展开查看详情
2 .LEGAL DISCLAIMER
• No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.
• Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising
from course of performance, course of dealing, or usage in trade.
• This document contains information on products, services and/or processes in development. All information provided here is subject to change without notice. Contact your Intel representative to obtain the
latest forecast, schedule, specifications and roadmaps.
• The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request.
• Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by visiting: http://www.intel.com/design/literature.htm
• Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
• *Other names and brands may be claimed as the property of others.
• Copyright © 2019, Intel Corporation. All rights reserved.
• Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3
instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent
optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable
product User and Reference Guides for more information regarding the specific instruction sets covered by this notice. Notice Revision #20110804
• Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to
evaluate performance as you consider your purchase. For more complete information about performance and benchmark results, visit www.intel.com/benchmarks Test and System Configurations:Estimates are
based on internal Intel analysis using at least Data Plane Development Kit IpSec sample application on Intel(R) Xeon(R) Gold 6142 CPU @ 2.60GHz with at least using Intel(R) Communications Chipset(s) 8955.
• no computer system can be totally secure
2
�
3 .Agenda
- Motivation
- DPDK and rte_cryptodev brief
introduction
- DPDK rte_ipsec deep-dive
- Performance
- Current status and future work
�
4 .Motivation
Network traffic has to be secured.
IPSec as the popular secure network protocol, is still a very heavy task for modern system.
Large scale network systems, such as 5G Network infrastructure, are likely contained
heterogeneous hardware, including crypto/IPSec workload Acceleration methods.
From Cloud Native point of view, we expect the network nodes running same software. Is this
possible for IPSec application?
User Equipment Mobile Network Server
Application Control Application
Platform RRH BBU S-GW P-GW Platform
Lookaside Inline Inline FPGA
SW Crypto Crypto Crypto IPSec IPSec ???
�
5 .What is DPDK?
Data Plane Development Kit, includes a set of libraries and user-space device drivers
Accelerates workload on generic computer (Network, Crypto, Compression, Virtualization, and
many more)
Data I/O abstraction
Standard API to access hardware from different vendors. Accelerated
DumbNIC/SmartNIC, Lookaside/inline Crypto, BBDev, Virtio, AF-XDP, and FPGA ready
How?
Polling, working in bursts, core affinity, memory/buffer management,
PCI utilization, use of vector instructions.
�
6 .DPDK RTE_Cryptodev Brief User Application
CRYPTO FRAMEWORK FOR
PROCESSING SYMMETRIC AND Device Device Algorithm Session
ASYMMETRIC CRYPTO WORKLOADS Management Capabilities Definition Management
IN DPDK. Queue Pair
Device Stats
Operation Enqueue/
Management Provision Dequeue
Target SW and Lookaside crypto ZUC/ Scheduler
QAT PMD AESNI** PMD Virtio PMD
accelerator SNOW3G/
Kasumi PMDs
PMD
QAT* Intel Wireless Virtio-crypto Workload
Wide range of SW and HW PMDs Hardware IPSec_mb security specs scheduling
Standard API supports all PMDs Other
ARMv8, camm_jr, ccp,
Multi-queues for multi-thread Vendor s
PMD
dpaa/2, octeontx...
sharing
�
7 .What’s left? Oh, ipsec!
We now have tools we need to access different HW for acceleration.
BUT all IPSec solutions need:
SA management
Transport/Tunnel header assembly/strip
SAD/SPD
A crypto load-balancer
Native support of current and future HW/SW acceleration methods
We propose DPDK Rte_ipsec library for community to address
common IPSec challenges
�
8 .Rte_ipsec: a library to address IPsec
challenges
A modular library built around a core Librte_ipsec
functionality of data-path processing and SA Current focus SAD
management. - HW resource allocation &
management
- SA management
- Packet header update/strip SPD
Optional modules: - Prepare rte_crypto_op for
cryptodev, OR
Scalable and performant SAD and SPD - Prepare metadata for inline Crypto Load-
Crypto load-balancing (host, lookaside, inline) crypto device balancing
Integration point for IKE clients IKE SHIM LAYER
Automatically handle HW accelerator allocation
and resource usage.
�
9 .RTE_ipsec Session Creation
Different paths for rte_cryptodev to
create crypto/security session Rte_cryptodev Path
(automatable).
Crypto Crypto
session session
create init
After the session is created, same
Fill
code path is used to create ipsec Crypto rte_ipsec
Create
rte_ipse
session. xform session
param
session
Same crypto transform (xform) is
reused.
�
10 .Rte_ipsec DATA Path
Enqueue to Cryptodev Dequeue from Cryptodev
RX
Cryptodev Path
Prepare packet Group packet Process packet
SPD-S/SAD
lookup
Inline/Synchronous Path
Fetch IPSec Route/
Process packet
Session TX
�
11 .Multiple IPSec Processing modes
Host based SW
Lookaside HW I/O based inline
Crypto Processing Crypto Processing Crypto Processing
Application Application Application
L3 L3 L3
librte_ipsec librte_ipsec librte_ipsec
L2 L2 L2
Ethdev Cryptodev Ethdev Cryptodev Ethdev/flow/security
HW Crypto SW Crypto
NET PMD NET PMD NET PMD
PMD PMD
HW Crypto SADB
NIC NIC CPU SmartNIC
Accelerator Crypto
�
12 .Current activity
Transport/Tunnel ESP, IPv4 and IPv6
Supported cipher algorithms: AES-CBC-128/256, AES-CTR-128, 3DES-CBC, NULL
Supported authentication algorithms: HMAC-SHA1/SHA256, NULL
Supported AEAD algorithms: AES-GCM-128
ESN and anti-replay
Multi-segment packets support (DPDK 19.08)
Header reconstruction (DPDK 19.11)
SW/HW lookaside/HW inline crypto accelerator support
Potential Community additions:
SADB/SPDB
NAT
Crypto-load-balancing
IKE client SHIM layer
Integration into VPP, OVS, and other open source projects
�
热门城市
