Accelerate AIX IPsec with the help of Power in-core capability
Introduction
Advanced Crypto Facility (ACF) is a cryptographic framework which provides crypto services for both AIX kernel and the user space applications. The kernel services are provided through pkcs11 device driver (kernel extension), which abstracts the underlying crypto implementation.
User space applications typically can make use of ACF crypto services through a shared library /usr/lib/libclic.a
Starting from IBM Power 8 processor, a new set of VMX/VSX in-core symmetric cryptographic instructions are provided which are aimed to improve the performance of various cryptographic algorithms . ACF is a framework that provides cryptographic functionalities for both user space and kernel space components, ACF under the cover leverages Power in-core hardware accelerator or in other words make use of VMX/VSX instructions to expedite the encryption process. The leverage of hardware acceleration is done in a manner which is transparent to the callers.
Starting from AIX 7.3 TL 3, ACF is enhanced to make use of incore hardware accelerator for AES-GCM and GMAC algorithm. With this we observe a significant improvement in applications that make use of these algorithm though ACF. AIX IPsec is one of the exploiters of ACF and this blog post is further going to talk about improvements that were observed in a controlled LAB environment with specific system configuration.
IP Security (IPsec) is an open, standard security technology developed by the Internet Engineering Task Force (IETF). IPsec provides cryptography-based protection of all data at the IP layer of the communications stack for both the IP Version 4 and 6 environments. Protection of data traffic can be done through various configurable encryption algorithms. One of the most prominent and strongest IPsec configurable cipher mode is AES-GCM.
In this document, we will outline how IPsec performance is improved when it is configured with AES-GCM algorithm along with enabling ACF to use incore capabilities.
Configuration
Configuration involves two steps:
- Configuring ACF to utilize Hardware incore capabilities
- Establishing ipsec tunnels with AES-GCM algorithm.
Step 1: Configuring ACF
acfo command is used to modify ACF tunable. These tunable are used by pkcs11 device driver to determine if incore crypto acceleration should be used in ACF kernel services. The pkcs11 device driver must be active while running acfo command.
To display all ACF tunable
# acfo -d
nx_enabled : 1.
min_sz : 1024.
in_core_enabled : 0.
By default, “in_core_enabled” is disabled, it is required to enable this tunable to make use of in-core and also the GCM optimizations. If the tunable is set, then it is not required to perform next steps.
We now set the in-core crypto acceleration persistently and do a reboot to enable the capabilities.
# acfo -p -t in_core_enabled=1
# reboot
Once the system comes up, check if the tunable is set
# acfo -d
nx_enabled : 1.
min_sz : 1024.
in_core_enabled : 1
Ensure in_core_enabled tunable is set both on the initiator and receiver partitions.
Step 2: Establishing IPsec tunnel with AES-GCM algorithm
2.1 Create ipsec v4 and v6 devices on both initiator and receiver by using smit or mkdev, mkfilt commands
#smit ipsec4
#smit ipsec6
OR
# /usr/sbin/mkdev -c ipsec – t 4
# /usr/sbin/mkfilt -v 4 -u -z p
# /usr/sbin/mkdev -c ipsec -t 6
# /usr/sbin/mkfilt -v 6 -u -z p
2.2 Load the xml which contains ipsec configurations
# ikedb -p <config xml file>
A sample configuration is shown below
NOTE:
Ensure to set GCM related parameters to ESP_Encryption. For ex: ESP_Encryption can be set to any of below algorithm:
ESP_AES128_GCM_16 | ESP_AES192_GCM_16 | ESP_AES256_GCM_16
Interchange the Local Identity and Remote Identity values and load the xml in the receiver partition
2.3 Start the ike subsystem on both the partitions
# startsrc -g ike
2.4 Finally, activate ike tunnels
# ike cmd=activate
Sample xml File
<?xml version="1.0"?>
<AIX_VPN
Version="2.1">
<IKEProtection
IKE_Flags_UseCRL="No"
IKE_KeyOverlap="90"
IKE_ProtectionName="LP1Pol"
IKE_ResponderKeyRefreshMaxKB="200"
IKE_ResponderKeyRefreshMaxMinutes="480"
IKE_ResponderKeyRefreshMinKB="1"
IKE_ResponderKeyRefreshMinMinutes="1"
IKE_Role="Both"
IKE_Version="2"
IKE_XCHGMode="None">
<IKETransform
IKE_Encryption="AES-CBC-256"/>
<IKETransform
IKE_PRF="PRF_HMAC_SHA1"/>
<IKETransform
IKE_Hash="SHA"/>
<IKETransform
IKE_DHGroup="20"/>
<IKETransform
IKE_AuthenticationMethod="Preshared_key"/>
<IKETransform
IKE_KeyRefreshMinutes="5"/>
</IKEProtection>
<IKETunnel
IKE_Flags_AutoStart="No"
IKE_Flags_MakeRuleWithOptionalIP="No"
IKE_ProtectionRef="LP1Pol"
IKE_TunnelName="LP1">
<IKELocalIdentity>
<IPV4_Address
Value="initiator_ip_address"/>
</IKELocalIdentity>
<IKERemoteIdentity>
<IPV4_Address
Value="receiver_ip_address"/>
</IKERemoteIdentity>
</IKETunnel>
<IKEPresharedKey
Format="ASCII"
Value="12345">
<IKEPresharedRemoteID>
<PK_IPV4_Address
Value=" receiver_ip_address "/>
</IKEPresharedRemoteID>
</IKEPresharedKey>
<IPSecProposal
IPSec_ProposalName="LP2Prop">
<IPSecESPProtocol
ESP_Authentication="NONE"
ESP_EncapsulationMode="Transport"
ESP_Encryption="ESP_AES256_GCM_16"
ESP_ExtendedSeqNum="0"
ESP_KeyRefreshKB="0"
ESP_KeyRefreshMinutes="3"/>
</IPSecProposal>
<IPSecProtection
IPSec_Flags_UseCommitBit="No"
IPSec_Flags_UseLifeSize="No"
IPSec_InitiatorDHGroup="0"
IPSec_KeyOverlap="10"
IPSec_ProposalRefs="LP2Prop "
IPSec_ProtectionName="LP2Pol"
IPSec_ResponderDHGroup="GROUP_2"
IPSec_ResponderKeyRefreshMaxKB="200"
IPSec_ResponderKeyRefreshMaxMinutes="43200"
IPSec_ResponderKeyRefreshMinKB="1"
IPSec_ResponderKeyRefreshMinMinutes="1"
IPSec_Role="Both"/>
<IPSecTunnel
IKE_TunnelName="LP1"
IPSec_Flags_AutoStart="No"
IPSec_Flags_OnDemand="No"
IPSec_ProtectionRef="LP2Pol"
IPSec_TunnelName="LP2">
<IPSecLocalIdentity
EndPort="65535"
Port="0"
Protocol="0">
<IPV4_Address_Range
From_IPAddr=" initiator_ip_address "
To_IPAddr=" initiator_ip_address "/>
</IPSecLocalIdentity>
<IPSecRemoteIdentity
EndPort="65535"
Port="0"
Protocol="0">
<IPV4_Address_Range
From_IPAddr=" receiver_ip_address "
To_IPAddr=" receiver_ip_address "/>
</IPSecRemoteIdentity>
</IPSecTunnel>
</AIX_VPN>
Observations
Here is a sample of the performance numbers and the corresponding graphs for IPsec with ESP_AES256_GCM_16 algorithm on a P10, P9 and a P8 system. The performance numbers are captured with the help of iperf tool. Run the iperf in client/server mode on both initiator and responder once the ike tunnels are successfully established .
Following charts are generated for an average numbers captured from iperf tool run for five rounds. The numbers are captured for in_core_enabled set to 0(represented in Blue color) and in_core_enabled set to 1(represented in Red color). With in_core_enabled been set to 1, we can see that performance has improved by more than 350%
Similar performance is expected for other supported algorithms like ESP_AES128_GMAC, ESP_AES192_GMAC, ESP_AES256_GMAC, ESP_AES128_GCM_16, ESP_AES192_GCM_16, AH_AES_128_GMAC, AH_AES_192_GMAC, AH_AES_256_GMAC
Power 8 System Configuration:
Initiator: 0.5 Core processor, 4GB memory
Receiver: 0.5 Core processor, 8GB memory
Graphical representation:
Power 9 System Configuration:
Client: zz, 0.1 Core processor, 4GB memory
Server: zz, 0.1 Core processor, 4GB memory
Graphical representation:
Power 10 System Configuration:
Client: Everest 1 Core, 16GB Memory
Server: Everest 1 Core, 16BG Memory
Graphical representation:
Authors
Mansi Jaiswal (mansjais@in.ibm.com)
Sandeep Umesh (sanumesh@in.ibm.com)
Swetha Narayana (swethara@in.ibm.com)
References
AES-GCM: https://en.wikipedia.org/wiki/Galois/Counter_Mode
ACF: https://community.ibm.com/community/user/power/blogs/xinya-wang1/2021/02/18/exploitation-of-nest-accelerators-and-in-core-acce