IPsec Cryptographic Acceleration¶
There are three types of cryptographic acceleration available for use on TNSR:
Software cryptographic acceleration
CPU-based AES-NI cryptographic acceleration
Hardware-based Intel® QuickAssist Technology (QAT) cryptographic acceleration
The list above is in order of likely performance boost, from least to most. In other words, software acceleration is slowest, QAT is fastest. The availability of AES-NI CPU instructions and QAT vary by platform and installed hardware.
Software Cryptographic Acceleration¶
TNSR will automatically configure software cryptographic acceleration for VPP if an IPsec tunnel is defined in the configuration. To enable this configuration, the VPP service must be restarted manually so it can enable the feature and allocate additional memory.
The cryptographic accelerator setting applies to all tunnels, so the restart is only required after the first IPsec tunnel configured by TNSR. The restart is not required for additional tunnels or when changing IPsec settings.
Restart the VPP dataplane from the TNSR basic mode CLI using the following command:
tnsr# config tnsr(config)# service dataplane restart
If the TNSR configuration contains no IPsec tunnels, TNSR will not require the memory resources associated with cryptographic acceleration and TNSR will not require a restart of the VPP dataplane service.
AES-NI cryptographic acceleration¶
AES-NI cryptographic acceleration takes advantage of AES acceleration instructions available in most modern CPUs. Since this feature relies on CPU support, it is not available on all hardware and, depending on the hypervisor and its configuration, may not be passed through from a host to a VM.
AES-NI offers a significant performance boost with AES-based ciphers, especially with AEAD ciphers such as AES-GCM.
AES-NI is automatically used if available.
QAT cryptographic acceleration¶
TNSR Supports hardware compatible with Intel® QuickAssist Technology (QAT) for accelerating cryptographic operations, such as IPsec. This requires the presence of a compatible QAT device, which may be a component of the hardware platform or an add-in card such as the CPIC devices sold by Netgate.
To configure a QAT device, follow the procedures described in Setup QAT Compatible Hardware to enable the device in the dataplane configuration.
There is a known incompatibility between QAT and VT-d on some platforms which can prevent IPsec traffic from passing when QAT acceleration is enabled. See Disable VT-d in the BIOS for details.