Unleash the Power of DPDK IPsec Library for High Performance Data Plane Processing


Table of Contents

  1. Introduction
  2. Background and Purpose
  3. Overview of IPSec Library
  4. Core Functionality of the Library
  5. Optional Modules and Integration Models
  6. Shim Layer for Existing Clients
  7. Hardware Acceleration in the Library
  8. Components of the Library
  9. Focus Areas for Development
  10. Feature Sets in the 19.02 Release
  11. API Overview and Changes
  12. Security Policy and Association Databases
  13. Crypto Load Balancing
  14. Migration of Processing Models
  15. Integration with IPSec Security Gateway
  16. Roadmap for Ongoing Work
  17. Conclusion

Introduction

Hey folks, I'm Declan Tardes Johnson from Intel, and I'm excited to share with you some updates on the ongoing work on the DPDK IPSec library. Constantine, one of my colleagues, is leading this project in our team in Shannon. In this article, I'll give you an overview of the project, including its background, purpose, and the recent changes at the community and API levels. The IPSec library aims to create a high-performance solution for IPSec data plane processing, extending the functionality of DPDK. So let's dive in and explore the exciting developments happening in this project!

Background and Purpose

Before we delve into the details, let's understand why we are developing the IPSec libraries. IPSec, a core technology in data plane applications, is becoming increasingly prevalent. It plays a crucial role in ensuring data security and integrity. With the growing need for accelerated IPSec and the potential inclusion of IPSec in smart NICs, having a comprehensive solution in DPDK is vital. The IPSec libraries aim to provide a complete toolkit for IPSec implementation, empowering developers with high performance and scalability. Now, let's explore the various aspects of this project in more detail.

Overview of IPSec Library

The IPSec library is being developed as a modular solution to meet the diverse needs of different integration models. The core functionality of the library revolves around data plane enablement, SA (Security Association) management, and API availability. It aims to provide a flexible, scalable, and high-performance library for IPSec processing. Additionally, the library focuses on enabling hardware acceleration, including lookaside accelerators and inline acceleration models. This allows for efficient and optimized processing from the get-go.

Core Functionality of the Library

At the heart of the IPSec library lies its core functionality. It includes the data path module, which handles packet processing, encapsulation, encryption, and decryption. This module is designed to be independent of the database implementation, allowing seamless integration with existing projects. The library offers low-level APIs for protocol processing, enabling efficient handling of input packets and providing crypto ops for further processing. These APIs lay the foundation for higher-level abstractions that hide the complexity of crypto processing from the user.

Optional Modules and Integration Models

In addition to the core functionality, the IPSec library offers optional modules for implementing security policy and association databases. These modules can be selectively integrated based on the desired integration model. By providing flexibility in database implementations, the library caters to a wide range of deployment models. This adaptability allows users to choose the best-suited implementation for their specific use cases, whether it involves a small number of high-throughput tunnels or millions of low-throughput tunnels.

Shim Layer for Existing Clients

To facilitate seamless integration with existing clients, the IPSec library includes a shim layer. This layer serves as an integration point, enabling clients to hook up their preferred userland daemon or any other encryption device. By providing this compatibility, the library allows for smooth transitions and easy adoption by projects already utilizing IPSec.

Hardware Acceleration in the Library

One of the key goals of the IPSec library is to enable hardware acceleration. It aims to capitalize on the availability of hardware accelerators, such as lookaside accelerators and inline crypto accelerators. By leveraging these accelerators from day one, the library ensures optimal performance and efficiency. This emphasis on hardware acceleration sets the stage for faster and more robust IPSec processing.

Components of the Library

The IPSec library comprises several components, each playing a specific role in IPSec data plane processing. The current focus is on the data path and SA management. This involves creating security associations and processing packets through encryption, decryption, and encapsulation. Over the course of future releases, additional modules, such as a high-performance SA database and security policy database, will be integrated. These modules will utilize existing DPDK libraries, like hash tables and ACL tables, to enhance functionality and scalability.

Focus Areas for Development

In the 19.02 release, our primary focus is on enabling ESP in tunnel and transport modes for IPv4 implementations. While IPv6 support will also be included, it will be more limited in scope initially. The release aims to provide support for various cryptographic algorithms, including AES-CBC, HMAC-SHA1, AES-GCM, and more. Key sizes, such as 256 and 192, will be supported, catering to a wide range of cryptographic requirements. Additionally, the release will focus on enabling CPU-based and lookaside-based crypto processing through the cryptodev APIs. Inline crypto processing on ixgbe devices will also be supported to leverage hardware acceleration.

Feature Sets in the 19.02 Release

The 19.02 release of the IPSec library will introduce significant features and improvements. These features include ESP in tunnel and transport modes, IPv6 support, AES-CBC, HMAC-SHA1, AES-GCM, and support for different key sizes. The release will also provide enhanced crypto processing capabilities utilizing CPU-based and lookaside-based methods. Additionally, extended sequence number and anti-replay implementations will be included. These features set the foundation for secure and efficient IPSec processing.
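The anti-replay check mentioned above, as an added illustration of the RFC 4303 sliding-window mechanism; this is not code from DPDK or from the talk. The 64-packet window and the struct and function names are assumptions, and the sequence number is taken as the full 64-bit value (extended sequence number already reconstructed).

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WIN 64u /* window size in packets (assumed: one 64-bit bitmap) */

/* Per-SA inbound replay state. Hypothetical names, not the DPDK API. */
struct replay_state {
    uint64_t top;    /* highest sequence number authenticated so far */
    uint64_t bitmap; /* bit i set => sequence number (top - i) already seen */
};

/* Run before decryption: 0 = acceptable, -1 = replayed or too old. */
static int replay_check(const struct replay_state *rs, uint64_t seq)
{
    if (seq == 0) return -1;          /* ESP sequence numbers start at 1 */
    if (seq > rs->top) return 0;      /* right of the window: new packet */
    uint64_t off = rs->top - seq;
    if (off >= REPLAY_WIN) return -1; /* left of the window: too old */
    return ((rs->bitmap >> off) & 1) ? -1 : 0;
}

/* Run only after the ICV verified, so forged packets cannot move the window. */
static void replay_update(struct replay_state *rs, uint64_t seq)
{
    if (seq > rs->top) {
        uint64_t shift = seq - rs->top;
        rs->bitmap = (shift >= REPLAY_WIN ? 0 : rs->bitmap << shift) | 1;
        rs->top = seq;
    } else {
        rs->bitmap |= (uint64_t)1 << (rs->top - seq);
    }
}

/* Demo helper: check, then commit as if authentication had succeeded. */
static int replay_accept(struct replay_state *rs, uint64_t seq)
{
    if (replay_check(rs, seq) != 0) return -1;
    replay_update(rs, seq);
    return 0;
}

int main(void)
{
    struct replay_state rs = {0, 0};
    uint64_t seqs[] = {1, 2, 5, 3, 5, 100, 36, 37, 100}; /* constructed input */
    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        printf("seq %llu -> %s\n", (unsigned long long)seqs[i],
               replay_accept(&rs, seqs[i]) ? "drop" : "accept");
    return 0;
}
```

Splitting the check from the update matters on the inbound path: the window advances only for packets that passed integrity verification.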

API Overview and Changes

The IPSec library API has undergone some changes based on user feedback and community collaboration. The API now provides standard functions for IPSec creation, destruction, and lookup. Additional features, such as SA type functions and session handling, have been introduced to improve flexibility and workflow. The low-level APIs focus on protocol processing, while helper functions facilitate the grouping and processing of packets associated with a specific security association. Future developments will include a higher-level API that abstracts the crypto processing model, simplifying usage for end users.

Security Policy and Association Databases

To accommodate the diverse deployment models and use cases of IPSec, the library aims to provide standard APIs for security policy and association databases. These APIs will enable users to choose and implement the most suitable database model according to their specific needs. The pluggable nature of these databases allows for seamless integration and customization, ensuring optimal performance and scalability.

Crypto Load Balancing

Efficient resource utilization is crucial for IPSec processing. To optimize resource allocation, the IPSec library incorporates crypto load balancing features. These features allow users to provide quality of service parameters during IPSec creation. The library can then intelligently distribute the processing load based on the available resources and the specific requirements of each tunnel. This simplifies resource management and ensures smooth operation, especially in scenarios with varying throughput and latency demands.

Migration of Processing Models

The IPSec library aims to support dynamic migration between different processing models. This flexibility allows users to adapt their processing model based on resource availability and performance requirements. Whether migrating from CPU-based crypto processing to lookaside or inline processing, the library provides the necessary capabilities. This migration ability ensures efficient utilization of available resources and optimal performance.

Integration with IPSec Security Gateway

To showcase the capabilities of the IPSec library, we will integrate it with the IPSec security gateway sample application. This integration will enable the security gateway to utilize the new library for IPSec processing. Key material negotiation and SA database updates will be handled by an external IKE daemon, enhancing the security gateway's functionality. The integration will enable seamless IPSec processing and demonstrate the library's effectiveness in real-world scenarios.

Roadmap for Ongoing Work

Although significant progress has been made, there are several areas that require further development and exploration. The immediate plan entails fully migrating the security gateway application to use the IPSec library. Additionally, features like H tunnel transport mode for IPv6, scaling the data path for multi-core processing, and developing a high-level API are on the roadmap. The library's integration with event dev for IPSec processing and the development of a daemon are also planned for future releases. Collaboration and feedback from the community are essential for the successful development and enhancement of the IPSec library.

Conclusion

In conclusion, the ongoing development of the IPSec library aims to provide a high-performance, scalable, and comprehensive solution for IPSec data plane processing. With a modular architecture, hardware acceleration, and flexible integration options, the library caters to a wide range of use cases and deployment models. The 19.02 release and future developments promise significant improvements in IPSec processing capabilities. As we continue to work on various components, your collaboration and feedback are invaluable in shaping the future of the IPSec library and ensuring its effectiveness in diverse networking environments.


Highlights

  • The IPSec library aims to provide a high-performance solution for IPSec data plane processing.
  • It focuses on modular architecture, hardware acceleration, and flexible integration options.
  • The 19.02 release introduces ESP in tunnel and transport modes, AES-CBC, HMAC-SHA1, and AES-GCM support.
  • The library supports CPU-based and lookaside-based crypto processing.
  • Standard APIs for security policy and association databases offer flexibility in deployment models.
  • Crypto load balancing enables efficient resource utilization.
  • Dynamic migration between processing models ensures optimal performance.
  • Integration with the IPSec security gateway application showcases library capabilities.
  • The roadmap includes scaling the data path, high-level API development, and daemon integration.

FAQ

Q: What is the purpose of the IPSec library? A: The IPSec library aims to provide a high-performance solution for IPSec data plane processing, extending the functionality of DPDK.

Q: What are some key features of the 19.02 release? A: The 19.02 release introduces ESP in tunnel and transport modes, IPv6 support, AES-CBC, HMAC-SHA1, AES-GCM, and various key sizes. It also focuses on CPU-based and lookaside-based crypto processing.

Q: Can the IPSec library accommodate different deployment models? A: Yes, the library provides standard APIs for security policy and association databases, allowing users to choose the most suitable implementation based on their deployment model.

Q: How does the IPSec library optimize resource utilization? A: The library incorporates crypto load balancing, which enables users to provide quality of service parameters for efficient resource allocation during IPSec creation.

Q: Can the processing model be changed dynamically with the IPSec library? A: Yes, the library supports dynamic migration between different processing models, allowing users to adapt based on available resources and performance requirements.

Q: What are the future plans for the IPSec library? A: The roadmap includes scaling the data path, developing a high-level API, integrating with event dev, and creating a daemon for extended functionality.
