How FD.io 20.01 Release Improves Multicore IPSec

March 23, 2020 (updated April 8th, 2020) | Blog

By Neal Hartsell, CMO at Netgate and FD.io community member 

The most established (and the only standards-based) VPN protocol is Internet Protocol Security (IPSec). IPSec encrypts packets for confidentiality and authenticates them for integrity and origin, protecting data flowing over public infrastructure (e.g., the Internet) or private infrastructure from prying eyes.

The rise in worker mobility and increasingly complex multi-cloud architectures are escalating organizations’ reliance on encryption. This puts computational strain on VPN products, especially as link speeds climb from 1 to 10 to 40 Gbps or more. Traditional router/VPN appliances buckle under the load, forcing the quest for higher-performance solutions that won’t break the bank.

Good news. High-performance IPSec is an application where VPP clearly shines – especially when compared to traditional solutions underpinned by kernel-based, single-packet-at-a-time processing.

In fact, one vendor that has productized VPP reports the following performance numbers (AES-128-GCM encrypted IMIX traffic processed by a stock Intel® Xeon® Gold 6130 CPU @ 2.10 GHz):

  • 3.07 MPPS (8.86 Gbps) (QAT assist)
  • 2.13 MPPS (6.14 Gbps) (no QAT assist)

Ready for the punchline? That was on a single core.

Try getting near 10 Gbps IMIX performance through a kernel-based packet processing solution. Let that sink in for just a moment. A reader may say, “I can get 10 Gbps IPSec through a single core using kernel processing and a QAT offload card – no problem.” You’d be right. But IMIX traffic, which is more representative of real-world conditions, needs roughly 4X the packet rate of 1500-byte iPerf frames to move the same number of bits, and per-packet work is what actually limits a forwarder.

We know some of our readers may want to dig deep here. Let’s peel it back…

For a 1 Gbps link carrying 1500-byte packets (1518-byte Ethernet frames once the 14-byte header and 4-byte FCS are added, 1538 bytes on the wire with the 8-byte preamble and 12-byte inter-frame gap), you need 81,274 PPS to achieve “line rate”.

If that same 1 Gbps link is moving minimum-size 64-byte frames (84 bytes on the wire), you need 1,488,095 PPS to hit line rate.

IMIX sits between these two. Simple IMIX is a repeating sequence of (7) 40-byte packets plus (4) 576-byte packets plus (1) 1500-byte packet. Add the Ethernet overhead and the 40-byte packets become 78 bytes on the wire, which is shorter than the 84-byte minimum, so they are padded and really occupy 84 bytes; the 576-byte packets occupy 614 bytes, and the 1500-byte packets 1538 bytes.

So every Simple IMIX sequence of 12 packets is 36,656 bits: (7×84 + 4×614 + 1×1538) × 8.

The math says you need 327,368 PPS (1,000,000,000 bits per second ÷ 36,656 bits per sequence × 12 packets per sequence) to forward IMIX at line rate on a 1 Gbps link. That is 4X the packet rate of large frames alone.

Now, if your system was barely able to forward 1500-byte packets, what chance do you have once you run an expensive AES operation over every byte of the payload and do more per-packet work (ESP headers, the integrity algorithm, etc.)?

But we’re not done. Multiply by 10, because we’re going to run on a 10 Gbps link. VPP can forward 14M packets per second (PPS) on a single core. For 64-byte frames, line rate needs 14,880,952 PPS. For IMIX, it needs 3,273,680 PPS, which leaves plenty of excess capacity for IPSec.

Net net: because VPP is so efficient, it gets out of the way of packet forwarding and leaves more room (time, instruction count) for crypto operations.
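The arithmetic above, as an added worked example that is not code from the original post or from the VPP project. It generalizes the Simple IMIX case to any packet mix and link speed, applies the Ethernet minimum-frame padding edge case that turns a 40-byte packet into 84 bytes on the wire, and computes how much of a per-core packet budget is left for crypto. The 14 Mpps per-core figure used in the usage line is the one quoted in the post; the function and constant names are this example's own.

```python
"""Line-rate packet budget calculator (added example; not VPP code).

Overhead model: 14-byte Ethernet header + 4-byte FCS around the IP packet,
plus 8-byte preamble/SFD and 12-byte inter-frame gap on the wire. Frames
shorter than 64 bytes are padded up to 64 before the preamble/IFG are added.
"""

ETH_HEADER_FCS = 18   # 14-byte header + 4-byte FCS
PREAMBLE_IFG = 20     # 8-byte preamble/SFD + 12-byte inter-frame gap
MIN_FRAME = 64        # minimum Ethernet frame (header + payload + FCS)

# Simple IMIX as used in the post: (count, IP packet length in bytes) per sequence.
SIMPLE_IMIX = [(7, 40), (4, 576), (1, 1500)]


def wire_bytes(ip_len: int) -> int:
    """Bytes one packet occupies on the wire, including minimum-frame padding."""
    frame = max(ip_len + ETH_HEADER_FCS, MIN_FRAME)   # 40-byte IP -> 64-byte frame
    return frame + PREAMBLE_IFG                        # 64-byte frame -> 84 on the wire


def line_rate_pps(link_bps: int, ip_len: int) -> int:
    """Packets per second needed to saturate a link with fixed-size packets.

    The post's "64-byte packet" is a minimum-size frame, i.e. a 46-byte IP packet.
    """
    return round(link_bps / (wire_bytes(ip_len) * 8))


def mix_line_rate_pps(link_bps: int, mix) -> int:
    """Packets per second needed to saturate a link with a repeating packet mix."""
    packets = sum(count for count, _ in mix)
    bits_per_sequence = sum(count * wire_bytes(ip_len) * 8 for count, ip_len in mix)
    return round(link_bps * packets / bits_per_sequence)


def crypto_headroom(core_pps: int, link_bps: int, mix) -> float:
    """Fraction of a core's forwarding budget left for IPSec after moving the mix at line rate.

    Negative means the core cannot even forward the mix at line rate, let alone encrypt it.
    """
    needed = mix_line_rate_pps(link_bps, mix)
    return 1.0 - needed / core_pps


if __name__ == "__main__":
    for gbps in (1, 10):
        bps = gbps * 10**9
        print(f"{gbps} Gbps: 1500B {line_rate_pps(bps, 1500):>10,} pps | "
              f"min-size {line_rate_pps(bps, 46):>10,} pps | "
              f"IMIX {mix_line_rate_pps(bps, SIMPLE_IMIX):>10,} pps")
    # Per-core budget quoted in the post: 14M pps on one VPP core.
    print(f"headroom at 10 Gbps IMIX on a 14 Mpps core: "
          f"{crypto_headroom(14_000_000, 10**10, SIMPLE_IMIX):.1%}")
```

Run it as a script to print the post's four packet rates side by side; the headroom line shows that at 10 Gbps of IMIX roughly three quarters of a 14 Mpps core's packet budget remains for the ESP and crypto work, which is the "excess capacity" the post refers to.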

There was just one little problem. Prior to FD.io’s VPP Release 20.01, IPSec processing was restricted to a single core. Pitted against a multi-core traditional IPSec product, the aggregate numbers didn’t look so great. Sort of like “My squirrel spins the cage a lot faster than your squirrels. Uh-oh. I see you have 20 squirrels to my one. I guess I lose.”

VPP Release 20.01 lets a single solution instance – whether appliance, VM, or cloud instance – process IPSec across multiple cores. Running multi-core is safe because each Security Association (SA) is bound to the core that first saw it, so an SA’s per-packet state is never worked on by two cores at once.
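To make the "bound to the initial core" rule concrete, here is an added model, not VPP's code and not a description of its internals: each inbound SA owns an anti-replay window (the sliding-window check ESP performs on sequence numbers), the dispatcher pins an SA to the worker that first sees it, and from then on only that worker touches the SA's window, so no lock is needed. The round-robin first-sighting assignment, the 64-bit window size, the class and function names, and the sample packet stream are all this example's own assumptions.

```python
"""Model of per-SA state pinned to one worker (added example; not VPP code)."""
from collections import defaultdict

WINDOW = 64  # anti-replay window width in sequence numbers (assumed for the model)

# Constructed sample traffic: (SPI, ESP sequence number) in arrival order.
SAMPLE = [
    (0x1001, 1), (0x2002, 1), (0x3003, 1),
    (0x1001, 3), (0x1001, 2), (0x1001, 2),   # reorder accepted, then a replay
    (0x2002, 70), (0x2002, 5),               # seq 5 has fallen out of the window
    (0x3003, 2), (0x3003, 1),                # replay of seq 1
]


class InboundSa:
    """Inbound SA state: a sliding anti-replay window with a single writer."""

    def __init__(self, spi: int):
        self.spi = spi
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means seq (top - i) was already accepted

    def replay_check(self, seq: int) -> bool:
        """Accept seq if it is new and inside the window; mutate state on accept."""
        if seq == 0:                      # ESP sequence numbers start at 1
            return False
        if seq > self.top:                # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= WINDOW:                # older than the window: drop
            return False
        if self.bitmap & (1 << diff):     # already seen: replay, drop
            return False
        self.bitmap |= 1 << diff          # late but new: accept
        return True


class Dispatcher:
    """Sticky assignment: an SA is bound to the worker that first sees it."""

    def __init__(self, n_workers: int):
        self.n_workers = n_workers
        self.binding = {}                 # spi -> worker index
        self.sa = {}                      # spi -> InboundSa
        self.accepted = defaultdict(int)  # worker -> accepted packet count
        self.next_worker = 0              # round-robin stand-in for "core it was seen on"

    def dispatch(self, spi: int, seq: int):
        """Route (spi, seq) to the SA's bound worker and run the replay check there."""
        if spi not in self.binding:
            self.binding[spi] = self.next_worker
            self.next_worker = (self.next_worker + 1) % self.n_workers
            self.sa[spi] = InboundSa(spi)
        worker = self.binding[spi]
        ok = self.sa[spi].replay_check(seq)   # only `worker` ever touches this SA
        if ok:
            self.accepted[worker] += 1
        return worker, ok


def run_sample(n_workers: int = 2) -> dict:
    """Push the constructed stream through the dispatcher and summarize the outcome."""
    d = Dispatcher(n_workers)
    dropped = 0
    for spi, seq in SAMPLE:
        _, ok = d.dispatch(spi, seq)
        dropped += not ok
    return {"binding": dict(d.binding), "accepted": dict(d.accepted), "dropped": dropped}


if __name__ == "__main__":
    print(run_sample())
```

The point of the model is the comment on `replay_check`: the window's `top` and `bitmap` are read-modify-write state, so two workers handling the same SA would either race and accept replays or have to serialize on a lock. Binding the SA to one worker removes both problems, and adding workers then scales as long as traffic is spread across enough SAs.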

Need more IPSec processing? Add cores. VPP will do the rest. Screaming fast encryption done in software. End users get transparent secure networking at greater speed. IT budget owners are heroes for spending less money to enable the same. Score one for the entire team. Everyone wins!