DPDK IPSec performance benchmark ~ Georgii Tkachuk
Download as PPTX, PDF
3 likes1,662 views
This document provides an overview of the DpdkIPSecsecuritygateway application, which is an Intel DPDK sample application that demonstrates using the Cryptography Device Library (cryptodev) framework to implement an IPSec security gateway with encryption and authentication. The application shows the flow of outbound and inbound traffic through the gateway and the use of security policies and security associations to classify and process packets. It also discusses performance considerations for running the application and maximizing throughput.
DPDK IPSec performance benchmark ~ Georgii Tkachuk
- 2. LegalNoticesandDisclaimersIntel technologies features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com, or from the OEM or retailer. No computer system can be absolutely secure. Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For more complete information about performance and benchmark results, visit http://www.intel.com/performance. Intel, the Intel logo and others are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. 息 2017 Intel Corporation.
- 3. overview Example application providing guidelines for using the Cryptography Device Library framework. Showcase DPDK cryptodev framework performance with a real world use case scenario. http://dpdk.org/doc/guides-16.04/sample_app_ug/ipsec_secgw.html (Google DPDK IPSec sample application) 3
- 4. Overviewcont. 4 IPSec Security Gateway IPSec tunnel Outbound Traffic Inbound Traffic
- 5. ApplicationFlow Outbound Check destination Encrypt, Encapsulate Route Inbound Classify Decrypt, Decapsulate Check SP Route 5 RX Security Policy (SP) Security Association (SA) Encapsulation (ESP, Outer IP) Encrypt Route TX RX Classify (IP/ESP) Security Association Decrypt Decapsulation Route TX Check SP
- 6. securitypolicy 6 RX Security Policy (SP) Security Association (SA) Encapsulation (ESP, Outer IP) Encrypt Route TX RX Classify (IP/ESP) Security Association Decrypt Decapsulation Route TX Check SP Src Dst proto SA idx Any 192.168.115.0/24 Any 5 Any 192.168.116.0/24 Any 6 Any 192.168.117.0/24 Any BYPASS
- 7. securityassociation 7 RX Security Policy (SP) Security Association (SA) Encapsulation (ESP, Outer IP) Encrypt Route TX RX Classify (IP/ESP) Security Association Decrypt Decapsulation Route TX Check SP SPI Cipher Auth Tunnel src Tunnel dst 5 AES-CBC HMAC-SHA1 172.16.1.5 172.16.2.5 6 AES-CBC HMAC-SHA1 172.16.1.6 172.16.2.6 9 NULL NULL 172.16.1.5 172.16.2.5
- 8. cryptography 8 RX Security Policy (SP) Security Association (SA) Encapsulation (ESP, Outer IP) Encrypt Route TX RX Classify (IP/ESP) Security Association Decrypt Decapsulation Route TX Check SP DPDK cryptodev QAT/AESNI
- 9. DPDKcryptodev Crypto PMD framework similar to DPDK NIC drivers Same generic API for HW and SW crypto devices No change to code to switch between QAT and AESNI libraries Supports Symmetric Crypto Authentication Chained crypto/authentication Asymmetric Crypto 9 http://dpdk.org/doc/guides-16.04/prog_guide/cryptodev_lib.html (Google DPDK cryptodev libraries)
- 10. FlowTrafficConfiguration 10 * Other names and brands may be claimed as the property of others. *
- 11. runningtheapplication Pass number of cores -l 1,2-5 Pass NICs -w 02:00.0 Pass encryption device -w b3:00.0 or --vdev=crypto_aesni_mb Allocate ports and cores --config=(port,queue,core) Provide IPSec config EP0 or EP1 11
- 13. systemresources Cores Run to completion Packets/Sec/Core varies Memory Large amount of data traveling through memory (2x memory accesses vs L3fwd) Beware of NUMA Cryptodev QAT has a limit based on packet size NIC line rate Encapsulated packet is larger than original 13
- 17. Backup 17
Editor's Notes
- #3: Place at the back of the deck