6WINDGate™ - Powering the New-Generation of IPsec Gateways

6WINDGate™ for IPsec Gateways:

- High performance IPsec stack to sustain encrypted traffic over several tens of thousands of IPsec tunnels with low-latency

- Optimal use of software and hardware crypto-acceleration for best price/performance

- High-capacity IKE control plane to manage several tens of thousands of IKE sessions on a single server

- High capacity for encapsulation protocols such as VLAN, PPP, L2TP and GRE…

- High performance and scalable IPv4 and IPv6 forwarding with virtual routing support for a large number of instances

- High performance and capacity firewall and NAT

Transcript

  • 1. v1.0 | ©6WIND 2014. All rights reserved. All brand names, trademarks and copyright information cited in this presentation shall remain the property of its registered owners. SPEED MATTERS
  • 2. The Promise Of 6WIND: Network Architecture Transformation
      - Enable open platform ecosystem to replace dedicated hardware with commodity servers and virtualization.
      - Close the performance gap for Service Providers and Enterprises to upgrade their network architecture.
      - [Diagram: Dedicated Hardware And Software Platform (Rigid Platform, Long Time To Market, $$$ Expensive) compared with White Box Ecosystem and Virtualization (Open Platform, $ Inexpensive, Rapid Services Creation)]
  • 3. 6WIND Facts
      - Best in class packet processing technology thanks to 6WIND deep expertise in networking and more than 150 man years of development.
      - Since the first shipment of its 6WINDGate software in 2007, 6WIND has been selected and deployed by Blue Chip companies to unlock hidden infrastructure performance.
      - 6WIND is an independent software vendor and 6WINDGate is the only heterogeneous networking stack to support major market-leading hardware platforms.
      - 6WIND is privately held and headquartered in France, with offices in Asia and the US.
  • 4. IPsec Gateways Are a Requirement to Secure IP Communications from Internet Attacks
      - Service Providers: Wireless offload schemes to extend coverage for subscribers expose mobile core networks to security threats and require secure connections
      - Cloud Providers: Data Center Virtualization solutions require secure connections across virtual networks
      - Enterprise Providers: Network equipment (physical and software appliances) must help secure connections across distributed data centers
  • 5. Requirements for High Performance and Cost-Effective IPsec Gateways
      - Use of cost-effective hardware and software solutions
          - Generic hardware platforms with high performance Ethernet NICs
          - Hardware or software crypto acceleration
          - Commercial or open source Linux distributions
      - High performance packet processing software for
          - Network security features such as IPsec and IKE to sustain high network throughput of encrypted traffic
          - A large number of protocols such as Layer 2 encapsulation, IPv6, routing, virtual routing, firewall, NAT, QoS… to easily integrate the IPsec gateway into a complete networking infrastructure
      - Flexible and extensible software architecture
          - Develop physical IPsec Gateways and prepare the shift to virtualized solutions
          - Open architecture to reuse in-house or third party application software
  • 6. 6WINDGate on Standard Platforms: Paradigm Shift In Packet Processing Software
      - Fastest performance on the market, in both physical and virtual environments
      - Transparent, no change necessary to OS, hypervisor and management
      - Available across all major platforms
      - Native support for all major network protocols
  • 7. 6WINDGate Removes Performance Bottlenecks
      - [Chart: Performance (Millions Of Packets Per Second) against the number of Fast Path Cores. Annotations: Standard Linux Becomes Unstable; Increase OS stability by offloading resource intensive mundane tasks; Performance benefits scale with the number of processing cores]
  • 8. Transparent to Operating System
      - [Diagram labels: Networking Stack, Control Plane, Fast Path, Local info, Fast path packet, Exception packet, Continuous synchronization, Synchronization modules]
  • 9. Available for Industry-Leading Processor Platforms
      - Architecture-independent "Fast Path Modules"
          - Generic, processor-independent source code
          - Cycle-level and pipeline-level optimizations
      - Architecture-specific "Fast Path Networking SDK"
          - Zero-overhead API for fast path modules
          - Support for processor-specific features and resources
          - Leverages processor suppliers' SDKs
      - [Diagram labels: Data Plane, Fast Path, FPN-SDK (one per platform), ZoL™, DPDK, Simple Exec, NetOS]
  • 10. 6WINDGate IPsec Architecture
      - [Diagram labels: Linux Userland (IKEv1/v2); Linux Kernel (Linux Networking Stack, IPsec, IPv4/IPv6, IPsec SPD, IPsec SAD); Fast Path (IPsec, IPv4/IPv6, Other FP modules, FPN-SDK); Shared memory (IPsec SPD, IPsec SAD, statistics); Linux / fast path synchronization (configuration); Linux / fast path synchronization (statistics); Security table updates; Netlink notifications; 6WIND DPDK Crypto Framework (Cavium NITROX, Intel® Multi-Buffer, Intel® QuickAssist); DPDK; Multicore Processor Platform]
  • 11. 6WINDGate DPDK Features and Benefits
      - Based on dpdk.org
      - 6WINDGate DPDK add-ons available for increased system functionality, performance and reliability
      - Poll Mode Drivers for multi-vendor NICs
          - Mellanox ConnectX-3® EN Series PMD
          - Emulex OCE14102 PMD
      - Performance acceleration for virtualized networking
          - Fast vNIC PMD
          - VMXNET3 Guest VMware PMD
          - VIRTIO Guest XEN-KVM PMD
      - Crypto acceleration modules that leverage
          - Cavium NITROX SDK 5.x Crypto
          - Intel® Multi-Buffer Crypto
          - Intel® QuickAssist Crypto
      - [Diagram: dpdk.org with three add-on groups: Multi-vendor NIC support, Virtualization acceleration, Crypto acceleration]
  • 12. Intel Multi-Buffer IPsec Test Results
      - 6WINDGate IPsec performance (AES-128 HMAC-SHA1)
          - 5.24 Gbps per core for 1420B packets
          - Up to 193.27 Gbps using 40 cores
          - Performance scales linearly with the number of cores configured to run the fast path
  • 13. Intel Cave Creek IPsec Test Results
      - 6WINDGate IPsec using Quick Assist performance
          - 3.52 Gbps per engine for 1420B packets
          - Up to 40 Gbps (platform limit) using 16 engines
          - Performance scales linearly with the number of engines configured to process IPsec transformation
  • 14. Cavium Nitrox IPsec Test Results
      - 6WINDGate IPsec performance using Cavium Nitrox DPDK add-on
          - Up to 20.23 Gbps for 1420 bytes
  • 15. 6WINDGate for IPsec Gateways
      - High performance IPsec stack to sustain encrypted traffic over several tens of thousands of IPsec tunnels with low-latency
      - Optimal use of software and hardware crypto-acceleration for best price/performance
      - High-capacity IKE control plane to manage several tens of thousands of IKE sessions on a single server
      - High capacity for encapsulation protocols such as VLAN, PPP, L2TP and GRE…
      - High performance and scalable IPv4 and IPv6 forwarding with virtual routing support for a large number of instances
      - High performance and capacity firewall and NAT
  • 16. Network Architecture Evolution
      - [Diagram: three Applications, each on its own Proprietary Hardware Platform; then Applications on a Generic Hardware Platform; then Applications on Virtualization over Generic Hardware Platforms]
  • 17. 6WINDGate Extensions to IPsec Gateway Virtualization
      - Drivers for Virtual Appliance
          - Fast vNIC drivers for high performance communications
          - Standard drivers for existing VAs
          - Extensible for all OSs
      - Accelerated Virtual Switch
          - DPDK with multi-vendor NIC support
          - OVS acceleration
          - Extended network services
          - Host driver for high performance communications
      - [Diagram labels: NICs, DPDK (Intel and multi-vendor NIC drivers), Host Driver, OVS Acceleration, Additional Features (L3 Routing, Firewall, NAT…), Virtual Switch, Fast vNIC PMD, Virtio PMD, Fast vNIC Linux, Virtio, Fast vNIC, vIPsec Gateway, vRouter, Additional VNFs]
  • 18. 6WIND’s Open Networking Platform For NFVI
      - High performance switching aggregated bandwidth for VNFs without any modification in the virtual switch
      - Hardware independent VNF network attachments for seamless network hardware upgrades and VNF migration
      - Low-latency inter-VNF communications
      - Enhanced features beyond switching (L3 forwarding, virtual routing, firewall, IPsec and more) for extended chaining capabilities
      - Support for multi-vendor VNFs based on different OSs
  • 19. Virtual Switch Acceleration
      - No modification is required to OVS, OS, Hypervisor, Management
      - L2 switching capability on 10 cores using 40G Ethernet
          - 52 Mpps with 64 byte packets
          - 195 Gbps with 1280 byte packets
      - [Diagram labels: Traffic Generator, 10 x 40 Gbps Full Duplex Traffic, Accelerated Open vSwitch, Open vSwitch, OpenFlow Controller]
  • 20. Virtual Switch-Based NFVI: Lowest Latency and Flexible Chaining
      - Physical Switching Limitations
          - Hardware dependent switching (SR-IOV, RDMA, NIC embedded switching)
          - Throughput is limited by PCI Express (50 Gbps) and faces PCI Express and DMA additional latencies
          - Available PCI slots limit the number of chained VNFs
          - At 30 Gbps a single VNF is supported per node!
      - Virtual Switching With 6WINDGate
          - Hardware independent virtual switching (NIC driver)
          - Aggregate 500 Gbps bandwidth with low latency
          - No external limit to number of chained VNFs
      - [Diagram labels: Virtual Network Function (x3), PCI Express, Local NIC, External Switch, 50 Gbps, 6WINDGate Accelerated OVS, 500 Gbps]
  • 21. 6WINDGate Module List
      - Fast Path modules: IPv4/IPv6 Forwarding, MPLS/VPLS Encapsulation, IPv4/IPv6 Multicast, Filtering IPv4/IPv6, IPsec SVTI, VLAN, Link Aggregation, NAT, GRE, TCP/UDP Termination, Flow Inspection, L2TP/PPPoE BRAS, GTP-U, VXLAN, Tunneling (IPinIP), IPsec IPv4/IPv6, Ethernet Bridging
      - Control Plane modules: BFD, SMR, L2TP, PPPoE BRAS, Routing, Virtual Routing, Security, VRRP, LACP, VPN, Monitoring, High Availability, Firewall / NAT, ARP / NDP
      - DPDK add-ons: Fast vNIC PMD, VMXNET3 Guest VMware PMD, VIRTIO Guest XEN-KVM PMD, Intel® QuickAssist Crypto, Intel® Multi-Buffer Crypto, Cavium NITROX SDK 5.X Crypto, Mellanox ConnectX®-3 EN Series PMD, Emulex OCE14000 Series PMD
      - Other labels: FPN-SDK, OVS Acceleration, QoS, Distributed Arch., Fast path extensions, Control plane extensions
      - Annotations: Hardware platform independence; Modular virtualization extensions; Complete protocol portfolio for IPsec gateway; Generic software
  • 22. 6WIND Enables Cost-Effective IPsec Gateways for Enterprises and Service Providers
      - 6WINDGate Powered IPsec Gateway and Firewall
          - DPDK on Linux
          - Hardware offload to Cavium Nitrox for IPsec
      - Software based appliance on custom hardware for additional performance
      - Allows use of DPDK on multi-vendor NICs for crypto support
      - Ready for fully virtual applications
      - [Diagram labels: Commodity Hardware, x86 Processor, Hypervisor, Virtual IPsec Gateway and Firewall, IPsec Gateway and Firewall]