August 2016 Tommy Long, Sergio Gonzalez Monroy VPP Cryptodev 1.

2 Cryptodev Overview
 Crypto framework for processing symmetric crypto workloads in DPDK.
 Defines a standard API which supports both hardware and software crypto processing.
 How the crypto operation is processed is transparent to the user application, allowing work to be migrated between hardware and software dynamically.
 Poll mode driver infrastructure for hardware and software crypto devices.

3 Cryptodev Components

4 DPDK Crypto Acceleration: Current Cryptodev implementation
 Supports software and hardware (offload) symmetric crypto.
 – Cipher: AES CBC/CTR 128/192/256 bit, Snow3G (UEA2), KASUMI F8*, NULL*
 – Authentication: MD5_HMAC*/SHA1/224*/256/384*/512, AES XCBC, Snow3G UIA2, KASUMI F9*, NULL*
 – Combined: AES GCM 128/192**/256** bit

5 DPDK Crypto APIs - Burst

    uint16_t rte_cryptodev_enqueue_burst(uint8_t dev_id, uint16_t qp_id, struct rte_crypto_op **ops, uint16_t nb_bufs);
    uint16_t rte_cryptodev_dequeue_burst(uint8_t dev_id, uint16_t qp_id, struct rte_crypto_op **ops, uint16_t nb_bufs);

− The enqueue burst function expects each rte_crypto_op in the burst to carry valid crypto operation data.
− The dequeue burst function marks every rte_crypto_op that failed to be processed correctly (for example, an incorrect digest) with an appropriate status flag, so that no packets are dropped silently within the cryptodev.
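What the caller has to do with the burst that comes back from the dequeue call, as an added example that is not part of the slides or of DPDK/VPP: the status enumerators and the op struct below are minimal local stand-ins (their names mirror DPDK's rte_crypto_op_status values) so the file builds without DPDK headers, and handle_dequeued / demo_burst are hypothetical names. The point it demonstrates is that a per-op status flag only prevents silent drops if the caller attributes every non-success to a counter and never forwards an op whose integrity check failed.

```c
/* Added example, not DPDK or VPP code. The types below stand in for
 * struct rte_crypto_op and enum rte_crypto_op_status so the file builds
 * without the DPDK headers; the enumerator names follow DPDK's. */
#include <stdint.h>
#include <stdio.h>

enum op_status {                 /* stand-in for enum rte_crypto_op_status */
    STATUS_SUCCESS = 0,
    STATUS_NOT_PROCESSED,        /* device never processed it: safe to re-enqueue */
    STATUS_AUTH_FAILED,          /* digest mismatch: payload modified or forged */
    STATUS_INVALID_SESSION,
    STATUS_INVALID_ARGS,
    STATUS_ERROR,
};

struct crypto_op {               /* stand-in for struct rte_crypto_op */
    enum op_status status;
    uint32_t pkt_id;             /* stands in for the mbuf the op refers to */
};

struct dequeue_stats {
    uint32_t forwarded;          /* SUCCESS: continue down the IPsec path */
    uint32_t requeued;           /* NOT_PROCESSED: hand back to the enqueue side */
    uint32_t auth_failed;        /* AUTH_FAILED: drop and count; a spike is a detection signal */
    uint32_t errored;            /* everything else: drop and count */
};

/* Sort a dequeued burst into ops to forward and ops to re-enqueue, counting
 * every drop by cause. Returns the number of ops written to fwd[]; *n_requeue
 * receives the number written to requeue[]. Both output arrays must hold n. */
static uint16_t handle_dequeued(struct crypto_op **ops, uint16_t n,
                                struct crypto_op **fwd,
                                struct crypto_op **requeue, uint16_t *n_requeue,
                                struct dequeue_stats *st)
{
    uint16_t nf = 0, nr = 0;
    for (uint16_t i = 0; i < n; i++) {
        switch (ops[i]->status) {
        case STATUS_SUCCESS:
            fwd[nf++] = ops[i];
            st->forwarded++;
            break;
        case STATUS_NOT_PROCESSED:
            requeue[nr++] = ops[i];
            st->requeued++;
            break;
        case STATUS_AUTH_FAILED:
            st->auth_failed++;   /* never forwarded: the integrity check failed */
            break;
        default:
            st->errored++;
            break;
        }
    }
    *n_requeue = nr;
    return nf;
}

/* Constructed sample burst of five ops, as a device might return them.
 * Returns the resulting counters so the outcome can be inspected. */
static struct dequeue_stats demo_burst(void)
{
    static struct crypto_op sample[5] = {
        { STATUS_SUCCESS, 1 }, { STATUS_AUTH_FAILED, 2 }, { STATUS_SUCCESS, 3 },
        { STATUS_NOT_PROCESSED, 4 }, { STATUS_ERROR, 5 },
    };
    struct crypto_op *ops[5], *fwd[5], *rq[5];
    struct dequeue_stats st = {0};
    uint16_t nr;
    for (int i = 0; i < 5; i++)
        ops[i] = &sample[i];
    handle_dequeued(ops, 5, fwd, rq, &nr, &st);
    return st;
}

int main(void)
{
    struct dequeue_stats st = demo_burst();
    printf("forwarded=%u requeued=%u auth_failed=%u errored=%u\n",
           st.forwarded, st.requeued, st.auth_failed, st.errored);
    return 0;
}
```

The requeue list matters in a poll-mode loop: NOT_PROCESSED ops are the ones a saturated device handed back untouched, and dropping them would lose traffic with no error in sight, while forwarding them would pass cleartext down the encrypted path.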

6 VPP IPsec Encryption Path

7 IPsec Cryptodev Encryption Path

8 Test Setup (diagram labels: Ixia Traffic Generator, Cleartext Traffic, DUT: Patched VPP, IPsec Encap, Ciphertext Traffic)

9 Platform Configuration
 Intel® Xeon® DP-based Server (2 CPU sockets)
 Intel(R) Xeon(R) CPU E GHz (Haswell)
 18 physical cores per CPU (i.e. per socket)
 128 GB DDR4 RDIMM (Crucial Server capacity = 64 GB RAM (16 x 8 GB). Tested with 128 G)
 1 x Intel® Gigabit Ethernet Controller
 1 x Intel Corporation DH895XCC Series QAT (Coletto Creek)
 Operating System: Ubuntu 16.04, Kernel version: generic
 VPP commit ID: 154d445f7f8f1553d9bb00d1be42bf1b06eda9f1
 Intel(R) DPDK
 Single data processing core
 All hardware local to socket 1
Results will vary depending on software, workloads and system configuration.

BIOS Settings:
 Enhanced Intel SpeedStep®: DISABLED
 Processor C3: DISABLED
 Processor C6: DISABLED
 Intel® Hyper-Threading Technology (HTT): DISABLED
 Intel® Virtualization Technology: ENABLED
 Intel® Virtualization Technology for Directed I/O (VT-d): DISABLED
 MLC Streamer: ENABLED
 MLC Spatial Prefetcher: ENABLED
 DCU Data Prefetcher: ENABLED
 DCU Instruction Prefetcher: ENABLED
 Direct Cache Access (DCA): ENABLED
 CPU Power and Performance Policy: Performance
 Memory Power Optimization: Performance Optimized
 Intel® Turbo Boost: OFF
 Memory RAS and Performance Configuration -> NUMA Optimized: ENABLED

10 VPP Configuration (several addresses and key values did not survive the transcript)

    set int ip address TenGigabitEthernet86/0/ /24
    set int promiscuous on TenGigabitEthernet86/0/1
    create ipsec tunnel local-ip local-spi 1111 remote-ip remote-spi 2222
    set interface ipsec key ipsec0 local crypto aes-cbc-128 2b7e151628aed2a6abf cf4f3d
    set interface ipsec key ipsec0 local integ sha
    set interface ipsec key ipsec0 remote crypto aes-cbc-128 2b7e151628aed2a6abf cf4f3d
    set interface ipsec key ipsec0 remote integ sha
    ip route add /32 via ipsec0
    set ip arp TenGigabitEthernet86/0/ :e2:ba:b0:dc:69
    set int state TenGigabitEthernet86/0/1 up
    set int state TenGigabitEthernet86/0/0 up
    set int state ipsec0 up

11 Early Development Performance Indicators: Preliminary POC Results
Results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.

12 Possible IPsec Select Node?

13 Implementation Gaps that we know of
 Algorithm support: only AES-SHA is currently supported
 Re-keying on sequence overflow
 Anti-replay frame size limited to 64 packets
 Full multicore support: atomic sequence number updates
 SA lifetime (time and flow data)
 No scatter-gather support
 IKEv2 responder
 Any other gaps?
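Two of the gaps above, the 64-packet anti-replay window and re-keying on sequence overflow, are protocol logic rather than crypto, so here is what a correct version looks like as an added example that is not part of the slides or of VPP/DPDK: an ESP anti-replay window in the style of RFC 4303 Appendix A, generalised from the 64-packet window to any multiple of 64 (REPLAY_WORDS), together with the outbound sequence-number exhaustion check. All names (replay_window, replay_check, replay_update, replay_accept, seq_next) are hypothetical, and the icv_ok argument stands in for the result of the cryptodev authentication operation.

```c
/* Added example, not VPP or DPDK code: RFC 4303-style anti-replay window
 * plus sequence-number exhaustion check. REPLAY_WORDS = 1 gives the
 * 64-packet window the slide mentions; raise it to widen the window. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLAY_WORDS  1
#define REPLAY_WINDOW (REPLAY_WORDS * 64u)
#define SEQ_BIT(seq)  (1ULL << ((seq) % 64))

struct replay_window {
    uint32_t last_seq;                 /* highest sequence number accepted (0 = none yet) */
    uint64_t bitmap[REPLAY_WORDS];     /* bit (seq % REPLAY_WINDOW) set => seq already accepted */
    uint64_t replays, stale, bad_icv;  /* counters a defender exports */
};

enum verdict { ACCEPT, REJECT_ZERO, REJECT_STALE, REJECT_REPLAY, REJECT_ICV };

/* Pre-ICV check: cheap rejection before the expensive integrity
 * verification. Read-only, so a forged packet cannot move the window. */
static enum verdict replay_check(const struct replay_window *w, uint32_t seq)
{
    if (seq == 0)
        return REJECT_ZERO;            /* ESP never transmits sequence number 0 */
    if (seq > w->last_seq)
        return ACCEPT;                 /* to the right of the window: new */
    uint32_t behind = w->last_seq - seq;
    if (behind >= REPLAY_WINDOW)
        return REJECT_STALE;           /* fell off the left edge of the window */
    if (w->bitmap[(seq % REPLAY_WINDOW) / 64] & SEQ_BIT(seq))
        return REJECT_REPLAY;          /* already accepted once */
    return ACCEPT;
}

/* Slide the window and mark seq. Only call after the ICV verified,
 * otherwise an attacker could advance the window with forged packets and
 * make the peer's genuine in-flight packets look stale. */
static void replay_update(struct replay_window *w, uint32_t seq)
{
    if (seq > w->last_seq) {
        uint32_t ahead = seq - w->last_seq;
        if (ahead >= REPLAY_WINDOW) {
            memset(w->bitmap, 0, sizeof w->bitmap);   /* whole window slides past */
        } else {
            /* slots between the old and new right edge are reused: clear them */
            for (uint32_t s = w->last_seq + 1; s < seq; s++)
                w->bitmap[(s % REPLAY_WINDOW) / 64] &= ~SEQ_BIT(s);
        }
        w->last_seq = seq;
    }
    w->bitmap[(seq % REPLAY_WINDOW) / 64] |= SEQ_BIT(seq);
}

/* Inbound order for one packet: check, verify ICV, then update. */
static enum verdict replay_accept(struct replay_window *w, uint32_t seq, bool icv_ok)
{
    enum verdict v = replay_check(w, seq);
    if (v == REJECT_REPLAY) w->replays++;
    if (v == REJECT_STALE)  w->stale++;
    if (v != ACCEPT)
        return v;
    if (!icv_ok) {
        w->bad_icv++;
        return REJECT_ICV;             /* window left untouched */
    }
    replay_update(w, seq);
    return ACCEPT;
}

/* Outbound side: hand out the next sequence number. Returns false rather
 * than wrapping the 32-bit counter; without ESN the SA must be rekeyed
 * before this point, never restarted at 0 under the same key. */
static bool seq_next(uint32_t *counter, uint32_t *seq_out)
{
    if (*counter == UINT32_MAX)
        return false;
    *seq_out = ++*counter;
    return true;
}

int main(void)
{
    struct replay_window w = {0};
    const uint32_t demo[] = {1, 1, 100, 37, 36, 37};   /* constructed arrival order */
    for (size_t i = 0; i < sizeof demo / sizeof demo[0]; i++)
        printf("seq %3u -> verdict %d\n", demo[i], replay_accept(&w, demo[i], true));
    uint32_t ctr = UINT32_MAX - 1, s;
    bool first = seq_next(&ctr, &s);
    bool second = seq_next(&ctr, &s);
    printf("seq_next near wrap: %d then %d (0 = rekey required)\n", first, second);
    return 0;
}
```

The split between replay_check and replay_update is the part most often got wrong: updating the window before the integrity check lets unauthenticated traffic drive the window forward, which turns an anti-replay feature into a denial-of-service lever against the legitimate peer.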

14 Features we would like to add to VPP
 Support for the Cryptodev API
 Additional algorithm support, e.g. GCM
 Ability to configure and manage different devices
 Detection of supported devices
 Detection of supported algorithms on each device
 IKE collaboration?

15 Back Up

16 (Architecture diagram; labels recovered from the slide: VPP, DPDK, EthDev API, CryptoDev API, ethdev PMD, QAT PMD, AES-NI PMD, Eth HW, QAT HW)

17 DPDK crypto PMDs
 QAT (hw)
 AESNI multi-buffer (sw)
 AESNI GCM (sw)
 NULL (sw)
 Snow3G (sw)
Each PMD supports the full cryptodev API, but may only support a subset of all the possible algorithms/modes.

18 DPDK Crypto Software PMDs
 aesni_mb – uses the Intel multi-buffer library to provide symmetric crypto operations in software, utilising the AES-NI CPU instruction set. See
 aesni_gcm – provides AES GCM operations in software. Also depends on the multi-buffer library.
 null – provides a pass-through service (for debug).
 snow3g – uses the Intel Snow3G libsso library to provide Snow3G cipher and auth operations for wireless applications. See

19 DPDK Crypto APIs
 Crypto Device Management APIs
 Crypto Stats and Capabilities APIs
 Symmetric Cipher / Hash Algorithm Definitions
 Session Management APIs
 Operation Management APIs
 Burst APIs

20 DPDK Crypto APIs - Session Management

    struct rte_cryptodev_session *rte_cryptodev_session_create(uint8_t dev_id, struct rte_crypto_xform *xform);
    void rte_cryptodev_free_session(struct rte_crypto_session *session);

− The session creation function allocates and populates a device-specific opaque session data structure.
− Session structures are crypto-device specific so that key material can be formatted in the optimal way for the underlying device.

    struct rte_crypto_sym_xform {
        struct rte_crypto_sym_xform *next;      // next transform in the chain (e.g. cipher then auth); NULL terminates
        enum rte_crypto_sym_xform_type type;    // selects which union member is valid
        union {
            struct rte_crypto_auth_xform auth;
            struct rte_crypto_cipher_xform cipher;
        };
    };

    struct rte_crypto_auth_xform {
        enum rte_crypto_auth_operation op;      // generate or verify
        enum rte_crypto_auth_algorithm algo;
        struct rte_crypto_key key;
        uint32_t digest_length;
        uint32_t add_auth_data_length;
    };

    struct rte_crypto_cipher_xform {
        enum rte_crypto_cipher_operation op;    // encrypt or decrypt
        enum rte_crypto_cipher_algorithm algo;
        struct rte_crypto_key key;
    };

21 DPDK Crypto APIs - Operation Management

    struct rte_crypto_sym_op {
        struct rte_mbuf *src;
        struct rte_mbuf *dst;
        enum rte_crypto_sym_op_sess_type type;
        union {
            struct rte_crypto_session *session;
            struct rte_crypto_xform *xform;     // Sessionless
        };
        struct {
            struct {..} data;       // Offsets/sizes of cipher data
            struct {..} iv;         // Parameters for the IV
        } cipher;
        struct {
            struct {..} data;       // Offsets/sizes of hash data
            struct {..} digest;     // Parameters for the digest
            struct {..} aad_auth;   // Parameters for the Additional Auth Data
        } auth;
    };

The Crypto API also includes generic helper functions to allocate and free rte_crypto_ops from a mempool.

    struct rte_crypto_op {
        enum rte_crypto_op_type type;        // sym/future
        enum rte_crypto_op_status status;    // result
        struct rte_mempool *mempool;
        phys_addr_t phys_addr;               // unused
        void *opaque_data;                   /* for user data */
        union {
            struct rte_crypto_sym_op *sym;
        };
    };