Chelsio T6 Crypto Offload

Chelsio’s Terminator 6 (T6) Unified Wire ASIC enables concurrent secure communication and secure storage with support for integrated TLS/SSL/DTLS and inline cryptographic functions, leveraging the proprietary TCP/IP offload engine for acceleration. Chelsio’s full offload TLS/SSL/DTLS is uniquely capable of 100Gb line-rate performance. DTLS runs on UDP, while TLS runs on TCP. In addition, the accelerator can be used in a traditional Co-processor Lookaside mode to accelerate TLS/SSL, IPsec, SMB 3.X crypto, data-at-rest encryption/decryption and data-deduplication fingerprint computations. With its sixth-generation T6 ASIC and Ethernet adapters, Chelsio has taken the unified wire solution to the next level. T6 delivers an unmatched feature set combined with a single-chip design. No other vendor offers a single SKU for NVMe-oF, NIC, TOE, SR-IOV, iSCSI, FCoE and iWARP RDMA that concurrently supports in-line TLS/SSL, SMB 3.X crypto, IPsec and DTLS.

Key Features

  • Standard PCIe Gen 3 x16 form factor network and storage adapters with integrated TLS/SSL, DTLS, IPsec and SMB 3.X crypto offload and acceleration capabilities.
  • Supports the following ciphers and digests:
    • SHA1, SHA224, SHA256, SHA384, SHA512
    • HMAC-[SHA1, SHA224, SHA256]
    • HMAC-[SHA512_224, SHA512_256, SHA512_384, SHA512_512]
    • AES-CBC/CTR/GCM/CCM/XTS
  • Concurrent support for TCP/IP, UDP, iSCSI, iSER, iWARP RDMA and NVMe-oF
  • Transparent support for both traditional Co-processor and Inline mode cryptographic functions.
  • TLS/SSL PDU offload.
  • Transparent encryption capabilities built into applications with TLS/SSL and DTLS mechanisms.
  • Active session keys storage on protected DDR memory.
  • Key negotiation and asymmetric operations (IKE, RSA, Diffie-Hellman, Elliptic Curve Cryptography (ECC), etc.) are performed by host software or other means.
  • Enables encrypted, authenticated media streaming (single or multiple connections; each with different session keys).
    • Encryption support for Adaptive Bitrate Streaming (ABS) flows
  • The T6 adapter registers its capabilities with the Crypto API framework for the supported crypto protocols, leverages all benefits provided by the host operating system and enables the offloading of crypto operations onto the adapter.
  • Support for Socket and API interfaces.

Key Benefits

Figure 1 – Chelsio Crypto Solution

  • Low Power & Low Cooling: Standard dual port, low profile, 100Gb Ethernet adapter, requiring a maximum of 200 LFM airflow at 19W maximum power usage.
  • Saving on CPU and Memory usage: Cryptographic and network I/O functions are compute and memory intensive. Chelsio adapters offload protocol traffic, providing a low power, no-compromise, high performance solution that keeps CPU and memory free for other datacenter applications.
  • Lower CAPEX and OPEX: Chelsio’s solution offloads cryptographic functions to the T6 NIC rather than requiring investment in a more powerful processor with crypto capabilities, processes cryptographic functions concurrently with regular network traffic, and leverages standard Ethernet infrastructure, which uniquely positions it to keep CAPEX and OPEX low.
  • No third party software development is required to enable encryption if the application has built-in TLS/SSL, DTLS and IPsec crypto mechanisms.

Supported Cryptographic Offload & Acceleration Modes

Figure 2 – Co-Processor Crypto Mode

Cryptographic functions can be enabled through different mechanisms and support different protocols. At a high level, the traditional Co-processor mode is used for data-at-rest encryption/decryption and data-deduplication fingerprint computation, while Inline Crypto mode can authenticate and process encrypted packets for the application at the port level and encrypt outgoing packets when requested by the application. Chelsio adapters support both modes, and the solution is programmable so that the desired optimizations can be made.

Traditional Co-processor Mode

This mode of operation is supported for the TLS/SSL, SMB 3.X and IPsec protocols, for functions like data-at-rest encryption, decryption, authentication and data de-dupe fingerprint generation.

  • In the Co-processor mode of operation, either cleartext is sent to the adapter over the PCIe bus for encryption and authentication, or encrypted and authenticated cipher text is sent to the T6 for decryption and authentication.
  • Key negotiation is performed by software on the host computer.
  • The T6 crypto Co-processor mode of operation can be combined with other offload capabilities.

Inline Mode

Figure 3 – Inline Crypto Mode

Chelsio’s Inline crypto solution supports TCP/IP and TLS/SSL AES/SHA processing in a cut-through fashion to achieve optimal bandwidth and latency. The offloaded connection is used to transmit and receive data. The handshake is executed on the host, while data is encrypted and decrypted by the crypto engine in hardware.

  • T6 adapters offload the TLS PDU crypto, while the handshake is still performed by the host.
  • Chelsio’s OpenSSL modifications provide hooks for data transmission, receive and key programming.
  • Third party/customized TLS/SSL implementations are also supported.
  • Supports crypto for all TLS/SSL ports.
  • The user can also apply a COP (Chelsio Offload Policy) to enable the TLS offload setting for a chosen filter.

Key Negotiation/Exchange

Figure 4 – Key Exchange Mechanism

Chelsio’s cryptographic solution supports popular protocols like IKE (key negotiation), RSA, Diffie-Hellman, Elliptic Curve Cryptography (ECC), etc., and provides encryption capabilities built into the application with TLS/SSL and DTLS mechanisms. Chelsio adapters offload the TLS/SSL PDU crypto, while the handshake and key exchange are still performed by the host.

Key Negotiation Rate Use cases

  • A web server with high transaction rates from many different users requires support for a high negotiation rate, e.g., from distributed software or dedicated hardware.
  • Media streaming requires a low rate: session keys are typically negotiated once and then used to watch, e.g., a Netflix show or movie for 30min-2hours with the same session key.

Supported Operating Systems

Currently Chelsio’s Crypto Offload drivers for Co-processor and Inline modes are available for Linux, supporting the following kernel versions:

  • Kernel.org linux-4.9
  • Kernel.org linux-4.8

The Linux drivers support both user-space and kernel-space module interfaces. User-space applications can leverage the af_alg interface to use the Chelsio crypto offload feature, while kernel-space modules access the Chelsio crypto offload features directly through Linux’s crypto framework.
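As an added example (not Chelsio’s code), the block below shows how a user-space program on Linux reaches a kernel-registered hash or HMAC transform through the AF_ALG socket interface mentioned above; the kernel selects whichever registered implementation of the algorithm has the highest priority, which is how a loaded offload driver gets used without changing application code. Python’s socket module exposes AF_ALG on Linux; when AF_ALG is unavailable the block falls back to hashlib/hmac, and it can cross-check the kernel result against them. The sample data and key are constructed.

```python
import hashlib
import hmac
import socket
from typing import Optional

# Constructed sample inputs (not from the Chelsio page).
SAMPLE_DATA = b"The quick brown fox jumps over the lazy dog"
SAMPLE_KEY = b"key"


def kernel_digest(alg: str, data: bytes, key: Optional[bytes] = None) -> bytes:
    """Hash (or HMAC when a key is given) via the Linux kernel crypto API over AF_ALG.
    The kernel picks the highest-priority registered implementation of `alg`;
    with an offload driver loaded that is the hardware engine, otherwise software.
    Raises OSError/AttributeError if AF_ALG cannot be used on this system."""
    kernel_name = f"hmac({alg})" if key is not None else alg
    with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as cfg:
        cfg.bind(("hash", kernel_name))
        if key is not None:  # key is set on the configuration socket, before accept()
            cfg.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
        op, _ = cfg.accept()  # operation socket bound to this transform instance
        with op:
            op.sendall(data)  # no MSG_MORE, so the kernel finalises the digest
            return op.recv(hashlib.new(alg).digest_size)


def software_digest(alg: str, data: bytes, key: Optional[bytes] = None) -> bytes:
    """Same computation in pure software, used as fallback and cross-check."""
    if key is not None:
        return hmac.new(key, data, alg).digest()
    return hashlib.new(alg, data).digest()


def digest_hex(alg: str, data: bytes, key: Optional[bytes] = None) -> str:
    """Prefer the kernel path (offloaded if a driver is present), else software."""
    try:
        return kernel_digest(alg, data, key).hex()
    except (AttributeError, OSError):
        return software_digest(alg, data, key).hex()


def crosscheck(alg: str, data: bytes, key: Optional[bytes] = None):
    """True if kernel and software digests agree; None if AF_ALG is unavailable."""
    try:
        from_kernel = kernel_digest(alg, data, key)
    except (AttributeError, OSError):
        return None
    return hmac.compare_digest(from_kernel, software_digest(alg, data, key))


if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha512"):
        print(name, digest_hex(name, SAMPLE_DATA), "agrees:", crosscheck(name, SAMPLE_DATA, SAMPLE_KEY))
```

A crosscheck() result of None means the kernel path was not reachable (non-Linux host, or the AF_ALG socket blocked by policy), not that the digests differed.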

Latest drivers/software are available at http://service.chelsio.com.

Supported Adapters

The following are the currently shipping Chelsio adapters that are supported and compatible with Chelsio’s crypto offload drivers:

  • T6225-CR: Low Profile, Dual Port 1/10/25GbE Unified Wire Adapter
  • T6225-SO-CR: Low Profile, Memory Free, Dual Port 1/10/25GbE Server Offload Adapter
  • T6225-LL-CR: Low Latency, Low Profile, Dual Port 1/10/25GbE Unified Wire Adapter
  • T62100-CR: Half Size, Dual Port 40/50/100GbE Unified Wire Adapter
  • T62100-LP-CR: Low Profile, Dual Port 40/50/100GbE Unified Wire Adapter
  • T62100-SO-CR: Low Profile, Memory Free, Dual Port 40/50/100GbE Server Offload Adapter

Reference Use Cases

Inline Encryption for Media Streaming – CDN Secure Cloud

Content delivery networks (CDNs) are globally distributed networks of Point of Presence (POP) or proxy servers deployed in multiple datacenters. The goal of these large, broadly distributed CDNs is to serve content, including on-demand/live streaming media and downloadable media files from web servers, to end-users over HTTP with high availability and high performance.

Figure 5 – Inline Crypto Use Case

In the above figure (Chelsio Crypto Enabled Video Streaming Capabilities), a CDN server (1) delivers 20K 5Mbps streams of content (video, movie, IPTV, etc.) using a single T6 adapter. It offloads 20K TLS/SSL connections (3), and each of these connections is traffic-managed by the integrated traffic manager (2) to proceed at a 5Mbps rate with low jitter.

This, combined with other capabilities like TCP/UDP Segmentation Offload, Pacing, TCP Traffic Management and traffic classification/filtering, provides much-needed acceleration for on-demand/live streaming media edge servers. The built-in T6 traffic manager is capable of supporting up to 16 traffic classes concurrently. For example, there can be a 25Mbps group in addition to the 5Mbps group.

Data-at-Rest encryption/decryption

T6 data-at-rest encryption/decryption uses the T6 crypto Co-processor mode of operation, as shown in the following diagram. The cleartext to be encrypted, e.g., with the AES-XTS algorithm, is sent to the T6 crypto engine and the ciphertext is returned. Decryption proceeds by sending the ciphertext, and the cleartext is returned. If encrypted data arrives on an inbound T6 port, it is decrypted and/or authenticated and delivered to the storage server stack:

Figure 6 – Co-processor Crypto Use Case

  • Using T6 Co-processor mode, the storage server encrypts data and/or adds a SHA authentication hash on its way to SAS/FC/NVMe storage.
  • Data is sent to and returned from the T6 Co-processor via DMA; (multiple copies of) the re-encrypted data are written to SAS/FC/NVMe/NVMf.
  • The reverse flow is also enabled by T6 using a combination of Co-processor and Inline modes.

Data de-duplication fingerprint

The T6 crypto Co-processor can also be used for de-duplication fingerprint generation. For example, when offloaded iSCSI or NVMe-oF data is received, a fingerprint of the data is computed by injecting the data into the T6 crypto Co-processor and generating a SHA hash for the storage blocks, spreadsheets or PDF documents contained in the received data. The computed fingerprint can then be used to identify opportunities for de-duplication in the storing of the data.

Secure Cloud: Inline Encryption for Web servers, IoT Devices and Overlay Networks

Security threats for web server clusters (normally located at the edge of the network), cloud-connected IoT devices (security cameras, printers, medical devices) and autonomous vehicles are growing at a very fast pace. Chelsio’s 1/10/25/40/50/100GbE cryptographic offload and acceleration solution has integrated capabilities to enable a point-to-point encryption (P2PE) network that secures both ends of the network.

Figure 7 – Inline Crypto for IoT Devices, and Web Servers Use Case

As shown in the diagram above, IoT devices connected to an Edge server can be configured either to use an encrypted overlay network tunnel or to provide encrypted Direct Data Path access over the browser. Enabling security at the host level, with the ability to manage network traffic on a per-flow basis, provides a stringent security solution for today’s datacenter networks.