Cryptodev - DPDK


cryptodev: Overview, status & future work
Declan Doherty
DPDK Summit Userspace – Dublin, Oct 2016

cryptodev Overview

Overview
- Framework for processing symmetric crypto workloads in DPDK.
- Defines a standard API which supports both hardware accelerated lookaside and software based crypto processing.
- Underlying method of crypto operation processing is transparent to user application, allowing migration of work from hardware to software dynamically.
- Poll mode driver infrastructure for crypto devices.
- Supports cipher, authentication and AEAD symmetric crypto operations.
- Supports provisioning of chained cipher / authentication operations.
- Provides session management APIs.
- Asynchronous burst processing API to amortise the cost of crypto operations across multiple packets and also to maximise performance when offloading to hardware accelerators.

Crypto processing pipeline (figure). Stage labels: Ingress Packet, Lookup Session, Create Op, Attach Session, Attach Packet, Set s Packet, Free Crypto Op

API Components (figure). Labels: DPDK CRYPTODEV API, Symmetric Algorithms Definitions, Symmetric Session Management, Queue g, Operation Processing Enqueue/Dequeue

Application Crypto Packet Processing Flow

cryptodev Development

Feature delivery since userspace '15
Releases: R2.2, R16.04, R16.07, R16.11
- Cryptodev Experimental Release
- AESNI MB PMD, QAT PMD
- Cryptodev Stable Release
- Added AESNI GCM PMD, NULL PMD, Snow3G PMD
- Algorithm enablement QAT PMD
- Kasumi PMD
- QAT PMD algorithm enablement
- Kasumi PMD
- Openssl PMD
- QAT PMD algorithm enablement
* QAT: Intel(R) QuickAssist Technology

Changes from experimental release
- Moved from an rte_mbuf oriented burst API

    uint16_t rte_cryptodev_enqueue_burst(dev_id, qp_id, struct rte_mbuf **pkts, uint16_t nb_pkts);
    uint16_t rte_cryptodev_dequeue_burst(dev_id, qp_id, struct rte_mbuf **pkts, uint16_t nb_pkts);

  to an rte_crypto_op burst API

    uint16_t rte_cryptodev_enqueue_burst(dev_id, qp_id, struct rte_crypto_op **ops, uint16_t nb_ops);
    uint16_t rte_cryptodev_dequeue_burst(dev_id, qp_id, struct rte_crypto_op **ops, uint16_t nb_ops);

- Simplified mbuf management, no need for extra metadata on mbuf. No requirement to check if crypto op needs to be freed on freeing of mbuf.
- Also stopped elements of cryptodev code being introduced into other parts of DPDK library code.

Crypto Poll Mode Drivers
- crypto_aesni_gcm – AESNI / vectorised accelerated software PMD
- crypto_aesni_mb – AESNI / vectorised accelerated software PMD
- crypto_kasumi – Vectorised accelerated software PMD
- crypto_openssl – PMD which shims crypto operations into OpenSSL's libcrypto
- crypto_null – software PMD
- crypto_qat – Intel QuickAssist Technology hardware accelerator
- crypto_snow3g – Vectorised accelerated software PMD
- crypto_zuc – Vectorised accelerated software PMD

Supported Algorithms (table; columns: Algorithm, QAT*, SW VECTORIZED, SW LEGACY)
Algorithms listed: AES GMAC 128-bit, 3DES CBC 128-bit, AES GMAC 192-bit, 3DES CBC 192-bit, AES GMAC 256-bit, 3DES CTR 128-bit, AES XCBC 128-bit, KASUMI F9, 3DES CTR 192-bit, AES CBC 128-bit, MD5, MD5 HMAC, SHA1, SHA1 HMAC, SHA224, SHA224 HMAC, SHA256, SHA256 HMAC, SHA384, SHA384 HMAC, SHA512, AES CBC 192-bit, AES CBC 256-bit, AES CTR 128-bit, AES CTR 192-bit, AES CTR 256-bit, KASUMI F8, NULL, SNOW3G UEA2, ZUC EEA3, AES GCM 128-bit, SHA512 HMAC, SNOW3G UIA2, AES GCM 192-bit, AES GCM 256-bit, ZUC EEA3
* QAT: Intel(R) QuickAssist Technology

cryptodev Future Work

Framework / PMDs
- Adding rte_mbuf scatter-gather support to all software crypto PMDs
- Migration of crypto_aesni_gcm to ISA-L crypto, enabling AES-GCM 256-bit
- Cipher only / authentication only operations to crypto_aesni_mb
- PCI Hot-plug support to framework
- Crypto operation performance optimisations

Crypto Performance Application
- New application to enable benchmarking of crypto PMD performance on any system.
- Modular to allow any crypto PMD to be tested if it can support the algorithm combination.
- Allows configuration of all components of the PMD and all configuration of elements of the crypto operations to be executed.
- Will support throughput and latency measurement initially.

    ./crypto-perf <eal options> -- --ptest throughput --devtype crypto_aesni_gcm \
        --optype aead --cipher-algo aes-gcm --cipher-op encrypt --cipher-key-sz 16 \
        --auth-algo aes-gcm --auth-op generate --auth-key-sz 16 --auth-aad-sz 12 \
        --auth-digest-sz 16 --total-ops 10000000 --silent --burst-sz 32 --buffer-sz 2048

Crypto Scheduler
- Allows multiple crypto devices to be slaved under a single device.
- Investigating per queue, per flow and per packet scheduling paradigms.
- Pluggable scheduling/ordering logic, may allow user to define their own scheduler and dynamically load.
- Many scheduling modes being investigated:
  - fat flow – load balancing a single flow across multiple hardware accelerators
  - sw fallback – allow flows to be processed on core when hw accelerator is oversubscribed.
  - per packet scheduling – packet size / session type and PMD utilization used to decide crypto PMD to use.
  - distributor – balance across many cores for sw crypto
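The sw fallback and ordering ideas above, as an added example that is not from the slides or from DPDK: a self-contained C model in which a device is a bounded FIFO and the enqueue call returns how many ops it accepted, as the slide's burst API does. All names (struct dev, sched_enqueue, sched_dequeue) are hypothetical, and the model assumes every queued op has already completed, which real asynchronous hardware does not guarantee.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model with hypothetical names, not DPDK code: a device is a bounded FIFO. */
#define QSZ 8
struct op  { uint32_t seq; int dev_id; };            /* dev_id: who processed it */
struct dev { struct op *q[QSZ]; uint16_t head, count, depth; int id; };

/* Same contract as the slide's enqueue burst: returns how many ops were
 * accepted, which can be fewer than nb_ops when the queue is full. */
uint16_t enqueue_burst(struct dev *d, struct op **ops, uint16_t nb_ops) {
    uint16_t n = 0;
    for (; n < nb_ops && d->count < d->depth; n++, d->count++)
        d->q[(d->head + d->count) % QSZ] = ops[n];
    return n;
}

/* "sw fallback": offer the burst to hardware, hand the rest to software.
 * The return value still has to be checked: both queues may be full. */
uint16_t sched_enqueue(struct dev *hw, struct dev *sw, struct op **ops, uint16_t nb) {
    uint16_t n = enqueue_burst(hw, ops, nb);
    return n + enqueue_burst(sw, ops + n, nb - n);
}

/* "ordering logic": each device is FIFO, so merging the two queue heads by
 * sequence number returns ops in their original ingress order. */
uint16_t sched_dequeue(struct dev *hw, struct dev *sw, struct op **out, uint16_t nb) {
    uint16_t n = 0;
    while (n < nb && (hw->count || sw->count)) {
        struct dev *d = hw;
        if (!hw->count || (sw->count && sw->q[sw->head]->seq < hw->q[hw->head]->seq))
            d = sw;
        out[n] = d->q[d->head];
        out[n++]->dev_id = d->id;
        d->head = (d->head + 1) % QSZ;
        d->count--;
    }
    return n;
}

int main(void) {
    struct dev hw = { .depth = 4, .id = 0 }, sw = { .depth = 8, .id = 1 };
    struct op ops[6], *in[6], *out[6];
    for (int i = 0; i < 6; i++) { ops[i].seq = (uint32_t)i; ops[i].dev_id = -1; in[i] = &ops[i]; }
    int sent = sched_enqueue(&hw, &sw, in, 6);       /* hw takes 4, sw takes 2 */
    int got = sched_dequeue(&hw, &sw, out, 6);
    printf("sent=%d got=%d last seq=%u on dev %d\n", sent, got, out[5]->seq, out[5]->dev_id);
    return 0;
}
```

An op that neither queue accepts is still owned by the caller, which has to retry or drop it explicitly.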

Crypto Scheduler PMD (architecture figure). Labels: Application Code; DPDK API; Extended Crypto Scheduler API; Cryptodev API; CRYPTO SCHEDULER PMD (load balancing, ordering logic, scheduling logic: round robin, flow/packet based, custom); AESNI MB PMD (IPsec MB.a); QAT PMD; Kernel / Userspace Boundary; QAT PF Driver; igb_uio/vfio; Intel VT-d; HW / SW Boundary; PF, VF; Intel QuickAssist Technology Accelerator. Legend: Process, Application Code, DPDK Userspace Poll Mode Driver, Kernel Module / Device Driver, Physical Device.

Questions?
Declan Doherty
declan.doherty@intel.com

Enabling IPSec Cryptodev Offload
Sergio González Monroy
Network Software Engineer @ Intel
DPDK Summit Userspace - Dublin - 2016

Agenda
- IPSec Development
- Enabling Cryptodev in FD.IO/VPP
- Preliminary Performance
- Future Work
- Questions

IPSec Development
- DPDK 16.04: IPSec-secgw sample app; basic data path functionality; AES-CBC; HMAC-SHA1-96; ESP tunnel
- VPP 16.06: OpenSSL libcrypto; IKEv2 (responder only); Anti-Replay Window; Extended Sequence Number (ESN); Nested SAs; IPSec interface (VPN)
- DPDK 16.07: Transport Mode; IPv6 support
- VPP 16.09: L2GRE over IPSec
- DPDK 16.11: AES-GCM; AES-CTR; Config file
- VPP 17.01: Enable Cryptodev; AES-GCM; Dynamic Anti-Replay Window

Enabling Cryptodev in FD.IO/VPP
VPP IPSec interface graph – outbound path (figure). Node labels: ip4 input, interface output, if-output, if-tx, ipsec-if output, esp encrypt, TUNNEL.

Enabling Cryptodev in FD.IO/VPP
VPP graph with cryptodev nodes (figure). Node labels: ip4 input, interface output, if-output, dpdk-esp encrypt post. Annotations:
- Configure Crypto operation and submit packet for crypto processing
- Poll crypto devices (AESNI, QAT etc.) for processed packets
- Complete processing for Crypto packet e.g. next header type after decryption

Test Setup
Figure: Traffic Generator and DUT (Patched VPP), exchanging Cleartext Traffic and Ciphertext Traffic.
- Intel Xeon DP-based Server (2 CPU sockets).
- Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz (Haswell)
- 18 physical cores per CPU (i.e. per socket)
- 128 GB DDR4 RDIMM Crucial Server capacity 64 GB RAM (16 x 8 GB). Tested with 128 G
- 1 x Intel 82599 10 Gigabit Ethernet Controller
- 1 x Intel Corporation DH895XCC Series Intel QuickAssist Technology (Coletto Creek)
- Operating System: Ubuntu 16.04, Kernel version: 4.4.0-22-generic
- VPP commit ID: 154d445f7f8f1553d9bb00d1be42bf1b06eda9f1
- Intel(R) DPDK 16.04
- Single data processing core
- All hardware local to socket
BIOS Settings (table). Settings listed: Enhanced Intel SpeedStep, Processor C3, Processor C6, Intel Hyper-Threading Technology (HTT), Intel Virtualization Technology, Intel Virtualization Technology for Directed I/O, MLC Streamer, MLC Spatial Prefetcher, DCU Data Prefetcher, DCU Instruction Prefetcher, Direct Cache Access (DCA), CPU Power and Performance Policy, Memory Power, Intel Turbo boost, Memory RAS and Performance Configuration - NUMA Optimized. Values appearing in the table: DISABLED, Performance, Optimized, OFF, ENABLED.
Results will vary depending on software, workloads and system configuration

VPP Configuration

    set int ip address TenGigabitEthernet86/0/0 192.168.10.1/24
    set int promiscuous on TenGigabitEthernet86/0/1
    set int ip address TenGigabitEthernet86/0/1 192.168.1.1/24
    set int promiscuous on TenGigabitEthernet86/0/1
    create ipsec tunnel local-ip 192.168.1.1 local-spi 1111 remote-ip 192.168.1.2 remote-spi c0
    ipsec0
    local crypto aes-cbc-128 2b7e151628aed2a6abf7158809cf4f3d
    local integ sha1-96 6867666568676665686766656867666568676669
    remote crypto aes-cbc-128 2b7e151628aed2a6abf7158809cf4f3d
    remote integ sha1-96 6867666568676665686766656867666568676669
    ip route add 192.168.20.2/32 via ipsec0
    set ip arp TenGigabitEthernet86/0/0 192.168.1.2 90:e2:ba:b0:dc:69
    set int state TenGigabitEthernet86/0/1 up
    set int state TenGigabitEthernet86/0/0 up
    set int state ipsec0 up

Early Development Performance
Figure: DPDK & VPP IPsec Encryption Throughput (AES128-SHA1). Y axis: % 10G line rate. X axis: packet size (64, 128, 256, 512, 1024, 1280, 1420). Series: VPP, Intel VPP. Annotation: Test Setup Limitation.
Results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.
All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.

Future Work
- Cryptodev Load-Balancer/Scheduler
- Crypto PMDs improvements
- Support for more crypto algorithms
- Scatter-Gather List Support

Questions?
Sergio González Monroy
sergio.gonzalez.monroy@intel.com

Legal Disclaimers
No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.
Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.
This document contains information on products, services and/or processes in development. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest forecast, schedule, specifications and roadmaps.
Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com.
2016 Intel Corporation. Intel, the Intel logo, Intel. Experience What's Inside, and the Intel. Experience What's Inside logo are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
