SFO17-406: IPsec Full Offload Support
in OpenDataPlane
Bill Fischofer
ENGINEERS
AND DEVICES
WORKING
TOGETHER

IPsec Full Offload Support in ODP - SFO17-406

Session ID: SFO17-406
Session Name: IPsec Full Offload Support in ODP - SFO17-406
Speaker:
Track: LNG


★ Session Summary ★
The ODP “Tiger Moth” release introduces inline processing support for IPsec that enables dramatic increases in throughput and performance by fully leveraging hardware-offload capabilities on platforms that provide this. This talk discusses the design of this support and the results achievable with it.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-406/
Presentation:
Video:
---------------------------------------------------

★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport


IPsec Full Offload Support in ODP - SFO17-406

  1. SFO17-406: IPsec Full Offload Support in OpenDataPlane
     Bill Fischofer
  2. Credits
     The work described in this session represents the collaborative contribution of the LNG ODP team, particularly:
     ● Petri Savolainen, Nokia
     ● Dmitry Eremin-Solenikov, Cavium
     ● Bala Manoharan, Cavium
     ● Nikhil Agarwal, NXP
     Plus inputs from Member Engineers and the ODP Community at large.
  3. IPsec Background
     ● Standard means of creating cryptographically secure communication channels over the Internet, also provides data authentication services
     ● Operates at Layer 3
     ● Common use in telecom to provide secure tunnels for VPNs, backhaul links, etc.
     ● Defined by IETF RFCs (4301, 4302, 4303, 6040, 7619, 7296, etc.)
  4. IPsec - Authentication Header (AH)
     [Diagram: Transport Mode and Tunnel Mode packet layouts. Labels: IP Hdr, AH Hdr, Payload, Authenticated]
  5. IPsec - Encapsulating Security Protocol (ESP)
     [Diagram: Transport Mode and Tunnel Mode packet layouts. Labels: IP Hdr, ESP Hdr, Payload, ESP Trailer, ESP Auth, Encrypted, Authenticated]
  6. Security Association (SA)
     ● One per direction (RX, TX) for an IPsec flow
     ● Contains keying and other material needed to encrypt, decrypt, and authenticate packets
     ● Key negotiation done via a separate protocol - Internet Key Exchange (IKE)
     ● Packets identify which SA they belong to via the Security Parameter Index (SPI) field in IPsec headers
     [Diagram: SA, with Decrypt (RX) and Encrypt (TX)]
  7. Why is IPsec of Interest to ODP?
     ● Encryption is slow in software
     ● IPsec relies heavily on encryption
     ● Many SoCs offer hardware support for IPsec
     ● ...but each differs in how such support is accessed
     ● This is exactly the type of problem ODP is designed to address!
  8. ODP IPsec APIs
     Capabilities
     ● odp_ipsec_capability()
     ● odp_ipsec_cipher_capability()
     ● odp_ipsec_auth_capability()
     Global Configuration
     ● odp_ipsec_config_init()
     ● odp_ipsec_config()
     SA Creation and Management
     ● odp_ipsec_sa_param_init()
     ● odp_ipsec_sa_create()
     ● odp_ipsec_sa_disable()
     ● odp_ipsec_sa_destroy()
     ● odp_ipsec_sa_mtu_update()
     ● odp_ipsec_sa_context()
     ● odp_ipsec_sa_to_u64()
     Inbound Processing
     ● odp_ipsec_in()
     ● odp_ipsec_in_enq()
     Outbound Processing
     ● odp_ipsec_out()
     ● odp_ipsec_out_enq()
     ● odp_ipsec_out_inline()
     Event Types / Subtypes
     ● ODP_EVENT_PACKET_IPSEC
     ● ODP_EVENT_IPSEC_STATUS
     Event Processing
     ● odp_ipsec_packet_from_event()
     ● odp_ipsec_packet_to_event()
     ● odp_ipsec_result()
     ● odp_ipsec_status()
  9. IPsec Lookaside Processing in ODP
     Synchronous:
     ● odp_ipsec_in() for decrypt
     ● odp_ipsec_out() for encrypt
     Asynchronous:
     ● odp_ipsec_in_enq() for decrypt
     ● odp_ipsec_out_enq() for encrypt
  10. IPsec Inline Processing in ODP
     ● Inline Encrypt: odp_ipsec_out_inline()
     ● Inline Decrypt is Implicit
  11. Not Part of ODP IPsec Support
     IKE (Internet Key Exchange)
     ● Control plane function
     ● Use strongSwan or similar packages - https://strongswan.org/
     Time-based SA expirations
     ● Application responsibility
     ● ODP provides byte/packet soft and hard expiration support
     Inline Output via Traffic Manager
     ● May be added in the future
     ● For now, use lookaside-mode processing if this is needed
  12. Performance Results - IMIX Traffic
  13. IMIX Traffic Performance Comparison
  14. Thank You
  15. Thank You
     #SFO17
     SFO17 keynotes and videos on: connect.linaro.org
     For further information: www.linaro.org
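Slides 6 and 11 say that a packet names its SA through the SPI field and that expiration comes as byte/packet soft and hard limits. The following is an added example, not code from the slides or from ODP: `struct sa`, `ipsec_spi()`, `sa_account()` and the verdict names are hypothetical, and counting the whole IP packet length against the byte limits is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical SA record for this example; not ODP's odp_ipsec_sa_t. */
struct sa {
    uint32_t spi;
    uint64_t bytes, packets;              /* traffic accounted so far */
    uint64_t soft_bytes, hard_bytes;      /* 0 means no limit */
    uint64_t soft_packets, hard_packets;
};
enum verdict { V_OK, V_SOFT_EXPIRED, V_HARD_EXPIRED, V_NO_SA, V_MALFORMED };

/* Constructed sample: 20-byte IPv4 header (protocol 50 = ESP), then
 * ESP SPI 0x00001234 and sequence number 1. Checksum left as zero. */
static const uint8_t sample_esp[] = {
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, 50, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
    0, 0, 0x12, 0x34, 0, 0, 0, 1 };

/* Read the SPI from an IPv4 packet carrying ESP (proto 50) or AH (51). */
int ipsec_spi(const uint8_t *p, size_t len, uint32_t *spi)
{
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || (p[9] != 50 && p[9] != 51)) return -1;
    size_t off = ihl + (p[9] == 51 ? 4 : 0);   /* AH: SPI follows 4 bytes */
    if (len < off + 4) return -1;              /* truncated before the SPI */
    *spi = (uint32_t)p[off] << 24 | (uint32_t)p[off + 1] << 16 |
           (uint32_t)p[off + 2] << 8 | p[off + 3];
    return 0;
}

/* Find the SA by SPI, then apply hard limits (drop) and soft limits (rekey). */
enum verdict sa_account(struct sa *t, size_t n, const uint8_t *p, size_t len)
{
    uint32_t spi;
    if (ipsec_spi(p, len, &spi) != 0) return V_MALFORMED;
    for (size_t i = 0; i < n; i++) {
        struct sa *s = &t[i];
        if (s->spi != spi) continue;
        if ((s->hard_bytes && s->bytes + len > s->hard_bytes) ||
            (s->hard_packets && s->packets + 1 > s->hard_packets))
            return V_HARD_EXPIRED;         /* SA exhausted: do not process */
        s->bytes += len; s->packets++;
        if ((s->soft_bytes && s->bytes >= s->soft_bytes) ||
            (s->soft_packets && s->packets >= s->soft_packets))
            return V_SOFT_EXPIRED;         /* processed, but rekey is due */
        return V_OK;
    }
    return V_NO_SA;                        /* unknown SPI: no SA to apply */
}
```

A soft-limit verdict is the point at which the control plane (IKE, per slide 11) would negotiate a replacement SA, while a hard-limit verdict means the packet is not processed under that SA at all.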
