By Neal Hartsell, CMO at Netgate and FD.io community member
The most established (and only standards-based) VPN protocol is Internet Protocol Security (IPSec). IPSec encrypts data packets for confidentiality – and provides integrity and sender authentication – protecting data flowing over public (e.g., Internet) or private infrastructure from prying eyes.
The rise in worker mobility and increasingly complex multi-cloud architectures is escalating organizations’ reliance on encryption. This puts computational strain on VPN products, especially as they evolve, for example, from 1 to 10 to 40 Gbps or more. Traditional router/VPN appliances buckle under the load, forcing the quest for higher performance solutions that won’t break the bank.
Good news. High-performance IPSec is an application where VPP clearly shines – especially when compared to traditional solutions underpinned by kernel-based, single packet at a time processing approaches.
In fact, one vendor who has productized VPP reports observing the following performance numbers (based on AES-GCM-128 encrypted IMIX traffic being processed by a stock Intel® Xeon® Gold 6130 CPU @ 2.10GHz):
- 3.07 MPPS (8.86 Gbps) (QAT assist)
- 2.13 MPPS (6.14 Gbps) (no QAT assist)
Ready for the punchline? That was on a single core.
Try getting near 10 Gbps IMIX performance through a kernel-based packet processing solution. Let that sink in for just a moment. A reader may say, “I can get 10 Gbps IPSec through a single core using kernel processing and a QAT offload card – no problem.” You’d be right. But IMIX traffic – more representative of real-world traffic conditions – is about 3X harder (in packets per second at a given bit rate) than 1500 byte iPerf frames.
We know some of our readers may want to dig deep here. Let’s peel it back…
For a 1 Gbps link using 1518 byte packets (1500 MTU, 1538 bytes with all overhead: preamble, start-of-frame delimiter and inter-frame gap), you need 1,000,000,000 / (1538 × 8) = 81,274 PPS to achieve “line rate”.
There was just one little problem. Prior to FD.io’s VPP Release 20.01, IPSec processing was restricted to a single core. Pitted against a multi-core traditional IPSec product, the aggregate numbers didn’t look so great. Sort of like “My squirrel spins the cage a lot faster than your squirrels. Uh-oh. I see you have 20 squirrels to my one. I guess I lose.”
VPP Release 20.01 makes it so IPSec can now be processed in a single solution instance – whether appliance, VM, or cloud instance – across multiple cores. Running multi-core is safe because each Security Association (SA) is bound to the worker core on which it was first seen, so per-SA state such as sequence numbers and the anti-replay window is never updated from two cores at once.
Need more IPSec processing? Add cores. VPP will do the rest. Screaming fast encryption done in software. End users get transparent secure networking at greater speed. IT budget owners are heroes for spending less money to enable the same. Score one for the entire team. Everyone wins!