Efficient Multi-Core Implementation of the IPsec Encapsulating Security Payload Protocol for a Single Security Association

As the mobile Internet traffic increases, the workload of the base stations processing this traffic increases with it. To cope with this, the telecommunication providers responsible for the systems deployed in these base stations have looked to parallelism. This, together with the fact that these pr...

Full description

Bibliographic Details
Main Authors: Hellsing, Mattias, Albin, Odervall
Format: Others
Language:English
Published: Linköpings universitet, Programvara och system 2018
Subjects:
Online Access:http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-151984
id ndltd-UPSALLA1-oai-DiVA.org-liu-151984
record_format oai_dc
spelling ndltd-UPSALLA1-oai-DiVA.org-liu-1519842018-10-16T06:02:19ZEfficient Multi-Core Implementation of the IPsec Encapsulating Security Payload Protocol for a Single Security AssociationengEffektiv, flerkärnig implementation av IPsec Encapsulating Security Payload protokollet för en Security AssociationHellsing, MattiasAlbin, OdervallLinköpings universitet, Programvara och systemLinköpings universitet, Programvara och system2018Telecom 5G Eventdev Data Stream ProcessingComputer SciencesDatavetenskap (datalogi)As the mobile Internet traffic increases, the workload of the base stations processing this traffic increases with it. To cope with this, the telecommunication providers responsible for the systems deployed in these base stations have looked to parallelism. This, together with the fact that these providers have a vested interest in protecting their users' data from potential attackers, means that there is a need for efficient parallel packet processing software which handles encryption as well as authentication. A well known protocol for encryption and authentication of IP packets is the Encapsulating Security Payload (ESP) protocol of the IPsec protocol suite. IPsec establishes simplex connections, called Security Associations (SA), between entities that wish to communicate. This thesis investigates a special case of this problem where the work of encrypting and authenticating the packets within a single SA is parallelized. This problem was investigated by developing and comparing two multi-threaded implementations based on the Eventdev, an event driven programming library, and ring buffer libraries of Data Plane Development Kit (DPDK). One additional Eventdev-based implementation was also investigated which schedules linked lists of packets, instead of single packets, in an attempt to reduce the overhead of scheduling packets to the worker cores. These implementations were then evaluated in terms of throughput, latency, speedup, and last level cache miss rates. The results showed that the ring buffer-based implementation performed the best in all metrics while the single packet-scheduling Eventdev-based implementation was outperformed by the one using linked lists of packets. It was shown that the packet generation, which was done by the receiving core, was the main limiting factor for all implementations. In addition, the memory resources such as the memory bus, memory controller and prefetching hardware were shown to likely be an area of contention and a possible bottleneck as the packet generation rate increases. The conclusion drawn from this was that a parallelized packet retrieval solution such as Receive Side Scaling (RSS) together with minimizing memory resource contention is necessary to further improve performance. Student thesisinfo:eu-repo/semantics/bachelorThesistexthttp://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-151984application/pdfinfo:eu-repo/semantics/openAccess
collection NDLTD
language English
format Others
sources NDLTD
topic Telecom 5G Eventdev Data Stream Processing
Computer Sciences
Datavetenskap (datalogi)
spellingShingle Telecom 5G Eventdev Data Stream Processing
Computer Sciences
Datavetenskap (datalogi)
Hellsing, Mattias
Albin, Odervall
Efficient Multi-Core Implementation of the IPsec Encapsulating Security Payload Protocol for a Single Security Association
description As the mobile Internet traffic increases, the workload of the base stations processing this traffic increases with it. To cope with this, the telecommunication providers responsible for the systems deployed in these base stations have looked to parallelism. This, together with the fact that these providers have a vested interest in protecting their users' data from potential attackers, means that there is a need for efficient parallel packet processing software which handles encryption as well as authentication. A well known protocol for encryption and authentication of IP packets is the Encapsulating Security Payload (ESP) protocol of the IPsec protocol suite. IPsec establishes simplex connections, called Security Associations (SA), between entities that wish to communicate. This thesis investigates a special case of this problem where the work of encrypting and authenticating the packets within a single SA is parallelized. This problem was investigated by developing and comparing two multi-threaded implementations based on the Eventdev, an event driven programming library, and ring buffer libraries of Data Plane Development Kit (DPDK). One additional Eventdev-based implementation was also investigated which schedules linked lists of packets, instead of single packets, in an attempt to reduce the overhead of scheduling packets to the worker cores. These implementations were then evaluated in terms of throughput, latency, speedup, and last level cache miss rates. The results showed that the ring buffer-based implementation performed the best in all metrics while the single packet-scheduling Eventdev-based implementation was outperformed by the one using linked lists of packets. It was shown that the packet generation, which was done by the receiving core, was the main limiting factor for all implementations. In addition, the memory resources such as the memory bus, memory controller and prefetching hardware were shown to likely be an area of contention and a possible bottleneck as the packet generation rate increases. The conclusion drawn from this was that a parallelized packet retrieval solution such as Receive Side Scaling (RSS) together with minimizing memory resource contention is necessary to further improve performance.
author Hellsing, Mattias
Albin, Odervall
author_facet Hellsing, Mattias
Albin, Odervall
author_sort Hellsing, Mattias
title Efficient Multi-Core Implementation of the IPsec Encapsulating Security Payload Protocol for a Single Security Association
title_short Efficient Multi-Core Implementation of the IPsec Encapsulating Security Payload Protocol for a Single Security Association
title_full Efficient Multi-Core Implementation of the IPsec Encapsulating Security Payload Protocol for a Single Security Association
title_fullStr Efficient Multi-Core Implementation of the IPsec Encapsulating Security Payload Protocol for a Single Security Association
title_full_unstemmed Efficient Multi-Core Implementation of the IPsec Encapsulating Security Payload Protocol for a Single Security Association
title_sort efficient multi-core implementation of the ipsec encapsulating security payload protocol for a single security association
publisher Linköpings universitet, Programvara och system
publishDate 2018
url http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-151984
work_keys_str_mv AT hellsingmattias efficientmulticoreimplementationoftheipsecencapsulatingsecuritypayloadprotocolforasinglesecurityassociation
AT albinodervall efficientmulticoreimplementationoftheipsecencapsulatingsecuritypayloadprotocolforasinglesecurityassociation
AT hellsingmattias effektivflerkarnigimplementationavipsecencapsulatingsecuritypayloadprotokolletforensecurityassociation
AT albinodervall effektivflerkarnigimplementationavipsecencapsulatingsecuritypayloadprotokolletforensecurityassociation
_version_ 1718773972498120704