
LF_OVS_17_IPSEC and OVS DPDK


Open vSwitch Fall Conference 2017



  1. IPsec and OVS DPDK
     Ian Stokes, Intel
     November 16-17, 2017 | San Jose, CA
  2. Notices & Disclaimers
     Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. Check with your system manufacturer or retailer or learn more at intel.com. No computer system can be absolutely secure. Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For more complete information about performance and benchmark results, visit http://www.intel.com/benchmarks . Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more complete information visit http://www.intel.com/benchmarks . Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice. Cost reduction scenarios described are intended as examples of how a given Intel-based product, in the specified circumstances and configurations, may affect future costs and provide cost savings. Circumstances will vary. Intel does not guarantee any costs or cost reduction. Intel does not control or audit third-party benchmark data or the web sites referenced in this document. You should visit the referenced web site and confirm whether referenced data are accurate. © 2017 Intel Corporation. Intel, the Intel logo, and Intel Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as property of others.
  3. Content
     • Use Case Overview
     • Proposed IPsec functionality
     • Design Considerations
     • Performance Metrics
     • Future Work
  4. Use Case Overview
     [Diagram: Datacenter. Hypervisor Server 1 (VM 1-1, VM 1-2, VM 1-3, VM 1-4) and Hypervisor Server 2 (VM 2-1, VM 2-2, VM 2-3, VM 2-4) connected across an IP Network.]
     • Traffic is not ISOLATED. !
     • Traffic is not CONFIDENTIAL. !
     • Traffic integrity is not PROTECTED. !
     • Traffic is not AUTHENTICATED. !
     Do you trust the network?
  5. Use Case Overview cont.
     [Diagram: Datacenter with VXLAN. On each hypervisor every VM sits on its own bridge domain (BD) with a VNI: VM1-1/VM2-1 VNI 12, VM1-2/VM2-2 VNI 22, VM1-3/VM2-3 VNI 32, VM1-4/VM2-4 VNI 42. A VTEP on Hypervisor Server 1 and on Hypervisor Server 2 carries VXLAN 12, 22, 32 and 42 across the IP Network.]
     • Traffic is isolated. ✓
     • Traffic is not CONFIDENTIAL. !
     • Traffic integrity is not PROTECTED. !
     • Traffic is not AUTHENTICATED. !
  6. Use Case Overview cont.
     [Diagram: Datacenter with VXLAN + IPsec. Same VNI/BD/VTEP layout as the previous slide, with an IPsec termination point on each hypervisor in front of the IP Network.]
     • Traffic is isolated. ✓
     • Traffic is confidential. ✓
     • Traffic integrity is protected. ✓
     • Traffic is authenticated. ✓
  7. Proposed IPsec functionality
     Given standard IPv4 packet:
       Ethernet Header | IP Header | L4 Header | Payload
     What IPsec functionality is required to provide:
     • Confidentiality
     • Integrity
     • Authenticity
     IPsec
     • Protocol: ESP (Encapsulating Security Protocol)
     • Mode: Transport
     Resulting packet:
       Ethernet Header | IP Header | ESP Header | L4 Header | Payload | ESP Padding | ESP Trailer | ESP Digest
       (Encrypted: L4 Header through ESP Trailer. Authenticated: ESP Header through ESP Trailer, covered by the ESP Digest.)
     Encrypted
     • Encryption Ciphers
       • AES-CBC
       • AES-GCM with 16 octet ICV (Combined)
     Authenticated
     • Authentication Cipher
       • HMAC-SHA1-96
  8. Proposed IPsec functionality: Vxlanipsec interface
     [Diagram, Hypervisor 1 (vxlan): VM 1 -> Br-int -> vxlan0 -> Br0 -> dpdk0.]
     Introduce new tunnel interface type ‘vxlanipsec’
     [Diagram, Hypervisor 1 (vxlanipsec): VM 1 -> Br-int -> vxlanipsec0 -> Br0 -> dpdk0, with vxlanipsec0 attached to a DPDK Cryptodev (QAT or VDEV PMD).]
     • Note: Cryptodev can utilise
       • HW: Intel® QuickAssist (QAT)
       • SW: VDEV crypto PMD
     • Associated DPDK Cryptodev for
       • Cipher encrypt/decrypt.
       • Digest generation/verification.
     • Handles vxlan encap/decap.
     • Handles ESP encap/decap.
  9. Proposed IPsec functionality: Vxlanipsec Encap
     [Diagram: Hypervisor 1: VM 1 -> vhu-0 -> Br-int -> vxlanipsec0 -> Br0 -> dpdk0. Hypervisor 2: dpdk1 -> Br1 -> vxlanipsec1 -> Br-int -> vhu-1 -> VM 2.]
  10. Proposed IPsec functionality: Vxlanipsec Encap
      [Diagram: Hypervisor 1: VM 1 -> vhu-0 -> Br-int -> vxlanipsec0 -> Br0 -> dpdk0.]
      • Packet arrives at ‘vhu-0’ as follows:
        Ethernet Header | IP Header | L4 Header | Payload
      • Packet arrives at ‘vxlan-ipsec0’
      • Encap packet header built as follows (VXLAN ETH/IP, UDP/VXLAN Headers, ESP Header/Initialization Vector, Original packet):
        Outer Ethernet Header | Outer IP Header | UDP Header | VXLAN Header | ESP Header | IV | Original packet
      • Encap packet trailer built as follows (Padding/ESP trailer/Digest):
        Original packet | Cipher Padding | ESP Trailer | ESP Digest
  11. Proposed IPsec functionality: Vxlanipsec Decap
      [Diagram: Hypervisor 2: dpdk1 -> Br1 -> vxlanipsec1 -> Br-int -> vhu-1 -> VM 2.]
      • Packet arrives at dpdk1 as follows:
        Outer Ethernet Header | Outer IP Header | UDP Header | VXLAN Header | ESP Header | IV | Encrypted Payload | ESP Digest
      • Encrypted Payload consists of:
        Original packet | Cipher Padding | ESP Trailer
      • Packet routed to ‘vxlanipsec1’ for decap
      • Use crypto dev to:
        • Validate Digest ✓
        • Decrypt payload ✓
        Recovered original packet: Ethernet Header | IP Header | L4 Header | Payload
      • Extract tunnel metadata.
      • Pop vxlan/ESP headers and trailers for recirculation.
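The ESP framing that slides 7, 10 and 11 describe (padding the payload to the cipher block size, the two-byte trailer, the 96-bit truncated HMAC-SHA1 digest, and validating the digest before decrypting on decap) as an added Python example; this is not code from the deck or from Open vSwitch. The AES-CBC step is replaced by a constructed keystream stand-in so the block runs on the standard library alone, and the SPI, keys and inner packet bytes are constructed.

```python
import hashlib
import hmac

BLOCK, IV_LEN, ICV_LEN = 16, 16, 12   # AES block/IV size; HMAC-SHA1-96 keeps 96 bits of the 160-bit MAC

def esp_pad(plaintext, next_header):
    """ESP padding (1, 2, 3, ...) and 2-byte trailer (pad length, next header), sized to a whole block."""
    pad_len = (-(len(plaintext) + 2)) % BLOCK
    return plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])

def esp_encap(spi, seq, iv, plaintext, next_header, auth_key, encrypt):
    """Build ESP Header | IV | ciphertext | ESP Digest; `encrypt(iv, data)` is the SA cipher (AES-CBC in the deck)."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")   # SPI, sequence number
    authed = header + iv + encrypt(iv, esp_pad(plaintext, next_header))
    return authed + hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]

def esp_decap(packet, auth_key, decrypt):
    """Validate the digest first, then decrypt and strip padding; returns (spi, seq, next_header, original)."""
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP digest mismatch: drop before decrypting")
    spi, seq = int.from_bytes(authed[:4], "big"), int.from_bytes(authed[4:8], "big")
    padded = decrypt(authed[8:8 + IV_LEN], authed[8 + IV_LEN:])
    pad_len, next_header = padded[-2], padded[-1]
    if padded[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding check failed")
    return spi, seq, next_header, padded[:-2 - pad_len]

def demo_cipher(key):
    """Constructed stand-in for AES-CBC (stdlib only): XOR with a SHA-256 keystream per block. Not AES."""
    def xor(iv, data):
        out = bytearray()
        for i in range(0, len(data), BLOCK):
            ks = hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()[:BLOCK]
            out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
        return bytes(out)
    return xor, xor   # symmetric: the same function encrypts and decrypts

def example_roundtrip():
    """Constructed SA keys and inner packet; returns the decap result and whether a flipped digest bit is rejected."""
    auth_key, (enc, dec) = b"constructed-auth-key", demo_cipher(b"constructed-cipher-key")
    inner = b"\x45\x00inner packet from vhu-0"          # constructed inner packet bytes
    pkt = esp_encap(0x1234, 1, bytes(range(IV_LEN)), inner, 4, auth_key, enc)
    try:
        esp_decap(pkt[:-1] + bytes([pkt[-1] ^ 0x01]), auth_key, dec)
        rejected = False
    except ValueError:
        rejected = True
    return esp_decap(pkt, auth_key, dec), rejected
```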
  12. Design Considerations
      Crypto Dev Creation
      • Intel® QAT: Virtual Function attached by user to userspace driver prior to Open vSwitch launch.
      • VDEV Crypto PMD: Created at runtime via VDEV init API.
      RX Queue Pair Capabilities
      • Intel® QAT: 2 queue pairs max per VF.
      • VDEV Crypto PMD: 8 queue pairs max by default.
      DPDK PMD requirements
      • Intel® QAT device.
        • CONFIG_RTE_LIBRTE_PMD_QAT
      • Intel® Multi-Buffer Crypto for IPSec.
        • CONFIG_RTE_LIBRTE_PMD_AESNI_MB
        • CONFIG_RTE_LIBRTE_PMD_AESNI_GCM
  13. Design Considerations cont.
      Asynchronous Operations
      • Cryptodev Operations are asynchronous regardless of HW/SW device, i.e. DPDK Cryptodev:
        • User configures 6 crypto ops and enqueues them to crypto device: rte_cryptodev_enqueue_burst()
        • User requests to dequeue the 6 crypto ops from the crypto device: rte_cryptodev_dequeue_burst()
        • May not receive 6 crypto ops on dequeue.
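The partial-dequeue behaviour on this slide, as an added Python model that is not DPDK and not code from the deck: `ModelCryptodev` is a constructed stand-in for one queue pair (the real calls are rte_cryptodev_enqueue_burst() and rte_cryptodev_dequeue_burst(), whose return values likewise may be smaller than the number requested), and `process_burst` shows the in-flight accounting a caller needs, beside the naive pattern the slide warns about.

```python
from collections import deque

class ModelCryptodev:
    """Constructed model of a cryptodev queue pair: enqueue accepts only up to the free ring space,
    and dequeue returns only the ops the device has finished since the last poll."""
    def __init__(self, ring_size=4, ops_per_poll=2):
        self.pending, self.done = deque(), deque()
        self.ring_size, self.ops_per_poll = ring_size, ops_per_poll

    def enqueue_burst(self, ops):
        space = self.ring_size - len(self.pending) - len(self.done)
        accepted = ops[:max(space, 0)]
        self.pending.extend(accepted)
        return len(accepted)          # may be less than len(ops): the caller must resubmit the rest

    def dequeue_burst(self, max_ops):
        for _ in range(min(self.ops_per_poll, len(self.pending))):   # device completes a few ops per poll
            self.done.append(self.pending.popleft())
        return [self.done.popleft() for _ in range(min(max_ops, len(self.done)))]   # may be < max_ops

def process_burst(dev, ops, max_polls=100):
    """Correct accounting: track in-flight ops and keep enqueueing/polling until every op is back."""
    results, inflight, offset = [], 0, 0
    for _ in range(max_polls):
        if offset < len(ops):
            n = dev.enqueue_burst(ops[offset:])
            offset, inflight = offset + n, inflight + n
        got = dev.dequeue_burst(len(ops))
        results.extend(got)
        inflight -= len(got)
        if offset == len(ops) and inflight == 0:
            return results
    raise TimeoutError(f"{inflight} crypto ops still in flight after {max_polls} polls")

def naive_burst(dev, ops):
    """The pattern the slide warns about: enqueue 6, dequeue once, assume all 6 came back."""
    dev.enqueue_burst(ops)
    return dev.dequeue_burst(len(ops))
```

With the default ring of 4 and 2 completions per poll, `naive_burst` returns 2 of 6 ops and silently loses the others, while `process_burst` returns all 6 in order.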
  14. Design Considerations cont.
      Security Association Establishment
      Security Association
      • Crypto transform
      • Cipher Key
      • Authentication Key
      Security Consideration
      • Where should Cipher/Authentication keys be stored?
        • OVSDB?
        • User owned file?
  15. Performance Metrics
      Test Tx rate VS Encap Rate, Encap – 1 PMD - Vdev (AES-CBC & HMAC-SHA1-96), in Mbps:

      Packet size   Test TX Rate (Line Rate)   Encap Rate
      64 byte       7,619                      2,763
      256 byte      9,275                      4,320
      512 byte      9,624                      5,654
      1024 byte     9,808                      7,060

      * Test and System Configurations: Estimates are based on internal Intel analysis using Intel® Server Board S2600WT, Intel® Xeon® CPU E5-2695 v3 @ 2.30GHz, Intel® Ethernet Converged Network Adapter X710-DA4, AESNI_MB_PMD.
  16. Future Work
      • Add GCM combined mode support.
      • Add IPsec Tunnel support
      • IKEv2: Support for dynamic re-keying
        • Integrating with StrongSwan userspace plugin
        • Community opinion on 3rd party support for feature.
      • OVS architecture changes
        • Packet batching with tunnels to replace single encap/decap.
      • Integration with RTE_Security
        • Enables HW acceleration for inline crypto.
  17. Questions and Contact Info
      • Contact info – Email: ian.stokes@intel.com
