Presentation is loading. Please wait.

Presentation is loading. Please wait.

Virtio-IPsec-LA PoC Implementation

Published byRoberta Perkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Virtio-IPsec-LA PoC Implementation"— Presentation transcript:

1 Virtio-IPsec-LA PoC Implementation
Subha Venkataramanan, Denis Crasta, Srini Addepalli

2 Virtio-IPsec-LA PoC Setup
Freescale LS2085RDB Hosts the IPsec VNF Implements Virtio-IPsec-LA acceleration Another laptop (LT2) is used for remote GW. IPsec implemented in Linux Laptop LT1 is used to generate clear traffic from LAN side. IPsec GW in VNF using Look-aside IPsec acceleration implemented in Freescale LS2085RDB LS2085 RDB LT1 Remote IPsec GW LT2 WAN side (encrypted traffic) LAN side (clear traffic)

3 Virtio-IPsec-LA PoC implementation details
IPsec Packet Processing – Look Aside Accelerator Flow Fastpath Receives packets from virtio- net devices and does forwarding and IPsec Registers with Linux kernel for offload of flows, routes and Sas Both the above are facilitated by fastpath patch to Linux kernel Virtio-IPsec Frontend IPsecFP uses g-API to access the virtio-IPsec device Virtio-IPsec Backend Uses the user mode driver for the IPsec accelerator hardware VNF Linux Kernel (iptables, route, IPsec) LAN side (clear) traffic WAN side (encrypted) traffic Look-aside IPsec Path SW Interfaces FastPath IPsecFP IPsec g-API Virtio-net Frontend Virtio-net Frontend Virtio-IPsec Frontend Host Linux User QEMU VRING Transport Virtio-IPsec Backend Host Linux Kernel VHOST-NET KVM br0 br1 Hardware NICs IPsec Accelerator Hardware To LAN side LT1 To peer IPsec GW (LT2)

4 g-API for IPSec Data API Control API Management API
g_ipsec_la_packet_encap() Send a packet for encapsulation g_ipsec_la_packet_decap() Send a packet for decapsulation g_ipsec_la_mult_packet_encap() Send multiple packets for encapsulation g_ipsec_la_multi_packet_decap() Send multiple packets for decapsulation Control API g_ipsec_la_capabilities_get() Get the capabilities of the underlying devices g_ipsec_la_sa_add() Add SA g_ipsec_la_sa_del() Delete SA g_ipsec_la_sa_mod() Modify SA g_ipsec_la_sa_flush() Flush SA g_ipsec_la_sa_get() Read and Traversal SA g_ipsec_la_notifications_hook_register() Register hooks for optional notifications such as Sequence number overflow or lifetime in kilobytes expiry etc. Management API g_ipsec_la_get_api_version() Get the API version g_ipsec_la_avail_devices_getinfo() Get the information on available devices g_ipsec_la_active_devices_getinfo() Get the information on active devices g_ipsec_la_open() Open a device g_ipsec_la_close() Close a device g_ipsec_la_group_create() Create a logical group for grouping SAs g_ipsec_la_group_delete() Delete a logical group

5 OPNFV Introduction

Download ppt "Virtio-IPsec-LA PoC Implementation"

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Fluffy’s Safe Right? If you want to limit a user’s functionality, don’t make them an administrator.

Fluffy’s Safe Right? If you want to limit a user’s functionality, don’t make them an administrator.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Keith Wiles Keith.Wiles@Intel.com DPACC vNF Overview and Proposed methods Keith Wiles Keith.Wiles@Intel.com 2015.04.03 – v0.5.

Keith Wiles DPACC vNF Overview and Proposed methods Keith Wiles – v0.5.
Accelerating the Path to the Guest

Accelerating the Path to the Guest
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Network Implementation for Xen and KVM Class project for E6998-01: Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)

Network Implementation for Xen and KVM Class project for E : Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)
Cryptography and Network Security

Cryptography and Network Security
DPACC vNF Overview and Proposed methods Keith Wiles 1 2015.04.03 – v0.5.

DPACC vNF Overview and Proposed methods Keith Wiles – v0.5.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
IPSec in a Multi-OS Environment. What is IPSec? IPSec stands for Internet Protocol Security It is at a most basic level a way of adding security to your.

IPSec in a Multi-OS Environment. What is IPSec? IPSec stands for Internet Protocol Security It is at a most basic level a way of adding security to your.
© 2010 IBM Corporation Plugging the Hypervisor Abstraction Leaks Caused by Virtual Networking Alex Landau, David Hadas, Muli Ben-Yehuda IBM Research –

© 2010 IBM Corporation Plugging the Hypervisor Abstraction Leaks Caused by Virtual Networking Alex Landau, David Hadas, Muli Ben-Yehuda IBM Research –

Similar presentations

Ads by Google