On STH, you are going to see more 400GbE over the next few weeks. It has been a while since we covered 400GbE, as we did with Inside an Innovium Teralynx 7-based 32x 400GbE Switch. We wanted to cover a few of the cards and options around the new ecosystem. One we have had on the to-do list is the AMD Versal Premium 400Gbps in-line IPSec Demo.
AMD Versal 400Gbps In-Line IPSec Demo
At OFC 2023, AMD showed off the new demo. In-line IPSec is important here because it requires some form of acceleration. In the 1GbE/10GbE generation, one could use CPU cores for IPSec, but at 100GbE and above it is a workload that needs acceleration. AMD, for its part, is using the Xilinx Versal Premium IP. We covered the AMD Xilinx Versal Premium ACAP previously.
Key aspects of AMD’s 400G IPSec demonstration include:
- 100G-400G scalable DCMAC and HSC hardened blocks.
- 400G Security policies and Security database lookup with AMD’s CAM & STCAM IPs.
- Integration of IPSec control and data plane with up to 32K tunnel setup using industry-standard strongSwan APIs running on the AMD platform using EPYC processors and Versal Premium series devices. (Source: AMD)
AMD has the ability to tie 400G I/O, hardened IP blocks, and the FPGA-based fabric together to build a 400G IPSec in-line accelerator.
We asked AMD about getting photos from the event of the demo. We were told we could probably get some, but we never received them. Still, since both the IPSec acceleration and 400Gbps speeds are themes we have been working on at STH, we wanted to at least cover the story in some capacity.
For those who have not used 100GbE+ networking, the need for this kind of acceleration may not make sense. We have done pieces like our Intel Xeon D-2700 Onboard QuickAssist QAT Acceleration Deep-Dive just to show some of this acceleration. Hopefully, we will get to show more of these acceleration demos in the future.
Integration with strongSwan IPSec at 400 Gbps is impressive.
Given the complexity of IPSec and the difficulty of verifying that a particular setup doesn’t have weird failure modes that lead to unencrypted operation, it’d be great to see 400 Gbps with something simpler and more modern such as WireGuard.
Are there any thoughts about the feasibility of WireGuard?
strongSwan is what’s being used at all hyperscalers for encryption; don’t see a direct case for WireGuard support there @Eric Olsen
strongSwan also provides support for PKI (Public Key Infrastructure), which is a framework for managing digital certificates and public-private key pairs. PKI is used to authenticate and secure communication between network devices.
QKD (Quantum Key Distribution) is a method for distributing cryptographic keys securely using the principles of quantum mechanics. QKD is not directly related to strongSwan or IPSec, but it can be used to generate strong cryptographic keys that can be used with IPSec. QKD is a promising technology that may play a role in future cryptography systems.