BUD17-306 ODP IPsec Offload Panel
LNG ODP Development Team
ENGINEERS AND DEVICES
WORKING TOGETHER
Participants
Application Perspective
● Petri Savolainen, Nokia
● Bogdan Pricope, Enea
Implementer Perspective
● Bala Manoharan, Cavium
● Nikhil Agarwal, NXP
Moderator
● Bill Fischofer, Linaro
IPsec Offload Goals - Lookaside Processing
Synchronous:
● odp_ipsec_in() for decrypt
● odp_ipsec_out() for encrypt
Asynchronous:
● odp_ipsec_in_enq() for decrypt
● odp_ipsec_out_enq() for encrypt
IPsec Offload Goals - Offload Processing
Application Perspective
Application level entities
● Security Policy Database (SPD-I, SPD-O, SPD-S)
● Security Association Database (inbound, outbound)
● Cache inbound (optional) meant for multicast traffic
● Cache outbound
● Custom key management (interaction) support
[Diagram: Application and ODP layers, with SPDs, SADs, Cache inbound, Cache outbound and Custom key management]
Asynchronous processing
[Flow diagram: asynchronous processing in odp_thread processing loops.
Inbound processing labels: Packet; Ours / ESP / AH; unicast; multicast; Cache inbound SA search; odp_ipsec_in_enq(); Async event; Process result; SAD check; Process next header.
Outbound processing labels: Packet processing; Cache outbound; Packet found, protect; odp_ipsec_out_enq(); Async event; Process result; Send packet; Encrypted packet; not found; SPD; Key mgmt.]
Implementation Perspective
IPSEC LOOKASIDE API offerings
● Complete IPSEC state machine in ODP (HW)
● Pushing IPSEC tunnel headers in HW.
● Expose HW accelerators via common ODP APIs.
● IPSEC bottlenecks are offloaded in HW for performance including:
  ○ Sequence number update
  ○ Random IV
  ○ Anti replay checks
  ○ ICV checksum
  ○ Crypto operations
[Flow diagram: Implementation Domain vs Application Domain. Labels: HW crypto Engine with protocol assist; Pktio-IN; Pktio-Out; Packet; ODP_schedule; Event type?; IPSEC_EVENT; Check IPSEC result; ESP or AH?; SA Lookup; Policy lookup; Route Lookup; IPSEC needed? (Yes / No); Enqueue to crypto engine; ODP_PKTIO_ENQ; IPSEC_OUT_ENQ; IPSEC_IN_ENQ.]
IMIX Traffic Performance Comparison
Work in Progress: ODP Inline offload APIs
[Flow diagram: Implementation Domain vs Application Domain. Labels: HW crypto Engine with protocol assist; Pktio-IN; Pktio-Out; Packet; ODP_schedule; Event type?; IPSEC_EVENT; Check IPSEC result; ESP or AH?; SA Lookup; Policy lookup; Route Lookup; IPSEC needed? (Yes / No); ODP_PKTIO_ENQ.]
IPSEC INLINE API proposals
● Packets received directly by IPsec offload engine
● SPI based lookup for inbound traffic
● Classification rules run on decrypted IPsec packets before sending to application
● Packets can be transmitted directly through PKTIO after encryption
● Packets could also be sent through Traffic Manager queues for transmission
IMIX Traffic Performance Comparison
Thank You
#BUD17
For further information: www.linaro.org
BUD17 keynotes and videos on: connect.linaro.org