Transforming IPsec Deployments with NVIDIA DOCA 2.0

Announced in March 2023, NVIDIA DOCA 2.0, the newest release of the NVIDIA SDK for BlueField DPUs, is now available. Together, NVIDIA DOCA and BlueField DPUs accelerate the development of applications that deliver breakthrough networking, security, and storage performance with a comprehensive, open development platform.

NVIDIA DOCA 2.0 includes newly added support for the BlueField-3 Data Path Accelerator (DPA) subsystem and adds enhancements to DOCA storage emulation and VirtIO emulation. DOCA 2.0 also introduces the new GPUNetIO library, the IPsec encryption and decryption library, and adds functionality to the DOCA Flow library.

As highlighted in the announcement during the recent NVIDIA GTC, NVIDIA DOCA 2.0 enables a number of security-focused use cases for BlueField-3. This post discusses workload transformation and how DOCA and BlueField together achieve new levels of performance and efficiency. We start by reviewing the new DOCA IPsec library and how it offers an opportunity for you to create next-generation IPsec security solutions.

Legacy IPsec solutions

IPsec is a widely used protocol suite for securing IP traffic, both across the Internet and between servers within a data center. It provides confidentiality (encryption), integrity protection, peer authentication, and anti-replay protection at the IP layer, so any traffic carried in IP packets can be protected in transit from eavesdropping, tampering, and unauthorized access without changes to the applications above it.

IPsec can be deployed in various ways. In legacy deployments, it was often implemented in dedicated hardware installed at the network gateway, such as a router or firewall. This hardware was fast but inflexible: it could protect only traffic that passed between those fixed gateways, leaving traffic elsewhere in the network in the clear, and it had to be reconfigured or replaced as the network infrastructure changed. That was a time-consuming, resource-intensive process that could also cause network downtime.

While dedicated-hardware deployments of IPsec are effective at securing network communication, they come with several disadvantages. The hardware is often costly and requires specialist knowledge to install and configure.

Scalability and performance are also limited. As organizations grow and network traffic increases, dedicated appliances are slow to deploy and constrained in capacity and features, so they become a performance or functionality bottleneck for the whole network.

CPU-based (software) IPsec, on the other hand, is easy to deploy but carries its own burden: the encryption and integrity processing competes with applications for the same cores, and at data-center line rates it cannot keep up with application traffic. As demand for secure, high-speed communication grows, this contention degrades broader application and system performance.

Because every packet must be encrypted and authenticated on transmit and verified and decrypted on receipt, IPsec adds per-packet processing as well as header and trailer bytes to network traffic. When that work lands on the host CPU, it increases network latency and affects application responsiveness and user experience.
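As an added example (not code from this post or from DOCA), the following Go program makes the per-packet work described above concrete. It implements ESP with AES-128-GCM as specified in RFC 4303 and RFC 4106: encapsulation with the ESP header, explicit IV, padding, trailer and 16-byte ICV; decapsulation with ICV verification; and the 64-packet sliding anti-replay window from RFC 4303 Appendix A. Running it shows both the byte overhead ESP adds and the processing that moves off the host CPU when the security association (SA) is offloaded. The key, salt and "inner packet" are constructed test values, and the type and function names are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SA is the ESP/AES-GCM (RFC 4303, RFC 4106) state of one security association.
type SA struct {
	SPI       uint32
	aead      cipher.AEAD
	salt      [4]byte // first 4 bytes of every GCM nonce
	seqOut    uint32  // last sequence number sent
	replayTop uint32  // highest sequence number accepted
	replayBm  uint64  // bit i set: replayTop-i accepted; starts at 1 so seq 0 is rejected
}

func NewSA(spi uint32, key []byte, salt [4]byte) (*SA, error) {
	block, err := aes.NewCipher(key) // 16-byte key: AES-128-GCM
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 12-byte nonce = salt || IV, 16-byte ICV
	return &SA{SPI: spi, aead: aead, salt: salt, replayBm: 1}, err
}

// Encap wraps inner as SPI(4) | Seq(4) | IV(8) | ciphertext | ICV(16). SPI and Seq
// are sent in the clear but authenticated as AAD; padding aligns the trailer to 4.
func (sa *SA) Encap(inner []byte, nextHeader byte) ([]byte, error) {
	sa.seqOut++
	var iv [8]byte
	if _, err := rand.Read(iv[:]); err != nil {
		return nil, err
	}
	padLen := (4 - (len(inner)+2)%4) % 4
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding 1,2,3,...
	}
	plain = append(plain, byte(padLen), nextHeader)
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:4], sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:8], sa.seqOut)
	nonce := append(sa.salt[:], iv[:]...)
	return sa.aead.Seal(append(hdr, iv[:]...), nonce, plain, hdr), nil
}

// Decap verifies and unwraps a packet for an SA already selected by its SPI. The
// replay window (RFC 4303 Appendix A) is checked before the ICV and updated only
// after the ICV verifies, so a forged sequence number can never move the window.
func (sa *SA) Decap(pkt []byte) (inner []byte, nextHeader byte, err error) {
	if len(pkt) < 16+sa.aead.Overhead()+2 {
		return nil, 0, errors.New("esp: packet too short")
	}
	seq := binary.BigEndian.Uint32(pkt[4:8])
	if !sa.replayOK(seq) {
		return nil, 0, fmt.Errorf("esp: seq %d replayed or outside window", seq)
	}
	plain, err := sa.aead.Open(nil, append(sa.salt[:], pkt[8:16]...), pkt[16:], pkt[:8])
	if err != nil {
		return nil, 0, errors.New("esp: ICV check failed (tampered or wrong key)")
	}
	sa.replayMark(seq)
	padLen := int(plain[len(plain)-2])
	if padLen > len(plain)-2 {
		return nil, 0, errors.New("esp: bad pad length")
	}
	return plain[:len(plain)-2-padLen], plain[len(plain)-1], nil
}

func (sa *SA) replayOK(seq uint32) bool {
	if seq > sa.replayTop {
		return true
	}
	diff := sa.replayTop - seq
	return diff < 64 && sa.replayBm&(1<<diff) == 0
}

func (sa *SA) replayMark(seq uint32) {
	if seq <= sa.replayTop {
		sa.replayBm |= 1 << (sa.replayTop - seq)
		return
	}
	sa.replayBm = sa.replayBm<<(seq-sa.replayTop) | 1 // a shift of 64 or more clears the window
	sa.replayTop = seq
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; real SAs get keys from IKEv2
	tx, _ := NewSA(0x1001, key, [4]byte{0xde, 0xad, 0xbe, 0xef})
	rx, _ := NewSA(0x1001, key, [4]byte{0xde, 0xad, 0xbe, 0xef})
	pkt, _ := tx.Encap([]byte("inner IP packet bytes"), 4) // next header 4: IPv4 in ESP
	_, _, first := rx.Decap(pkt)
	_, _, replay := rx.Decap(pkt) // identical copy: rejected by the window
	fmt.Printf("len=%d first=%v replay=%v\n", len(pkt), first, replay)
}
```

For a 21-byte payload the program reports 56 bytes on the wire, that is 35 bytes of ESP overhead (8 header, 8 IV, 1 pad, 2 trailer, 16 ICV); tunnel mode adds the outer IP header on top. Everything inside Encap and Decap is what a full offload moves to the DPU for every packet, while key exchange (IKEv2) remains a control-plane task outside this example.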

Deploying IPsec using NVIDIA BlueField

With the advent of NVIDIA DOCA and the newly developed IPsec library, IPsec can now be deployed by offloading it to an NVIDIA BlueField DPU. This is a stark contrast to legacy deployments of IPsec. This evolution offers developers and partners new advantages and highlights how BlueField DPUs are set to benefit customers in the enterprise space.

BlueField DPUs offer a programmable solution that can be used to offload network processing tasks from the CPU. In the case of IPsec, DPUs can be used in several ways to improve the IPsec process while simultaneously accelerating the encryption and decryption of network traffic.

Offloading IPsec to a BlueField DPU improves IPsec performance and frees the host CPU for other tasks; it also simplifies network management and reduces administrative overhead. The encryption/decryption process, and any other network security tasks, now run in a domain isolated from the server's CPU and applications: the IPsec keys and policy stay in the DPU's domain rather than the host's, so compromising the host operating system does not by itself hand an attacker the tunnel keys or let it switch the protection off. Because the DPU observes the host's traffic from outside the host, security is more resilient and an adversary who attacks the server is easier to detect.

In today’s data center, efficiency and effectiveness are still important. In response, next-generation solutions must be scalable, flexible, and composable. BlueField DPUs can be programmed to handle specific network-related processing tasks as well as supporting a wide range of network protocols and encryption algorithms. For example, the DPU could perform packet routing, packet inspection, or load-balancing functions while it also accelerates IPsec.

As the network infrastructure evolves, hardware does not have to be replaced with each new feature requirement. BlueField DPUs present a highly scalable, customizable, and cost-effective offering.

Figure 1. NVIDIA DOCA 2.0 software framework: the software architecture for NVIDIA DOCA 2.0

BlueField-3, NVIDIA DOCA 2.0, and IPsec for a distributed firewall

As a real-world use case, consider a firewall with accelerated IPsec encryption and decryption. In such a deployment, offloading IPsec processing to a BlueField-3 DPU brings significant benefits to the network infrastructure.

As mentioned earlier, IPsec provides a set of functions that protect IP packets from unauthorized access, tampering, and eavesdropping. These functions are CPU-intensive, which is what makes offloading attractive.

In a software-based, distributed firewall, offloading to a BlueField-3 DPU streamlines operation and accelerates performance. Traffic that the firewall policy already classifies as trusted is handed to the DPU, which encrypts it with IPsec and sends it to the receiving host without involving the host CPU; this reduces CPU utilization and moves the trusted traffic quickly and efficiently. The remaining traffic, which still requires threat inspection, is routed through the firewall's inspection logic.

With the CPU no longer handling IPsec, the firewall's own application performance improves. Terminating the IPsec tunnel on the DPU also means the traffic is available in the clear at the DPU, so network inspection can be applied there; that would not be possible if the server simply forwarded IPsec-encrypted traffic without decrypting it.
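To make the trusted/inspected split concrete, here is an added example (my own Go code, not DOCA or any NVIDIA firewall) of the policy decision that sits in front of the offload: an RFC 4301 style security policy database (SPD) whose PROTECT entries name the SA the DPU encrypts with, extended with an Inspect verdict (an assumed, non-RFC action) for traffic that must still pass through the host firewall engine. It also shows the inbound counterpart that a distributed firewall must keep even when the DPU terminates the tunnel: after decapsulation the inner packet is checked against the selectors of the entry that owns the SA, so a peer cannot use one SA to inject traffic toward destinations the policy never granted. The addresses, SPI value and rules are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is the RFC 4301 SPD verdict, plus Inspect for the host firewall path.
type Action int

const (
	Discard Action = iota // RFC 4301 DISCARD: drop
	Bypass                // RFC 4301 BYPASS: forward in the clear
	Protect               // RFC 4301 PROTECT: trusted, ESP on the DPU, no host inspection
	Inspect               // assumed extension: hairpin to the host firewall engine first
)

func (a Action) String() string { return [...]string{"DISCARD", "BYPASS", "PROTECT", "INSPECT"}[a] }

// Selector is the subset of RFC 4301 traffic selectors used here:
// address prefixes, protocol (0 = any) and a destination port range (0-0 = any).
type Selector struct {
	Src, Dst             netip.Prefix
	Proto                uint8
	DstPortLo, DstPortHi uint16
}

type Rule struct {
	Sel Selector
	Act Action
	SPI uint32 // SA bound to a PROTECT entry; 0 otherwise
}

type Flow struct {
	Src, Dst netip.Addr
	Proto    uint8
	DstPort  uint16
}

func (s Selector) Match(f Flow) bool {
	if !s.Src.Contains(f.Src) || !s.Dst.Contains(f.Dst) {
		return false
	}
	if s.Proto != 0 && s.Proto != f.Proto {
		return false
	}
	if s.DstPortLo == 0 && s.DstPortHi == 0 {
		return true
	}
	return f.DstPort >= s.DstPortLo && f.DstPort <= s.DstPortHi
}

// Lookup is the outbound decision: the SPD is an ordered list and the first
// match wins (RFC 4301 section 4.4.1); traffic matching no entry is discarded.
func Lookup(spd []Rule, f Flow) (Action, uint32) {
	for _, r := range spd {
		if r.Sel.Match(f) {
			return r.Act, r.SPI
		}
	}
	return Discard, 0
}

// InboundCheck is the post-decapsulation check of RFC 4301 section 5.2: a packet
// that arrived on SA spi is forwarded only if its inner header matches the
// selectors of the entry that owns that SA. The receiving host's inbound SPD
// entry carries the same src/dst selectors, since it sees the same packet.
func InboundCheck(spd []Rule, spi uint32, inner Flow) bool {
	for _, r := range spd {
		if r.Act == Protect && r.SPI == spi {
			return r.Sel.Match(inner)
		}
	}
	return false // unknown SA: never forward
}

// mustFlow builds a Flow from strings; it panics on bad input (demo helper).
func mustFlow(src, dst string, proto uint8, dport uint16) Flow {
	return Flow{netip.MustParseAddr(src), netip.MustParseAddr(dst), proto, dport}
}

// DemoSPD is a constructed policy for one host: east-west traffic to the storage
// rack 10.2.0.0/16 is trusted and goes straight to ESP on the DPU, intra-segment
// traffic is bypassed, outbound HTTPS is inspected, and everything else is dropped.
func DemoSPD() []Rule {
	return []Rule{
		{Selector{netip.MustParsePrefix("10.1.0.0/16"), netip.MustParsePrefix("10.2.0.0/16"), 0, 0, 0}, Protect, 0x1001},
		{Selector{netip.MustParsePrefix("10.1.0.0/16"), netip.MustParsePrefix("10.1.0.0/16"), 0, 0, 0}, Bypass, 0},
		{Selector{netip.MustParsePrefix("10.1.0.0/16"), netip.MustParsePrefix("0.0.0.0/0"), 6, 443, 443}, Inspect, 0},
	}
}

func main() {
	spd := DemoSPD()
	for _, f := range []Flow{
		mustFlow("10.1.2.3", "10.2.4.5", 6, 5201),
		mustFlow("10.1.2.3", "10.1.9.9", 17, 53),
		mustFlow("10.1.2.3", "203.0.113.10", 6, 443),
		mustFlow("10.1.2.3", "203.0.113.10", 17, 53),
	} {
		act, spi := Lookup(spd, f)
		fmt.Printf("%s -> %s proto %d port %d: %s (spi 0x%x)\n", f.Src, f.Dst, f.Proto, f.DstPort, act, spi)
	}
	// Receiver side: an inner packet on SPI 0x1001 bound outside the selector is dropped.
	fmt.Println("inbound 10.2.4.5:", InboundCheck(spd, 0x1001, mustFlow("10.1.2.3", "10.2.4.5", 6, 5201)))
	fmt.Println("inbound 10.3.0.1:", InboundCheck(spd, 0x1001, mustFlow("10.1.2.3", "10.3.0.1", 6, 5201)))
}
```

Only the PROTECT verdict yields an SPI, which is the handle a data plane uses to pick the SA for encryption; the INSPECT verdict carries no SA because such traffic is handed to the firewall engine first and only gets an IPsec decision after it has been cleared. The inbound check is the piece most often forgotten when the tunnel terminates on an accelerator: decryption proves the packet came from the peer holding the key, not that the peer was allowed to send it to that destination.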

For developers of these next-generation firewalls (NGFW), the APIs and supporting resources in the new DOCA IPsec library simplify development and reduce time to market. They help build a more efficient control plane that scales to many thousands of concurrent IPsec connections with improved performance.

In addition to NGFW, the new DOCA IPsec library can be employed to use IPsec delivery through an NVIDIA DPU for a variety of use cases:

  • Virtual private network (VPN) gateways
  • Intrusion detection and prevention systems (IDPS)
  • Encryption for load balancing and micro-segmentation.

DOCA IPsec can also be used for storage network encryption and transparent IPsec encryption for east-west traffic.

BlueField and NVIDIA DOCA: Benefiting business

This example is just one of the use cases where the combination of BlueField-3 and NVIDIA DOCA adds commercial and technical value:

  • Reducing host resource utilization, freeing CPU cycles and engineering time for other work.
  • Reducing the time to market, offering a potential competitive edge for application developers and systems integrators.
  • Technical gains: the underlying IPsec processing is accelerated without significant impact on host CPU usage.


The NVIDIA DOCA SDK is the enablement platform for BlueField-3 DPUs. Using NVIDIA DOCA components (APIs, runtimes, libraries, and drivers) speeds up application development. Used with NVIDIA DPUs, it delivers levels of performance that were previously not feasible.

Interested in using the DOCA IPsec API for developing security applications for the BlueField DPU? Get started by reviewing the NVIDIA DOCA IPsec Programming Guide. To download DOCA 2.0, see NVIDIA DOCA Software Framework.


Have more questions? Start a discussion on the NVIDIA Developer Forum for Infrastructure.
