DPDK IPsec - a scalable high performance library for your IPsec application



2. Legal Disclaimer
• No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.
• Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.
• This document contains information on products, services and/or processes in development. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest forecast, schedule, specifications and roadmaps.
• The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request.
• Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by visiting: http://www.intel.com/design/literature.htm
• Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
• *Other names and brands may be claimed as the property of others.
• Copyright © 2019, Intel Corporation. All rights reserved.
• Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice. Notice Revision #20110804
• Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For more complete information about performance and benchmark results, visit www.intel.com/benchmarks
• Test and System Configurations: Estimates are based on internal Intel analysis using at least Data Plane Development Kit IpSec sample application on Intel(R) Xeon(R) Gold 6142 CPU @ 2.60GHz with at least using Intel(R) Communications Chipset(s) 8955.
• No computer system can be totally secure.

3. Agenda
- Motivation
- DPDK and rte_cryptodev brief introduction
- DPDK rte_ipsec deep-dive
- Performance
- Current status and future work

4. Motivation
Network traffic has to be secured. IPSec, the popular secure network protocol, is still a very heavy task for modern systems. Large-scale network systems, such as 5G network infrastructure, are likely to contain heterogeneous hardware, including crypto/IPSec workload acceleration methods. From a cloud-native point of view, we expect the network nodes to run the same software. Is this possible for an IPSec application?
[Diagram: user equipment through the mobile network (RRH, BBU, S-GW, P-GW) to a server application; the platforms along the path are labelled inline FPGA IPSec, lookaside crypto, inline crypto, SW crypto, and "???"]

5. What is DPDK?
- Data Plane Development Kit: includes a set of libraries and user-space device drivers
- Accelerates workloads on generic computers (network, crypto, compression, virtualization, and many more)
- Data I/O abstraction: standard API to access hardware from different vendors
- Accelerated DumbNIC/SmartNIC, lookaside/inline crypto, BBDev, Virtio, AF_XDP, and FPGA ready
- How? Polling, working in bursts, core affinity, memory/buffer management, PCI utilization, use of vector instructions.

6. DPDK RTE_Cryptodev Brief
Crypto framework for processing symmetric and asymmetric crypto workloads in DPDK.
[Diagram: the user application sits on top of the framework, which provides device management, device capabilities, algorithm definition, session management, queue pair management, device stats, and operation enqueue/dequeue provision. Below it sit the PMDs and their targets: QAT PMD (Intel QAT lookaside crypto accelerator), AESNI PMD (IPsec_mb SW crypto), ZUC/SNOW3G/Kasumi PMDs (Intel wireless workload), Scheduler PMD (crypto scheduling), Virtio PMD (virtio-crypto), and other vendors' PMDs (ARMv8, caam_jr, ccp, dpaa/2, octeontx, ...), covering SW, lookaside and hardware security targets.]
- Wide range of SW and HW PMDs
- Standard API supports all PMDs
- Multi-queues for multi-thread sharing

7. What's left? Oh, ipsec!
We now have the tools we need to access different HW for acceleration. BUT all IPSec solutions need:
- SA management
- Transport/tunnel header assembly/strip
- SAD/SPD
- A crypto load-balancer
- Native support of current and future HW/SW acceleration methods
We propose the DPDK rte_ipsec library for the community to address common IPSec challenges.

8. Rte_ipsec: a library to address IPsec challenges
A modular library built around a core functionality of data-path processing and SA management.
Current focus:
- HW resource allocation & management
- SA management
- Packet header update/strip
- Prepare rte_crypto_op for cryptodev, OR prepare metadata for inline crypto device
Optional modules:
- Scalable and performant SAD and SPD
- Crypto load-balancing (host, lookaside, inline)
- Integration point for IKE clients
[Diagram: the librte_ipsec core surrounded by the optional SAD, SPD, crypto load-balancing and IKE shim layer modules]
Automatically handle HW accelerator allocation and resource usage.

9. RTE_ipsec Session Creation
Different paths for rte_cryptodev to create crypto/security session.
Rte_cryptodev path (automatable): crypto session create -> crypto session init.
After the session is created, the same code path is used to create the ipsec session: fill crypto xform -> create rte_ipsec session param -> rte_ipsec session.
The same crypto transform (xform) is reused.

10. Rte_ipsec DATA Path
[Diagram: RX -> SPD-S/SAD lookup, then one of two paths to Route/TX]
- Cryptodev path: prepare packet -> enqueue to cryptodev -> dequeue from cryptodev -> group packet -> process packet
- Inline/synchronous path: fetch IPSec session -> process packet
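On the outbound side, the "process packet" / header-update step has to lay out the tunnel header, ESP header and trailer around the inner packet before a cryptodev or inline PMD encrypts and authenticates it. The following is an added, DPDK-independent illustration of that layout for IPv4 tunnel mode (RFC 4303); it is not code from the slides or from librte_ipsec, and `esp_tunnel_encap`, `esp_pad_len` and their parameters are assumed names.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Constructed sketch of tunnel-mode ESP header assembly: outer IPv4 +
 * ESP header + IV + inner packet + padding + trailer + ICV. No crypto is
 * run here: the IV and ICV are zero placeholders that a cryptodev or
 * inline PMD would fill, and the payload is left in the clear. */
enum { IPV4_HDR_LEN = 20, ESP_HDR_LEN = 8, ESP_TRAILER_LEN = 2 };

/* Padding so that payload + pad + 2 trailer bytes is a multiple of blk
 * (cipher block size for CBC, 4 for AES-GCM/CTR). */
size_t esp_pad_len(size_t payload_len, size_t blk) {
    return (blk - (payload_len + ESP_TRAILER_LEN) % blk) % blk;
}

/* Build the packet into out; returns the total length, or 0 if out is too
 * small or the lengths are out of range. Outer addresses and the header
 * checksum are left zero for the SA/route step to fill. */
size_t esp_tunnel_encap(const uint8_t *inner, size_t inner_len,
                        uint32_t spi, uint32_t seq, size_t blk,
                        size_t iv_len, size_t icv_len,
                        uint8_t *out, size_t out_cap) {
    size_t pad = esp_pad_len(inner_len, blk);
    size_t total = IPV4_HDR_LEN + ESP_HDR_LEN + iv_len + inner_len +
                   pad + ESP_TRAILER_LEN + icv_len;
    if (total > out_cap || total > 0xffff || pad > 255) return 0;
    uint8_t *p = out;
    memset(p, 0, IPV4_HDR_LEN);
    p[0] = 0x45;                              /* IPv4, IHL = 5 */
    p[2] = (uint8_t)(total >> 8);
    p[3] = (uint8_t)total;                    /* total length */
    p[8] = 64;                                /* TTL */
    p[9] = IPPROTO_ESP;                       /* next protocol = ESP (50) */
    p += IPV4_HDR_LEN;
    uint32_t be = htonl(spi);  memcpy(p, &be, 4);
    be = htonl(seq);           memcpy(p + 4, &be, 4);
    p += ESP_HDR_LEN;
    memset(p, 0, iv_len);      p += iv_len;   /* IV placeholder */
    memcpy(p, inner, inner_len); p += inner_len;
    for (size_t i = 0; i < pad; i++)
        p[i] = (uint8_t)(i + 1);              /* RFC 4303 default padding */
    p += pad;
    *p++ = (uint8_t)pad;                      /* Pad Length */
    *p++ = 4;                                 /* Next Header: IPv4 (tunnel) */
    memset(p, 0, icv_len);                    /* ICV placeholder */
    return total;
}
```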

11. Multiple IPSec Processing modes
[Diagram: three software stacks side by side]
- Host-based SW crypto processing: Application / L3 / librte_ipsec / L2 / Ethdev + Cryptodev / NET PMD + SW crypto PMD / NIC + CPU
- Lookaside HW crypto processing: Application / L3 / librte_ipsec / L2 / Ethdev + Cryptodev / NET PMD + HW crypto PMD / NIC + HW crypto accelerator
- I/O-based inline crypto processing: Application / L3 / librte_ipsec / L2 / Ethdev/flow/security / NET PMD / SmartNIC with crypto and SADB

12. Current activity
- Transport/Tunnel ESP, IPv4 and IPv6
- Supported cipher algorithms: AES-CBC-128/256, AES-CTR-128, 3DES-CBC, NULL
- Supported authentication algorithms: HMAC-SHA1/SHA256, NULL
- Supported AEAD algorithms: AES-GCM-128
- ESN and anti-replay
- Multi-segment packets support (DPDK 19.08)
- Header reconstruction (DPDK 19.11)
- SW/HW lookaside/HW inline crypto accelerator support
Potential community additions:
- SADB/SPDB
- NAT
- Crypto load-balancing
- IKE client SHIM layer
- Integration into VPP, OVS, and other open source projects
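ESN and anti-replay are listed above as supported; the inbound check needs the 64-bit ESN rebuilt from the 32-bit value on the wire before the window can be consulted, and the window may only move after the ICV has verified. The following is an added illustration of that logic following RFC 4303 section 3.4.3 and Appendix A; it is not DPDK or librte_ipsec code, and `ar_state`, `esn_reconstruct`, `ar_check` and `ar_update` are assumed names.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed illustration (not DPDK code) of ESN reconstruction plus a
 * 64-packet anti-replay window kept as a bitmap: bit i set means sequence
 * number (top - i) has already been accepted. */
#define AR_WIN 64u

struct ar_state {
    uint64_t top;     /* highest 64-bit sequence number accepted so far */
    uint64_t bitmap;
};

/* Rebuild the 64-bit ESN from the 32-bit low half on the wire by choosing
 * the high half that places seql closest to the current window. */
uint64_t esn_reconstruct(const struct ar_state *s, uint32_t seql) {
    uint32_t tl = (uint32_t)s->top, th = (uint32_t)(s->top >> 32);
    uint32_t lo = tl - (AR_WIN - 1);          /* window bottom, mod 2^32 */
    uint32_t seqh;
    if (tl >= AR_WIN - 1) {                   /* window inside one high half */
        seqh = (seql >= lo) ? th : th + 1;
    } else {                                  /* window spans a 2^32 wrap */
        if (seql >= lo && th == 0) return 0;  /* nothing precedes ESN 0 */
        seqh = (seql >= lo) ? th - 1 : th;
    }
    return ((uint64_t)seqh << 32) | seql;
}

/* Pre-decryption check: stores the reconstructed ESN in *seq and returns
 * true unless the packet is too old or a duplicate. ESN 0 is never valid. */
bool ar_check(const struct ar_state *s, uint32_t seql, uint64_t *seq) {
    *seq = esn_reconstruct(s, seql);
    if (*seq == 0) return false;
    if (*seq > s->top) return true;           /* ahead of window: ICV decides */
    uint64_t diff = s->top - *seq;
    if (diff >= AR_WIN) return false;         /* left of the window */
    return !(s->bitmap & ((uint64_t)1 << diff));
}

/* Record seq in the window. Call only after the ICV verified, so a forged
 * packet can never move the window. */
void ar_update(struct ar_state *s, uint64_t seq) {
    if (seq > s->top) {
        uint64_t diff = seq - s->top;
        s->bitmap = (diff >= AR_WIN) ? 0 : (s->bitmap << diff);
        s->bitmap |= 1;
        s->top = seq;
    } else {
        s->bitmap |= (uint64_t)1 << (s->top - seq);
    }
}
```

A value that `ar_check` accepts because it lies ahead of the window (for instance a low 32-bit value that is interpreted as the next high half) is still dropped by the ICV check if it was not genuinely sent, which is why the window update is a separate step.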