Accelerated Network IPSec Stack for VyOS / OpenWRT -- for Routing / Firewall Devices
One of the key issues in the Networking industry is Routing throughput, or the performance of a Firewall gateway. Paxym's team developed the Accelerated Network Stack when challenged with such problems while working on Projects with the VyOS, OpenWRT, Debian and other distributions. The Accelerator Stack bypasses the Kernel completely and is implemented as Multi-core Data-Plane software.
On the Intel x86 family of CPUs, the Stack uses extra CPU Cores to run the Data-Plane software with the DPDK framework. On Cavium's OCTEON Network CPU, it uses the extra MIPS64 cores to run our Data-Plane software in Simple-Exec (SE, SE2) modes.
In both cases, the Control-Plane, running Linux, is in full control of Network configuration, Network Administration, Statistics and Monitoring.
We've implemented an increasing number of Network features in the Accelerated Stack to serve our Customers. The stack performs Line-rate switching of IPv4 and IPv6 packets, along with singly and dually tagged VLAN headers, under most conditions we tested. The stack also performs most Firewall functions, including NAT, ACL, Traffic Shaping, Netfilter-controlled features, etc.
The Control-Plane for our past Customers ran a mix of Routing daemons (BGP, IS-IS, LDP, OSPF, RIP, etc.), along with DHCP, DNS, NTP, NAT, PPPoE, BusyBox, GRE Tunnels, L2TP, etc.
The Data-Plane is highly optimized to provide best-in-class Forwarding performance:
- Highly optimized Data-Plane engine
- Data-Plane implemented in portable software running in the DPDK framework (x86) or Simple-Exec (OCTEON)
- Control-Plane Network topology fully replicated to the Data-Plane, both initial state and dynamic updates.
- Complete Packet/Byte statistics and accounting visible from Control-Plane.
- Full Operational Management from Linux UI.
- Firewall features offload in the Accelerator Stack, including NAT, ACL, QoS, Traffic-shaping
Optional add-ons:
- GREv2 tunnels offload
- IPSec offload in Accelerator Fast-path
IPSec offload
- IPSec acceleration includes complete IPSec handling in the Accelerator fast-path (utilizing Intel Crypto Assists or OCTEON crypto private instructions)
- Support for AES-128 and AES-256 with the AES-GCM variant, MD5/SHA-1/SHA-2, etc.
- Integration with strongSwan in Control-Plane User-space for IPSec tunnel establishment and tear-down
- IPSec Fast-path works with IKE and IKEv2, which populate the Accelerator tables (SADB, Tunnels DB, etc.)
Other details
- OCTEON MIPS64: No-loss performance testing and tuning for 64B, 300B, 1500B packet sizes on 1 core, 2 cores and 3 cores, with 1000s of flows.
- OCTEON MIPS64: Excellent scaling from 1 to 15 cores.
- Support for Gigabit PHYs from multiple vendors: Microsemi, Marvell, Broadcom, etc.
Paxym, Inc. is a Software Development and Testing Services Company. It provides Consulting Services to its Customers in the areas of Cloud Software, Web Front and Back-End Applications, Network and Security Stacks, Linux and xBSD Kernel development, and Performance Tuning. Its Consultants also provide Solutions to a variety of computing problems using a combination of Software and Hardware.