Virtio IPsec Acceleration Implementation Details


Explore the Virtio IPsec-LA PoC implementation showcasing Fastpath packet processing, Linux kernel offload, g-API for IPSec management, and hardware acceleration for efficient IPsec packet handling. Learn about setting up IPsec VNF on Freescale LS2085RDB to facilitate encrypted traffic between LAN and WAN sides.

  • Virtio
  • IPsec
  • Acceleration
  • Implementation
  • Security


Presentation Transcript


  1. Virtio-IPsec-LA PoC Implementation
     Subha Venkataramanan, Denis Crasta, Srini Addepalli
     subhaav@freescale.com, denis.crasta@freescale.com

  2. Virtio-IPsec-LA PoC Setup
       • Freescale LS2085RDB
           • Hosts the IPsec VNF
           • Implements Virtio-IPsec-LA acceleration
       • Another laptop (LT2) is used for the remote GW; IPsec is implemented in Linux
       • Laptop LT1 is used to generate clear traffic from the LAN side
     [Diagram labels: LT1; LAN side (clear traffic); LS2085RDB (IPsec GW in VNF using look-aside IPsec acceleration implemented in Freescale LS2085RDB); WAN side (encrypted traffic); Remote IPsec GW LT2]

  3. Virtio-IPsec-LA PoC implementation details
       • Fastpath
           • Receives packets from virtio-net devices and does forwarding and IPsec
           • Registers with the Linux kernel for offload of flows, routes and SAs
           • Both of the above are facilitated by the fastpath patch to the Linux kernel
       • Virtio-IPsec Frontend
           • IPsecFP uses the g-API to access the virtio-IPsec device
       • Virtio-IPsec Backend
           • Uses the user mode driver for the IPsec accelerator hardware
     [Diagram: IPsec Packet Processing, Look Aside Accelerator Flow. Labels: VNF; LAN side (clear) traffic; WAN side (encrypted) traffic; Look-aside IPsec Path; SW Interfaces; Linux Kernel (iptables, route, IPsec); IPsecFP FastPath; IPsec g-API; Virtio-net Frontend (two instances); Virtio-IPsec Frontend; Host Linux User; QEMU; VRING; Virtio-IPsec Backend; Transport; Host Linux Kernel; VHOST-NET; KVM; br1; br0; Hardware; IPsec Accelerator; Hardware NICs; To LAN side LT1; To peer IPsec GW (LT2)]

  4. g-API for IPSec
       • Management API
           • g_ipsec_la_get_api_version(): Get the API version
           • g_ipsec_la_avail_devices_getinfo(): Get the information on available devices
           • g_ipsec_la_active_devices_getinfo(): Get the information on active devices
           • g_ipsec_la_open(): Open a device
           • g_ipsec_la_close(): Close a device
           • g_ipsec_la_group_create(): Create a logical group for grouping SAs
           • g_ipsec_la_group_delete(): Delete a logical group
       • Control API
           • g_ipsec_la_capabilities_get(): Get the capabilities of the underlying devices
           • g_ipsec_la_sa_add(): Add SA
           • g_ipsec_la_sa_del(): Delete SA
           • g_ipsec_la_sa_mod(): Modify SA
           • g_ipsec_la_sa_flush(): Flush SA
           • g_ipsec_la_sa_get(): Read and traverse SAs
           • g_ipsec_la_notifications_hook_register(): Register hooks for optional notifications such as sequence number overflow or lifetime-in-kilobytes expiry
       • Data API
           • g_ipsec_la_packet_encap(): Send a packet for encapsulation
           • g_ipsec_la_packet_decap(): Send a packet for decapsulation
           • g_ipsec_la_mult_packet_encap(): Send multiple packets for encapsulation
           • g_ipsec_la_multi_packet_decap(): Send multiple packets for decapsulation

  5. OPNFV Introduction
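Slide 4's notification hook reports sequence number overflow and lifetime-in-kilobytes expiry. The following added example (not from the presentation and not g-API code) models the per-SA accounting that raises such events for a 32-bit ESP sequence number without ESN. All type and function names are hypothetical, and the soft/hard lifetime split is the usual IPsec convention, assumed here.

```c
#include <stdint.h>

/* Hypothetical names throughout; these are not g-API types or signatures. */
enum sa_event { SA_EV_SOFT_KB = 1, SA_EV_HARD_KB = 2, SA_EV_SEQ_OVERFLOW = 4 };
typedef void (*sa_notify_cb)(uint32_t spi, enum sa_event ev, void *ctx);

struct sa_state {
    uint32_t spi, seq;          /* seq: last ESP sequence number used (no ESN) */
    uint64_t bytes;             /* bytes protected so far */
    uint64_t soft_kb, hard_kb;  /* lifetime limits in kilobytes, 0 = unlimited */
    int soft_fired, dead;       /* dead: SA must not protect further packets */
    sa_notify_cb cb; void *ctx; /* registered notification hook and its context */
};

static int sa_retire(struct sa_state *sa, enum sa_event ev)
{
    sa->dead = 1;
    if (sa->cb) sa->cb(sa->spi, ev, sa->ctx);
    return -1;
}

/* Account for one outbound packet: 0 = may be protected, -1 = SA exhausted. */
int sa_account_encap(struct sa_state *sa, uint32_t len)
{
    if (sa->dead) return -1;
    if (sa->seq == UINT32_MAX)                 /* next number would wrap to 0 */
        return sa_retire(sa, SA_EV_SEQ_OVERFLOW);
    if (sa->hard_kb && sa->bytes + len > sa->hard_kb * 1024)
        return sa_retire(sa, SA_EV_HARD_KB);
    sa->seq++; sa->bytes += len;
    if (sa->soft_kb && !sa->soft_fired && sa->bytes >= sa->soft_kb * 1024) {
        sa->soft_fired = 1;                    /* one-shot: time to rekey */
        if (sa->cb) sa->cb(sa->spi, SA_EV_SOFT_KB, sa->ctx);
    }
    return 0;
}

static void record(uint32_t spi, enum sa_event ev, void *ctx)
{ (void)spi; *(unsigned *)ctx |= (unsigned)ev; }

/* Constructed run: offer npkts packets; returns (accepted << 8) | event mask. */
unsigned run_constructed(uint32_t seq0, uint64_t soft_kb, uint64_t hard_kb,
                         int npkts, uint32_t len)
{
    unsigned mask = 0, accepted = 0;
    struct sa_state sa = { 0x1001, seq0, 0, soft_kb, hard_kb, 0, 0, record, &mask };
    while (npkts-- > 0)
        accepted += (sa_account_encap(&sa, len) == 0);
    return (accepted << 8) | mask;
}
```

The soft event leaves the SA usable so a replacement can be negotiated, while the hard and overflow events stop further use of the SA.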
