Since the advent of whitebox networking, implementations have struggled in high-throughput scenarios (3Gbps/4Mpps+), with 10Gigabit solutions needing more than 20 cores to push full-duplex linerate IPSec .This is due to kernel inefficiencies (system interrupts vs polling) and unoptimized software unable to scale after a certain threshold. However modern userspace solutions built on top of the hard-work in open source dataplane collaborations have created a scalable, optimized solution to high-volume packet processing called Vector Packet Processing (VPP).
Vector packet processing is the latest toolchain and open source dataplane built to handle the coming terabit workloads efficiently. Now optimized for multicore processing, VPP offers several orders of magnitude in performance improvements to widely used technologies such as IPSes utilizing long touted technologies such as Intel’s DPDK to implement full platform crypto on top of cutting edge hardware acceleration.
This next evolution in optimized whitebox packet processing not only benefits high-end solutions, but scales down to low-power gigabit networking. Previous implementations upgraded with VPP capable software will also see a monumental performance increase and stability. Take the popular fw-7525 for example, this appliance is hard-pressed to push gigabit linerates, and struggles when adding encryption and complex traffic workloads with popular software. This same hardware using VPP-based software such as TNSR, now guarantees gigabit line saturation regardless of traffic complexity and encryption.
Whitebox CPE’s utilizing SD-WAN, which heavily relies upon encryption and high-speed packet processing for tunneling, stands to benefit greatly from the highly optimized software implementations built on top of VPP. Communication service providers can maximize hardware efficiency and scalability ultimately using less resources hardware than before. The FD.io community highlights it’s drastic improvements in IPSec with their latest release. IPSec performance has been a very difficult protocol to support in higher-throughput situations, traditionally requiring expensive, powerful hardware to handle. VPP finally breaks that paradigm.
“The first performance figures we’d like to highlight are around IPsec. FD.io VPP 20.05 testing with a 1518 byte packet size utilizing a four (4) core CPU yields an impressive NDR rate of 47 Gbps. These results hold whether using 1000, 10,000, 20,000 or even 40,000 tunnels. Full testing was performed with varying packet sizes and encryption algorithms (see highlighted results below), using a 2.5GHz Skylake Platinum 8180 CPU with Turbo boost off, and two (2) threads/core. Employed NICs were Intel xxv710-DA2 2p25GE.”
|Packet size||#cores||#tunnels||Throughput (Gbps)|
These performance figures show just how massive the improvements are in the widely used technology (IPSec) for whitebox CPE’s, and highlight the great leaps the open source community has made towards optimizing whitebox solutions. With other great features in the newest release, such as Mellanox RDMA, Kubernetes Calico integration, Generic Segmentation Offload (GSO), IKEv2 usability improvements and much much more, the outlook for high-performance whitebox networking is looking excellent. It has become clear that VPP-based software offers greater efficiency in many high throughput uCPE implementations (especially for secure WAN tunneling) and extracts scalable performance from modern hardware.
These software improvements naturally elevate Lanners SD-WAN whitebox hardware offerings to new heights, optimizing IPSec tunnelling and encryption offloading in a myriad of high throughput situations. If you are looking to deploy a state-of-the-art cost effective whitebox SD-WAN solution, try Lanner new uCPE Whitebox Finder tool where you can input an IPSec WAN-to-LAN throughput range, NIC types and various CPE-relevant hardware features to pinpoint the right platform(s) for the job.