BUD17-306 ODP IPsec Offload Panel

LNG ODP Development Team

ENGINEERS AND DEVICES

WORKING TOGETHER

ParticipantsApplication Perspective● Petri Savolainen, Nokia● Bogdan Pricope, Enea

Implementer Perspective● Bala Manoharan, Cavium● Nikhil Agarwal, NXP

Moderator● Bill Fischofer, Linaro

ENGINEERS AND DEVICESWORKING TOGETHER

IPsec Offload Goals - Lookaside Processing

Synchronous:odp_ipsec_in() for decryptodp_ipsec_out() for encrypt

Asynchronous:odp_ipsec_in_enq() for decryptodp_ipsec_out_enq() for encrypt

ENGINEERS AND DEVICESWORKING TOGETHER

IPsec Offload Goals - Offload Processing

ENGINEERS AND DEVICES

WORKING TOGETHER

Application Perspective

ENGINEERS AND DEVICES

WORKING TOGETHER

Application level entities

● Security Policy Database (SPD-I, SPD-O, SPD-S)

● Security Association Database (inbound, outbound)

● Cache inbound (optional) meant for multicast traffic

● Cache outbound● Custom key management (interaction)

support

Application

ODP

SPDs

SADs

Cache inbound

Cache outbound

Custom key management

ENGINEERS AND DEVICES

WORKING TOGETHER

Asynchronous processing

odp_threadprocessing loop

odp_threadprocessing loop

OursESPAH

Packetodp_ipsec_in_enq()unicast

Cache inbound SA search

multicast

SAD checkAsync event Process next headerProcess

result

Inbound processing

Outbound processing

Packet processing

Cache outbound

Packet found, protectodp_ipsec_out_enq()

odp_threadprocessing loop

Async event

Process result Send packet

Encrypted packet

SPD

not foundKey mgmt

ENGINEERS AND DEVICES

WORKING TOGETHER

Implementation Perspective

ENGINEERS AND DEVICES

WORKING TOGETHER

IPSEC LOOKASIDE API offerings

● Complete IPSEC state machine in ODP(HW)● Pushing IPSEC tunnel headers in HW.● Expose HW accelerators via common ODP APIs.● IPSEC bottlenecks are offloaded in HW for

performance including:○ Sequence number update○ Random IV○ Anti replay checks○ ICV checksum○ Crypto operations

HW crypto Engine with protocol assist

ESP or AH?

SA Lookup

Policy lookup

ODP_PKTIO_ENQIPSEC_OUT_ENQIPSEC_IN_ENQODP_schedule

Route Lookup

Event type?

IPSEC needed?

Enqueue to crypto engine

Pktio-OutPktio-IN

Packet

IPSEC_EVENT No

Yes

Yes

NoCheck IPSEC result

Implementation Domain vs Application Domain

ENGINEERS AND DEVICES

WORKING TOGETHER

IMIX Traffic Performance Comparison

ENGINEERS AND DEVICES

WORKING TOGETHER

Work in Progress:ODP Inline offload APIs

HW crypto Engine with

protocol assistSA Lookup

Policy lookup

ODP_PKTIO_ENQODP_schedule

Route Lookup

Event type?

IPSEC needed?

Pktio-OutPktio-IN

Packet

IPSEC_EVENT

No

Yes

Yes

No

Check IPSEC result

ESP or AH?

Implementation Domain vs Application Domain

ENGINEERS AND DEVICES

WORKING TOGETHER

IPSEC INLINE API proposals

● Packets received directly by IPsec offload engine● SPI based lookup for inbound traffic● Classification rules run on Decrypted IPsec packets

before sending to application● Packets can be transmitted directly through PKTIO

after encryption● Packets could also be sent through Traffic Manager

queues for transmission

ENGINEERS AND DEVICES

WORKING TOGETHER

IMIX Traffic Performance Comparison

Thank You#BUD17

For further information: www.linaro.orgBUD17 keynotes and videos on: connect.linaro.org