
IPsec for high speed network links: Performance analysis and enhancements

Title
IPsec for high speed network links: Performance analysis and enhancements
Author
오희국
Keywords
IPsec; High speed network links security; Performance analysis; Bottlenecks in IPsec; DPDK
Issue Date
2020-06
Publisher
ELSEVIER
Citation
FUTURE GENERATION COMPUTER SYSTEMS-THE INTERNATIONAL JOURNAL OF ESCIENCE, v. 107, Page. 112-125
Abstract
Network packet security has always been a significantly important and well-researched topic, but network throughput and latency are not optimal on high-speed network links when using existing IPsec solutions. Network packet processing in the Linux kernel is significantly slow (especially for 10-G/40-G link speeds) due to the context switching associated with system calls and the transitional copy operations in packet traversal through all network layers. Control plane layered packet processing involves a copy operation per layer, which increases the packet processing time and consequently decreases the throughput of the network. In contrast to kernel networking, data plane solutions like DPDK (Data Plane Development Kit) provide direct access to packets (from the NIC) in user space, bypassing the kernel stack, with zero intermediate copy operations and no context switching. For normal packets, Intel DPDK claims a 10x improvement in throughput over kernel networking. Inspired by that remarkable efficiency, we have done an empirical evaluation of IPsec performance in the data plane. Towards this goal, we have primarily analyzed the performance effect of individual bottleneck modules of strongSwan (an IPsec implementation) by redesigning them with data plane equivalent modules. Secondarily, we have proposed an efficient solution for strongSwan using the DPDK API, which eliminates all previously identified bottleneck modules. In the proposed design, a multi-core design has been incorporated in the crypto module, and performance is analyzed in terms of throughput and latency. There is an improvement of up to 3.54x in throughput and a 2.54x improvement in latency compared to the existing control plane design. With AES128GCM as the encryption scheme, a maximum throughput of 4.795 Gbps is achieved while using only two cores. © 2020 Elsevier B.V. All rights reserved.
URI
https://www.sciencedirect.com/science/article/pii/S0167739X19323143?via%3Dihub
https://repository.hanyang.ac.kr/handle/20.500.11754/185769
ISSN
0167-739X;1872-7115
DOI
10.1016/j.future.2020.01.049
Appears in Collections:
ETC[S] > ETC
Files in This Item:
There are no files associated with this item.

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.
