6WINDGate™ - Powering the New-Generation of IPsec Gateways
1. v1.0 | ©6WIND 2014. All rights reserved. All brand names, trademarks and copyright information cited in this presentation shall remain the property of its registered owners.
SPEED MATTERS
2. The Promise Of 6WIND
• Enable open platform ecosystem to replace dedicated hardware with commodity servers and virtualization.
• Close the performance gap for Service Providers and Enterprises to upgrade their network architecture.
[Figure: Network Architecture Transformation. Dedicated Hardware And Software Platform (Rigid Platform, Long Time To Market, $$$ Expensive) to White Box Ecosystem and Virtualization (Open Platform, Inexpensive $, Rapid Services Creation).]
3. 6WIND Facts
• Best in class packet processing technology thanks to 6WIND deep expertise in networking and more than 150 man years of development.
• Since the first shipment of its 6WINDGate software in 2007, 6WIND has been selected and deployed by Blue Chip companies to unlock hidden infrastructure performance.
• 6WIND is an independent software vendor and 6WINDGate is the only heterogeneous networking stack to support major market-leading hardware platforms.
• 6WIND is privately held and headquartered in France, with offices in Asia and the US.
4. IPsec Gateways Are a Requirement to Secure IP Communications from Internet Attacks
Service Providers:
• Wireless offload schemes to extend coverage for subscribers expose mobile core networks to security threats and require secure connections
Cloud Providers:
• Data Center Virtualization solutions require secure connections across virtual networks
Enterprise Providers:
• Network equipment (physical and software appliances) must help secure connections across distributed data centers
5. Requirements for High Performance and Cost-Effective IPsec Gateways
Use of cost-effective hardware and software solutions
• Generic hardware platforms with high performance Ethernet NICs
• Hardware or software crypto acceleration
• Commercial or open source Linux distributions
High performance packet processing software for
• Network security features such as IPsec and IKE to sustain high network throughput of encrypted traffic
• A large number of protocols such as Layer 2 encapsulation, IPv6, routing, virtual routing, firewall, NAT, QoS… to easily integrate the IPsec gateway into a complete networking infrastructure
Flexible and extensible software architecture
• Develop physical IPsec Gateways and prepare the shift to virtualized solutions
• Open architecture to reuse in-house or third party application software
6. 6WINDGate on Standard Platforms: Paradigm Shift In Packet Processing Software
• Fastest performance on the market; in both physical and virtual environments
• Transparent, no change necessary to OS, hypervisor and management
• Available across all major platforms
• Native support for all major network protocols
7. 6WINDGate Removes Performance Bottlenecks
[Figure: Performance (Millions Of Packets Per Second) versus number of Fast Path Cores (1, 2, 3, ... 8, 9, 10, ...). Chart annotation: Standard Linux Becomes Unstable.]
• Increase OS stability by offloading resource intensive mundane tasks
• Performance benefits scale with the number of processing cores
8. Transparent to Operating System
[Figure labels: Networking Stack; Control Plane; Fast Path; Local info (shown twice); Fast path packet; Exception packet; Continuous synchronization; Synchronization modules.]
9. Available for Industry-Leading Processor Platforms
Architecture-independent “Fast Path Modules”
• Generic, processor-independent source code
• Cycle-level and pipeline-level optimizations
Architecture-specific "Fast Path Networking SDK"
• Zero-overhead API for fast path modules
• Support for processor-specific features and resources
• Leverages processor suppliers' SDKs
[Figure labels: Data Plane Fast Path on top of four FPN-SDK instances, one each for ZoL™, DPDK, Simple Exec and NetOS.]
10. 6WINDGate IPsec Architecture
[Figure labels: Linux Userland (IKEv1/v2); Linux Kernel (Linux Networking Stack with IPsec, IPv4/IPv6, IPsec SPD, IPsec SAD); Netlink notifications; Security table updates; Linux / fast path synchronization (configuration); Linux / fast path synchronization (statistics); Shared memory (IPsec SPD, IPsec SAD, IPsec IPv4/IPv6 statistics); Fast Path (IPsec, IPv4/IPv6, other FP modules); FPN-SDK; DPDK; 6WIND DPDK Crypto Framework (Cavium NITROX, Intel® Multi-Buffer, Intel® QuickAssist); Multicore Processor Platform.]
11. 6WINDGate DPDK Features and Benefits
Based on dpdk.org
6WINDGate DPDK add-ons available for increased system functionality, performance and reliability
Poll Mode Drivers for multi-vendor NICs
• Mellanox ConnectX-3® EN Series PMD
• Emulex OCE14102 PMD
Performance acceleration for virtualized networking
• Fast vNIC PMD
• VMXNET3 Guest VMware PMD
• VIRTIO Guest XEN-KVM PMD
Crypto acceleration modules that leverage
• Cavium NITROX SDK 5.x Crypto
• Intel® Multi-Buffer Crypto
• Intel® QuickAssist Crypto
[Figure: dpdk.org surrounded by three add-on groups (Virtualization acceleration, Crypto acceleration, Multi-vendor NIC support), each listing the PMDs and crypto modules above.]
12. Intel Multi-Buffer IPsec Test Results
6WINDGate IPsec performance (AES-128 HMAC-SHA1)
• 5.24 Gbps per core for 1420B packets
• Up to 193.27 Gbps using 40 cores
Performance scales linearly with the number of cores configured to run the fast path
13. Intel Cave Creek IPsec Test Results
6WINDGate IPsec using Quick Assist performance
• 3.52 Gbps per engine for 1420B packets
• Up to 40 Gbps (platform limit) using 16 engines
Performance scales linearly with the number of engines configured to process IPsec transformation
14. Cavium Nitrox IPsec Test Results
6WINDGate IPsec performance using Cavium Nitrox DPDK add-on
• Up to 20.23 Gbps for 1420 bytes
15. 6WINDGate for IPsec Gateways
• High performance IPsec stack to sustain encrypted traffic over several tens of thousands of IPsec tunnels with low-latency
• Optimal use of software and hardware crypto-acceleration for best price/performance
• High-capacity IKE control plane to manage several tens of thousands of IKE sessions on a single server
• High capacity for encapsulation protocols such as VLAN, PPP, L2TP and GRE…
• High performance and scalable IPv4 and IPv6 forwarding with virtual routing support for a large number of instances
• High performance and capacity firewall and NAT
16. Network Architecture Evolution
[Figure: three stages. Applications each on their own Proprietary Hardware Platform; several Applications on a Generic Hardware Platform; Applications running over Virtualization on Generic Hardware Platforms.]
17. 6WINDGate Extensions to IPsec Gateway Virtualization
[Figure labels: NICs; DPDK (Intel and multi-vendor NIC drivers); Host Driver; OVS Acceleration; Additional Features (L3 Routing, Firewall, NAT…); Virtual Switch; Fast vNIC PMD; Virtio PMD; Fast vNIC; Linux; Virtio; vIPsec Gateway; vRouter; Additional VNFs.]
Drivers for Virtual Appliance
• Fast vNIC drivers for high performance communications
• Standard drivers for existing VAs
• Extensible for all OSs
Accelerated Virtual Switch
• DPDK with multi-vendor NIC support
• OVS acceleration
• Extended network services
• Host driver for high performance communications
18. 6WIND’s Open Networking Platform For NFVI
• High performance switching aggregated bandwidth for VNFs without any modification in the virtual switch
• Hardware independent VNF network attachments for seamless network hardware upgrades and VNF migration
• Low-latency inter-VNF communications
• Enhanced features beyond switching (L3 forwarding, virtual routing, firewall, IPsec and more) for extended chaining capabilities
• Support for multi-vendor VNFs based on different OSs
19. Virtual Switch Acceleration
[Figure labels: Traffic Generator; 10 x 40 Gbps Full Duplex Traffic; Open vSwitch; Accelerated Open vSwitch; OpenFlow Controller.]
• No modification is required to OVS, OS, Hypervisor, Management
• L2 switching capability on 10 cores using 40G Ethernet
• 52 Mpps with 64 byte packets
• 195 Gbps with 1280 byte packets
20. Virtual Switch-Based NFVI: Lowest Latency and Flexible Chaining
[Figure labels: three Virtual Network Functions; PCI Express; Local NIC; External Switch; 50 Gbps; 6WINDGate Accelerated OVS; 500 Gbps.]
Physical Switching Limitations
• Hardware dependent switching (SR-IOV, RDMA, NIC embedded switching)
• Throughput is limited by PCI Express (50 Gbps) and faces PCI Express and DMA additional latencies
• Available PCI slots limit the number of chained VNFs
• At 30 Gbps a single VNF is supported per node!
Virtual Switching With 6WINDGate
• Hardware independent virtual switching (NIC driver)
• Aggregate 500 Gbps bandwidth with low latency
• No external limit to number of chained VNFs
21. 6WINDGate Module List
[Figure: module diagram with sections labelled Fast Path, Control Plane, High Availability and Distributed Arch. (fast path extensions, control plane extensions), over DPDK and FPN-SDK.]
Fast path modules: IPv4/IPv6 Forwarding, MPLS/VPLS Encapsulation, IPv4/IPv6 Multicast, Filtering IPv4/IPv6, IPsec SVTI, VLAN, Link Aggregation, NAT, GRE, TCP/UDP Termination, Flow Inspection, L2TP/PPPoE BRAS, GTP-U, VXLAN, Tunneling (IPinIP), IPsec IPv4/IPv6, Ethernet Bridging, QoS, OVS Acceleration
Control plane and high availability modules: BFD, SMR, L2TP, PPPoE BRAS, Routing, Virtual Routing, Security, VRRP, LACP, VPN, Monitoring, Firewall / NAT, ARP / NDP
DPDK add-ons: Fast vNIC PMD, VMXNET3 Guest VMware PMD, VIRTIO Guest XEN-KVM PMD, Intel® QuickAssist Crypto, Intel® Multi-Buffer Crypto, Cavium NITROX SDK 5.X Crypto, Mellanox ConnectX®-3 EN Series PMD, Emulex OCE14000 Series PMD
Callouts:
• Hardware platform independence
• Modular virtualization extensions
• Complete protocol portfolio for IPsec gateway
• Generic software
22. 6WIND Enables Cost-Effective IPsec Gateways for Enterprises and Service Providers
[Figure labels: 6WINDGate Powered IPsec Gateway and Firewall; DPDK on Linux; Hardware offload to Cavium Nitrox for IPsec; Commodity Hardware; x86 Processor; Hypervisor; Virtual IPsec Gateway and Firewall; IPsec Gateway and Firewall.]
• Software based appliance on custom hardware for additional performance
• Allows use of DPDK on multi-vendor NICs for crypto support
• Ready for fully virtual applications