Xinming Chen, Zhen Chen, Beipeng Mu, Lingyun Ruan, Jinli Meng. Towards High-performance IPsec on Cavium OCTEON Platform. Research Institute of Information Technology, Tsinghua University.

Presentation transcript:

Xinming Chen, Zhen Chen, Beipeng Mu, Lingyun Ruan, Jinli Meng Towards High-performance IPsec on Cavium OCTEON Platform Research Institute of Information Technology, Tsinghua University Intrust 2010 December 13, 2010

NSLab, RIIT, Tsinghua Univ

Outline
About us
Background
Implementation
Experiment and Performance
Conclusion

Our Lab
The Network Security Lab (NSLab) belongs to the Research Institute of Information Technology (RIIT), Tsinghua University.
Research areas:
Network security algorithmics
Network processor architecture and parallel processing
P2P overlay network routing and network coding

Our Recent Projects
20 Gbps Security Gateway (National 863 Project)
100 Gbps Network Algorithms: packet classification, pattern matching
Datacenter Networks: distributed security architecture, central control management

Our Recent Publications
Yaxuan Qi, Kai Wang, Jeffrey Fong, Weirong Jiang, Yibo Xue, Jun Li and Viktor Prasanna. FEACAN: Front-End Acceleration for Content-Aware Network Processing. Proc. of the 30th IEEE INFOCOM.
Yaxuan Qi, Zongwei Zhou, Yiyao Wu, Yibo Xue and Jun Li. Towards High-performance Pattern Matching on Multi-core Network Processing Platforms. Proc. of IEEE GLOBECOM.
Fei He, Yaxuan Qi, Yibo Xue and Jun Li. YACA: Yet Another Cluster-based Architecture for Network Intrusion Prevention. Proc. of IEEE GLOBECOM.
Yaxuan Qi, Lianghong Xu, Baohua Yang, Yibo Xue and Jun Li. Packet Classification Algorithms: From Theory to Practice. Proc. of the 28th IEEE INFOCOM.
Tian Song, Wei Zhang, Dongsheng Wang and Yibo Xue. Memory Efficient Multiple Pattern Matching Architecture for Network Security. Proc. of the 27th IEEE INFOCOM.
Bo Xu, Yaxuan Qi, Fei He, Zongwei Zhou, Yibo Xue and Jun Li. Fast Path Session Creation on Network Processors. Proc. of ICDCS.
Yaxuan Qi, Bo Xu, Fei He, Baohua Yang, Jianming Yu and Jun Li. Towards High-performance Flow-level Packet Processing on Multi-core Network Processors. Proc. of the ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS), 2007.

Our Team

Background

Motivation
Problem: the Internet's openness brings security risks.
Solution: security mechanisms supply confidentiality, data integrity, anti-replay protection, etc.
In practice, however, only 10% of the information on the Internet is protected.
Reason: security mechanisms reduce performance and add cost and per-packet overhead.
Our goal: efficient, high-performance parameter selection and implementation, so that more information crossing the Internet can be protected.


Implementation
Hardware platform: Cavium OCTEON
Security mechanism: IPsec

Cavium OCTEON NP: a multi-core MIPS64 network processor with hardware acceleration of packet processing and of encryption and hashing, exposed to software through coprocessor (micro) instructions rather than a separate crypto device.

Mechanisms
Run-to-completion: the whole processing of a flow is executed on the same core, from input to output.
Pipeline: the processing of a packet is divided into several simple stages, and each stage is assigned to one core. Multiple cores can work simultaneously on packets of the same flow that are in different stages, but completing the processing of one packet requires passing it through multiple cores.

State of work flow (figure)

IPsec: adds security headers (AH or ESP) between the IP header and the transport-layer header. This is the transport-mode layout shown in the figure; in tunnel mode the whole original IP packet is instead encapsulated behind a new outer IP header.

States of IPsec work flow
Defragment: reassemble the IP packet from its fragments.
IPsec decrypt: authenticate and decrypt the incoming packets and recover the original ones.
Lookup: while forwarding the packet, look up the SPD table and the SA table, indexed by the hash value of the packet's five-tuple (source and destination address, protocol, source and destination port).
Process: the processing needed before the packet is sent out, such as NAT translation or TCP sequence number adjustment.
IPsec encrypt: encrypt the outgoing packets.
Output: place the packet into an output queue and let the Tx driver send it out.
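The header placement and the decrypt and lookup stages above, as an added worked example (not the OCTEON implementation from the talk): transport-mode ESP with the NULL cipher (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404), an SPD walk fronted by a five-tuple flow cache as the slide describes, inbound SA selection by destination address and SPI, and the RFC 4303 anti-replay window. The NULL cipher is a real integrity-only ESP option and is used here so the example runs on the Python standard library; the addresses, SPI and key are constructed, and real keys come from IKE.

```python
"""Transport-mode ESP (NULL cipher + HMAC-SHA1-96) with SPD/SA lookup and an
anti-replay window. Added example with constructed inputs, not the talk's code."""
import hashlib
import hmac
import struct

ESP_PROTO = 50
ICV_LEN = 12          # HMAC-SHA1-96 truncates the 20-byte tag to 96 bits
FIELDS = ("src", "dst", "proto", "sport", "dport")


def ipv4_checksum(hdr):
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_ipv4_header(hdr, proto, payload_len):
    """Keep the original header (transport mode); fix length, protocol, checksum."""
    hdr = bytearray(hdr)
    struct.pack_into("!H", hdr, 2, len(hdr) + payload_len)
    hdr[9] = proto
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0x4000, 64, 0, 0, src, dst)
    return rewrite_ipv4_header(hdr, proto, len(payload)) + payload


def five_tuple(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    ports = struct.unpack("!HH", pkt[ihl:ihl + 4]) if proto in (6, 17) else (0, 0)
    return (pkt[12:16], pkt[16:20], proto) + ports


class SecurityAssociation:
    def __init__(self, spi, auth_key, window=64):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.seq_out = 0
        self.last_seq = 0      # highest sequence number accepted so far
        self.bitmap = 0        # bit i set: last_seq - i has already been received

    def next_seq(self):
        self.seq_out += 1      # the first packet on an SA carries sequence number 1
        return self.seq_out

    def replay_check_and_update(self, seq):
        """RFC 4303 Appendix A sliding window; call only after the ICV verified."""
        if seq == 0:
            return False
        if seq > self.last_seq:                        # right of the window: slide it
            shift = seq - self.last_seq
            if shift < self.window:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            else:
                self.bitmap = 1
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.window or (self.bitmap >> diff) & 1:
            return False                               # too old, or a duplicate
        self.bitmap |= 1 << diff
        return True


class Spd:
    """Ordered selector rules plus a five-tuple flow cache (the slide's hashed lookup)."""
    def __init__(self):
        self.rules, self.cache = [], {}

    def add(self, selector, action, sa=None):
        self.rules.append((selector, action, sa))

    def lookup(self, pkt):
        key = five_tuple(pkt)
        if key in self.cache:
            return self.cache[key]
        for selector, action, sa in self.rules:     # None in a selector is a wildcard
            if all(selector.get(f) in (None, v) for f, v in zip(FIELDS, key)):
                self.cache[key] = (action, sa)
                return action, sa
        return "DISCARD", None                       # RFC 4301 default when nothing matches


def esp_encapsulate(sa, pkt):
    ihl = (pkt[0] & 0x0F) * 4
    payload, next_hdr = pkt[ihl:], pkt[9]
    pad_len = (-(len(payload) + 2)) % 4            # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", sa.spi, sa.next_seq()) + payload + padding + bytes([pad_len, next_hdr])
    icv = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return rewrite_ipv4_header(pkt[:ihl], ESP_PROTO, len(body) + ICV_LEN) + body + icv


def outbound(spd, pkt):
    action, sa = spd.lookup(pkt)
    if action == "BYPASS":
        return "BYPASS", pkt
    if action == "PROTECT":
        return "PROTECT", esp_encapsulate(sa, pkt)
    return "DISCARD", None


def inbound(sa_table, pkt):
    """Returns (status, packet); status is OK, NOT_ESP, NO_SA, BAD_ICV or REPLAY."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ESP_PROTO:
        return "NOT_ESP", None
    esp = pkt[ihl:]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sa_table.get((pkt[16:20], spi))           # inbound SA is identified by dst + SPI
    if sa is None:
        return "NO_SA", None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]):
        return "BAD_ICV", None                     # verified before the window is touched
    if not sa.replay_check_and_update(seq):
        return "REPLAY", None
    pad_len, next_hdr = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return "OK", rewrite_ipv4_header(pkt[:ihl], next_hdr, len(payload)) + payload


def demo():
    key = b"\x0b" * 20                             # constructed key; real keys come from IKE
    src, dst, spi = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 0x1001
    spd = Spd()
    spd.add({"dst": dst, "proto": 17}, "PROTECT", SecurityAssociation(spi, key))
    spd.add({}, "BYPASS")
    sa_table = {(dst, spi): SecurityAssociation(spi, key)}
    udp = struct.pack("!HHHH", 4000, 500, 13, 0) + b"hello"   # constructed UDP datagram
    clear = build_ipv4(src, dst, 17, udp)
    _, protected = outbound(spd, clear)
    first = inbound(sa_table, protected)
    replayed = inbound(sa_table, protected)[0]
    tampered = inbound(sa_table, protected[:-1] + bytes([protected[-1] ^ 1]))[0]
    return clear, protected, first, replayed, tampered


if __name__ == "__main__":
    clear, protected, first, replayed, tampered = demo()
    print(len(clear), len(protected), first[0], replayed, tampered)
```

Two points the stage list glosses over are visible in the code: the ICV is verified before the replay window is updated, so a forged packet cannot advance the window, and the inbound SA is found by SPI rather than by the five-tuple, which is why the slide's five-tuple hash applies to the SPD/flow cache on the outbound side.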

Experiment and Performance

Parameters
Algorithms: AES, DES, 3DES
Packet length: 64 bytes to 1280 bytes
Number of cores: 1 to 16
System mechanism: pipeline vs run-to-completion

Test Environment
DPB: data processing block
Agilent N2X: multi-service test solution

Different Algorithms and Packet Lengths (results chart)

Different Numbers of Cores (results chart)

Pipeline vs Run-to-completion (results chart)


Conclusion
On the Cavium OCTEON CN58XX:
Algorithm: AES128 is the fastest
Packet length: the longer the better
Number of cores: the more the better
Mechanism: pipeline is better than run-to-completion
Why?

Algorithms
AES speed is almost the same as DES speed in the hardware implementation.
A smaller key gives a higher processing speed.
Note that this ranking is about speed only: DES and 3DES are deprecated and should not be chosen for new deployments, so the practical pick among the three is AES-128.

Packet length
The per-packet processing work (header parsing, lookup, SA handling) is fixed, independent of the packet length.
The longer the packets are, the fewer packets are processed in a given period, so the fixed per-packet cost is a smaller fraction of the total time, the processed bit rate is higher, and the performance is better.

Core number
Without any interaction between the cores (no shared state to contend for), the throughput is linear in the number of cores.

Mechanism

                               Pipeline                  Run-to-completion
Access to a critical region    Quit and de-schedule      May be blocked
Cache hit rate                 High (locality)           Low
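The two dispatch models from the Mechanisms slide and the comparison table above, as an added illustration in Python threads (an abstraction of the scheduling behaviour, not the talk's OCTEON code): in run-to-completion every core runs all six stages and the cores share the SA table, so the lookup stage is a critical region guarded by a lock that a core may block on; in the pipeline each stage has one owning core joined to its neighbours by FIFO queues, so the table has a single owner, needs no lock, and packets of one flow leave in the order they entered. The stage names and packet tuples are constructed placeholders.

```python
"""Run-to-completion vs. pipeline dispatch of the six-stage packet flow,
simulated with threads. Added illustration, not OCTEON code; the stages are
placeholders and the 'SA table' is a dict counting lookups per flow."""
import queue
import threading

STAGES = ("defrag", "decrypt", "lookup", "process", "encrypt", "output")


def make_packets(n_flows, per_flow):
    # constructed input: (flow_id, seq) with seq ascending inside each flow
    return [(flow, seq) for flow in range(n_flows) for seq in range(per_flow)]


def run_to_completion(packets, n_cores):
    """Every core pulls a packet and runs all stages on it. The SA table is
    shared by all cores, so the lookup stage is a critical region guarded by
    a lock: a core that finds it taken blocks until it is released."""
    work = queue.Queue()
    for pkt in packets:
        work.put(pkt)
    sa_table, table_lock, out, out_lock = {}, threading.Lock(), [], threading.Lock()

    def core():
        while True:
            try:
                flow, seq = work.get_nowait()
            except queue.Empty:
                return
            trace = []
            for stage in STAGES:
                if stage == "lookup":
                    with table_lock:                     # shared critical region
                        sa_table[flow] = sa_table.get(flow, 0) + 1
                trace.append(stage)
            with out_lock:
                out.append((flow, seq, tuple(trace)))

    threads = [threading.Thread(target=core) for _ in range(n_cores)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return out, sa_table


def pipeline(packets):
    """One core per stage, joined by FIFO queues. Only the lookup core touches
    the SA table, so no lock is needed, and FIFO hand-off keeps each flow's
    packets in arrival order. A None sentinel drains the pipeline."""
    queues = [queue.Queue() for _ in range(len(STAGES) + 1)]
    sa_table, out = {}, []

    def stage_core(i):
        while True:
            item = queues[i].get()
            if item is None:
                queues[i + 1].put(None)
                return
            flow, seq, trace = item
            if STAGES[i] == "lookup":
                sa_table[flow] = sa_table.get(flow, 0) + 1   # single owner, no lock
            queues[i + 1].put((flow, seq, trace + (STAGES[i],)))

    threads = [threading.Thread(target=stage_core, args=(i,)) for i in range(len(STAGES))]
    for t in threads:
        t.start()
    for flow, seq in packets:
        queues[0].put((flow, seq, ()))
    queues[0].put(None)
    while True:
        item = queues[-1].get()
        if item is None:
            break
        out.append(item)
    for t in threads:
        t.join()
    return out, sa_table


def in_order_per_flow(out):
    """True if, for every flow, packets left in the same order they entered."""
    last = {}
    for flow, seq, _ in out:
        if seq <= last.get(flow, -1):
            return False
        last[flow] = seq
    return True


if __name__ == "__main__":
    pkts = make_packets(4, 25)
    rtc_out, _ = run_to_completion(pkts, 8)
    pl_out, _ = pipeline(pkts)
    print("run-to-completion in order:", in_order_per_flow(rtc_out),
          "pipeline in order:", in_order_per_flow(pl_out))
```

The simulation only models where the shared state lives and who may touch it; on the real platform the hardware scheduler decides whether a core waits on a busy region or gives the work back and takes other work, which is the "quit and de-schedule" row of the table. Both models process every packet through every stage and arrive at the same SA-table counts; only the pipeline guarantees per-flow ordering.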

Future work
Comparison with other NPs and other security mechanisms
General, standard mechanisms for encrypting Internet traffic

Q&A
Thank you for listening!