This document discusses proposed IPsec functionality for securing VXLAN traffic in a datacenter. It describes using IPsec in transport mode with AES-CBC and HMAC-SHA1-96 to provide confidentiality, integrity and authentication. A new "vxlanipsec" interface type is proposed to handle VXLAN encapsulation/decap and ESP encapsulation/decap using DPDK cryptodev for hardware acceleration. Performance metrics show encap rates of 2.7-7.1 million packets per second for a single PMD instance on Intel hardware. Future work includes supporting GCM mode, IPsec tunnels, dynamic key re-keying and integrating with OVS and RTE_Security.
10. Proposed IPsec functionality: Vxlanipsec Encap
[Figure: Hypervisor 1 topology: VM 1, vhu-0, br-int, vxlanipsec0, br0, dpdk0]
• Packet arrives at ‘vhu-0’ as follows:
  Ethernet Header | IP Header | L4 Header | Payload
• Packet arrives at ‘vxlanipsec0’
• Encap packet header built as follows (ETH/IP and UDP/VXLAN headers, ESP header/Initialization Vector):
  Outer Ethernet Header | Outer IP Header | ESP Header | IV | UDP Header | VXLAN Header | Original packet
• Encap packet trailer built as follows (Padding/ESP trailer/Digest):
  Original packet | Cipher Padding | ESP Trailer | ESP Digest
11. Proposed IPsec functionality: Vxlanipsec Decap
[Figure: Hypervisor 2 topology: dpdk1, br1, vxlanipsec1, br-int, vhu-1, VM 2]
• Packet arrives at dpdk1 as follows:
  Outer Ethernet Header | Outer IP Header | ESP Header | Encrypted Payload | ESP Digest
• Encrypted Payload consists of (the leading IV is carried in the clear; everything after it is ciphertext):
  IV | UDP Header | VXLAN Header | Original packet | Cipher Padding | ESP Trailer
• Packet routed to ‘vxlanipsec1’ for decap
• Use crypto dev to:
  • Validate Digest ✓
  • Decrypt payload ✓
• Extract tunnel metadata.
• Pop vxlan/ESP headers and trailers for recirculation.
  Resulting packet: Ethernet Header | IP Header | L4 Header | Payload
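The encap (slide 10) and decap (slide 11) framing above, as an added example that is not part of the slides or of the vxlanipsec code: it builds the UDP/VXLAN inner headers, the ESP header, IV, RFC 4303 padding, trailer and HMAC-SHA1-96 digest, and on decap validates the digest before decrypting, then checks the trailer and pops the headers. The IV, SPI, key and frame are constructed sample values, and because the Python standard library has no AES, `demo_cipher` is a labelled stand-in for AES-CBC that gives no confidentiality.

```python
# Added example (not from the slides): ESP transport-mode framing for the
# vxlanipsec encap/decap path with HMAC-SHA1-96, verified before decrypt.
import hashlib
import hmac
import struct
from itertools import cycle

AES_BLOCK = 16       # AES-CBC block and IV size (slides specify AES-CBC)
ICV_LEN = 12         # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits
NEXT_HDR_UDP = 17    # ESP next header: VXLAN rides on UDP
VXLAN_PORT = 4789

def demo_cipher(iv, data):
    # PLACEHOLDER for AES-CBC so the example runs offline: XOR with the IV
    # stream gives NO confidentiality; a deployment uses the cryptodev here.
    return bytes(a ^ b for a, b in zip(data, cycle(iv)))

def vxlan_wrap(inner_frame, vni, src_port=49152):
    """Build UDP + VXLAN headers around the original Ethernet frame."""
    udp = struct.pack("!HHHH", src_port, VXLAN_PORT, 16 + len(inner_frame), 0)
    vxlan = struct.pack("!BBBBI", 0x08, 0, 0, 0, vni << 8)  # I flag, 24-bit VNI
    return udp + vxlan + inner_frame

def esp_encap(spi, seq, auth_key, encrypt, iv, plaintext):
    """ESP header | IV | cipher(plaintext | pad | pad_len | next_hdr) | ICV."""
    pad_len = (-(len(plaintext) + 2)) % AES_BLOCK            # RFC 4303 padding
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HDR_UDP])
    body = struct.pack("!II", spi, seq) + iv + encrypt(iv, plaintext + trailer)
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def esp_decap(pkt, auth_key, decrypt):
    """Validate digest, then decrypt, then pop VXLAN/ESP framing (slide 11 order)."""
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # reject before any decrypt work
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    iv, ciphertext = body[8:8 + AES_BLOCK], body[8 + AES_BLOCK:]
    padded = decrypt(iv, ciphertext)
    pad_len, next_hdr = padded[-2], padded[-1]
    if next_hdr != NEXT_HDR_UDP or padded[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP trailer or padding")
    plaintext = padded[:-2 - pad_len]
    vni = struct.unpack("!I", plaintext[12:16])[0] >> 8     # tunnel metadata
    return spi, seq, vni, plaintext[16:]                   # strip UDP(8)+VXLAN(8)
```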
12. Design Considerations
Crypto Dev Creation
  • Intel ® QAT: Virtual Function attached by user to userspace driver prior to Open vSwitch launch.
  • VDEV Crypto PMD: Created at runtime via VDEV init API.
RX Queue Pair Capabilities
  • Intel ® QAT: 2 queue pairs max per VF.
  • VDEV Crypto PMD: 8 queue pairs max by default.
DPDK PMD requirements
  • Intel ® QAT: Intel ® QAT device; CONFIG_RTE_LIBRTE_PMD_QAT
  • VDEV Crypto PMD: Intel ® Multi-Buffer Crypto for IPsec; CONFIG_RTE_LIBRTE_PMD_AESNI_MB, CONFIG_RTE_LIBRTE_PMD_AESNI_GCM
13. Design Considerations cont.
Asynchronous Operations
• Cryptodev operations are asynchronous regardless of HW/SW device, i.e.
  • User configures 6 crypto ops and enqueues them to the crypto device (rte_cryptodev_enqueue_burst()).
  • User requests to dequeue the 6 crypto ops from the crypto device (rte_cryptodev_dequeue_burst()).
  • May not receive 6 crypto ops on dequeue.
16. Future Work
• Add GCM combined mode support.
• Add IPsec Tunnel support.
• IKEv2: Support for dynamic re-keying.
  • Integrating with StrongSwan userspace plugin.
  • Community opinion on 3rd party support for feature.
• OVS architecture changes.
  • Packet batching with tunnels to replace single encap/decap.
• Integration with RTE_Security.
  • Enables HW acceleration for inline crypto.