It’s all about the money
Operators of telecom infrastructure, enterprise networks and data centers are increasingly exploring the deployment of network security functions as virtual appliances instead of physical appliances.
There are two obvious business drivers for this trend. The first is reduced CAPEX, resulting from the use of high-volume, standard hardware platforms rather than low-volume proprietary hardware. The second is reduced OPEX, thanks to the improved resource utilization achieved through virtualization. The major focus on Network Functions Virtualization (NFV) throughout the telecom industry is a strong indicator of the major cost savings that operators believe to be possible through this strategy of network virtualization.
Additions not replacements
At 6WIND, most of our customers are network equipment manufacturers and many are working on virtual security appliances, implementing functions like UTMs, IPSs, firewalls etc. But they typically view the virtual appliances as extensions to their current portfolio of physical appliances, rather than immediate replacements.
This makes perfect sense given that physical appliances are not going to disappear at any time in the near future. Realistically, we can expect to see the gradual introduction of virtual appliances in scenarios with compelling Return-on-Investment (like NFV), accompanied by exhaustive evaluations to ensure that the cost-performance and especially reliability meet the standards set by physical appliances.
Given our customers’ strategy of introducing virtual security appliances while maintaining their current portfolios of physical appliances, we place great importance on providing a comprehensive set of network protocols that can be deployed in both solutions, with consistent APIs, features and performance.
IPsec is a good example of a protocol that is critical for network security, and 6WIND provides an IPsec solution for both physical and virtual appliances. IPsec is widely used for VPNs in telecom infrastructure (LTE femto gateways, security gateways, GGSNs etc.) as well as in enterprise networking (UTMs, IPSs, firewalls etc.). There are also emerging use cases in multi-tenant data centers, where secure tunnels are increasingly adopted for VM-to-VM communication.
IPsec provides authentication (session management) and data confidentiality (encryption/decryption) at Layer 3. IPsec is actually a suite of protocols, including IKE (Internet Key Exchange), AH (Authentication Header) and ESP (Encapsulating Security Payload) amongst others, with the IPsec standard defining how these protocols communicate.
Offloads maximize CPU utilization
Within IPsec, 3DES, AES, SHA1 and MD5 are all resource-hungry algorithms used for authentication and encryption that are increasingly offloaded to specialized hardware-based engines. This offloading maximizes the availability of CPU resources for running applications, rather than security. Given the large variety of available processor platforms, supporting the appropriate crypto engine is not a simple task and requires a processor-agnostic approach for optimum efficiency. The 6WINDGate™ networking software integrates support for several widely-used crypto accelerators, including:
- Intel® Communications Chipset 89xx series “Cave Creek” (hardware acceleration)
- Intel® Multi Buffer Crypto for IPsec Library (software acceleration).
Advanced features, open configuration
6WINDGate provides a high performance IKE daemon, thereby increasing the tunnel establishment rate. The Security Association (SA) look-up mechanism is based on a 16-bit hash table. The Security Policy (SP) mechanism supports either a linear lookup, or a hash table lookup based on SP selector address prefixes, or a trie-based lookup, which can be selected and combined based on configurable thresholds.
6WINDGate also supports open, standard Linux-based APIs, enabling the SA and SP databases (SAD and SPD) to be configured by third-party IKE control plane modules. In order to minimize the latency of the system, both SPD and SAD are located in shared memory. Through its support of IKEv1, IKEv2 and Anti Replay features for security re-enforcement, as well as NAT traversal for enabling IPsec in complex networks, the 6WIND IPsec module addresses a wide range of common usage scenarios.
Industry-leading IPsec performance for physical appliances
Thanks to its optimized architecture and advanced features, 6WINDGate delivers industry-leading IPsec performance for physical appliances.
For example, on a 2.7GHz dual-socket Intel “Sandy Bridge” platform (two 8-core processors) with 16GB RAM, 6WINDGate achieves IPsec performance of 5.4 Gbps per core (1,420-byte packets), for a total platform performance of 73 Gbps using 14 cores.
(Why 14 cores? Because the reference platform has seven NICs and a configuration with seven cores represents the best way to balance the traffic.)
Besides the raw performance, the graph illustrates that the IPsec performance scales linearly with the number of cores configured to run the 6WINDGate fast path. This scalability is a key benefit of the 6WINDGate architecture, explained in more detail here.
What about IPsec for virtual appliances?
Stay tuned for the next post in this series, where we’ll explain how 6WINDGate addresses the networking performance constraints imposed by standard hypervisors and discuss the IPsec performance that 6WINDGate delivers for virtual security appliances.