Fortinet FortiGate VNF Encryption Performance on Advantech SKY-8101D with 2nd gen Intel® Xeon® Scalable Family
The continued growth of communication services, stimulated further by the arrival of 5G broadband speeds and network slicing, raises increasing security concerns as more people and things access and transmit critical information over the internet.
At the same time, the rise in consumer purchasing and banking on mobile wireless devices has moved the privacy of mobile subscriber traffic and enhanced wireless security to the forefront. Additional security concerns come from within the 5G network itself, in particular as infrastructure sharing based on network-as-a-service business models enables new virtual network operators where end-to-end operator-specific encryption is required.
In the industrial world, processes are increasingly vulnerable to cybersecurity risks as IIoT exposes newly connected devices and legacy control equipment alike to the Internet to analyse big data and improve operations. The need for authentication and encrypted communications is vital to the security of industrial networks as the ICT and OT worlds converge.
Cloud connectivity is on the increase too, and with it comes a significant demand on virtual private networks (VPN) encrypting, encapsulating and tunnelling traffic for authenticated remote and mobile workers, bridging LANs between multiple company sites and to the cloud. Moreover, securely interconnecting data centres across the globe at high speed will become crucial, as virtual workloads shift geographically to match user demand.
This momentum places an increasing demand on the encryption capabilities and throughput of servers, as open architecture x86 designs become the preferred platform for the next generation of both bare metal and virtual function VPN gateways, routers or firewalls.
This Solution Brief evaluates the encryption performance of the Fortinet FortiGate VNF executing on an Advantech SKY-8101D server based on 2nd Gen Intel® Xeon® Scalable processors, by measuring the performance increase through the use of Intel® QuickAssist Technology.
This year is expected to be pivotal in the development and deployment of NFV & SDN, with communication service providers (CommSPs) preparing their virtual infrastructure roll-outs based on the massive potential of 5G. The advancements in workload consolidation and virtualisation technology on commercial-off-the-shelf servers have provided a means for carriers to drive cost and operational efficiencies into their networks ahead of widespread 5G deployment.
The agility that the new virtualized network brings to CommSPs will allow them to spin up services faster than ever before to meet customer demands and expectations. One specific area upon which Advantech, Intel® and Network Builders are focusing is the security element of the network, and more specifically how to accelerate encryption processing while freeing up CPU cycles for application and VNF processing.
Advantech teamed up with Intel, Red Hat and Fortinet to demonstrate the importance of encryption speeds in a virtual infrastructure context. This Solution Brief describes a demonstration offering further insight into application performance enabled by hardware acceleration using 2nd Gen Intel® Xeon® Processors and Intel® QuickAssist Technology on Advantech’s SKY-8101D server.
Figure 1. NFVI Building Blocks
Intel® Select Solutions
Intel® Select Solutions for NFVI align with the ETSI NFV Reference Architecture and encompass the NFVI-tuned hardware platform along with NFV software. Intel® Select Solutions for NFVI do not specify the NFV management and orchestration nor the VNFs but are developed to be able to support an ecosystem of VNF and management options.
They focus first and foremost on delivering an optimised base platform to provide a level of performance that is tested and verified with industry-leading performance indicators.
Intel-supplied test scripts ensure that the settings recipe for BIOS, firmware, drivers and various OS options are correctly implemented and can deliver on the performance promise, that the platform under test is verified through extensive regression testing, and that it is continuously refreshed to integrate the latest tested and tuned software and drivers.
Intel® Select Solutions for NFVI was designed to offer an ideal foundation for any CommSP wanting to deploy a modernised and transformed 5G ready network efficiently.
Advantech built a demonstration platform to represent real application performance enabled with hardware acceleration. The Advantech SKY-8101D, an NFV-ready server with NUMA-balanced PCIe Gen3 x16 slots and equipped with two 2nd Gen Intel® Xeon® Gold processors, serves as the device under test for the demonstration. As the server is a verified Intel® Select Solution for NFVI v2, Red Hat Enterprise Linux and Red Hat OpenStack Platform certification is checked as part of the verification process.
System Overview & Data Flows
Figure 2 provides a detailed overview of the system configuration.
- A Spirent packet generator is configured to generate and receive traffic over two Advantech PCIE-2320 Dual 40GbE Ethernet adapters.
- Fortinet’s FortiGate VNF running on CPU #0 (4 dedicated cores) encrypts traffic on the ingress port of the first adapter. Encryption processing in the first performance test employs the Intel® QuickAssist hardware acceleration engines in the chipset and in the second test the CPU cores perform all encryption processing.
- Encrypted traffic is then transmitted via the second port on the same adapter and received on the first port of the second 40GbE adapter.
- A second FortiGate VNF running on CPU #0 (4 dedicated cores) decrypts the traffic. Decryption processing in the first performance test employs the Intel® QuickAssist hardware acceleration engines in the chipset; the second test runs without acceleration, using just the CPU cores for software decryption.
Figure 2. System set-up deployed for performance testing
Configuration & Testing
The NFVI layer used for the performance test comprised both hardware and software components: Advantech SKY-8101D and Red Hat Enterprise Linux 7.6. Red Hat OpenStack Platform 13 was used as the Virtual Infrastructure Manager (VIM) managing the NFVI. Two instances of the function under test, FortiGate-VM64-KVM v6.2.0 (utilizing DPDK), were deployed. Each was configured with two SR-IOV network ports.
An IPsec tunnel was built between the two VNFs, each connected to its own Intel® XL710 40GbE controller. The tunnel was configured for AES256/SHA256 encryption for both tests as shown in Figure 3.
Figure 3. FortiGate VM64-KVM AES-256 IPsec Tunnel Set-up
The performance test shown in Figure 4 indicates CPU usage and throughput using QAT acceleration. Each virtual instance has three QAT Engines attached over SR-IOV. The throughput tops out at 5.6 Gbps as shown by the speed dial. Note the CPU consumption rises to nearly 100% for cores 2 and 3. The network interfaces are handled by cores 3 and 4 while core 2 handles QAT interrupts. See Figure 6 for precise CPU usage.
Figure 4. With Acceleration - Main dashboard with throughput indicators and CPU usage
The tunnel was then brought down with a single Fortinet command line to disable QAT offload. The new tunnel was then configured, and the Spirent was set up to generate traffic. As can be seen in the main dashboard, core 2 is no longer used, and all the encrypted traffic is handled by cores 3 and 4. The throughput counter shows a maximum throughput of 1.56 Gbps. Detailed core usage is shown in Figure 6.
Figure 5. Without Acceleration - Main dashboard with throughput indicators and CPU usage
Figure 6. Detailed CPU usage
Performance Results Summary
Based on the device under test information shown above, the Fortinet FortiGate VNF was able to achieve up to 3.5 times higher IPsec throughput using Intel® QuickAssist acceleration on an Intel® Xeon® Scalable 6230N versus the same processor not making use of Intel® QuickAssist Technology. Advantech estimates that this also results in an extra 10% of headroom available for VNF processing by the CPU.
Advantech SKY-8101D Product Overview
The SKY-8101D high-end server meets the criteria for the Intel® Select Solution for NFVI v2 plus and base configurations and has been designed for maximum performance, scalability and functionality in a 1U rackmount footprint. The configurations verified to meet Intel’s reference benchmark-performance threshold were equipped with dual Intel® Xeon® Gold 6252 processors (24 cores each, 2.1GHz) for both the plus and controller configurations. The server is also available with a broader choice of processors from the Intel® Xeon® processor Scalable family.
The SKY-8101D is a high-end server optimised for computing power, accelerated workloads and high speed, high density I/O with optimum energy efficiency. Two Intel® Xeon® Scalable processors provide the latest architectural enhancements, including rebalanced cache hierarchy, and Intel® Ultra Path Interconnect (Intel® UPI) for increased bandwidth and transfer rates between sockets at up to 10.4GT/s.
In addition, the new Intel® Advanced Vector Extensions 512 (Intel® AVX512) Vector Neural Network Instruction (VNNI) extension increases the throughput of tight inner convolutional loop operations, reduces the memory bandwidth required to perform deep learning operations and will improve the performance of image matching algorithms on Advantech white box servers.
Each socket supports 6 memory channels and up to 12 DDR4 RDIMMs at 2666 MHz for up to 1536GB of ECC memory using the latest technology. Advanced RAS modes such as mirroring and sparing increase platform reliability.
Figure 7: Advantech SKY-8101D front and rear views
The SKY-8101D’s thermal system design enables support for processors with up to 165W TDP. This allows the appliance to scale from 8 core CPUs to the highest performance 28 core processors available today.
With an abundance of PCI Express lanes, the SKY-8101D can support up to four full-height 3/4 length (10.5”) PCIe x16 adapters for modular, configurable networking I/O and acceleration. PCIe Gen3 technology on all slots provides sufficient bandwidth to support multiple 40GbE and quad 10GbE NICs as well as the latest adapters offering 100GbE connectivity.
With integrated security and compression acceleration based on Intel® QuickAssist Technology and two 10GbE ports with SR-IOV and RDMA support, the system offers best-in-class integration in a 1RU form factor.
Advanced Lights Out Management, based on the Advantech code base BMC and IPMI suite, improves system manageability and reliability, providing thermal platform management, H/W monitoring and supervision. Remote firmware upgrade capability and hardware-based BIOS redundancy make the SKY-8101D an ideal platform for mission-critical and highly available networks.
Redundant power supplies, the ability to withstand single fan failures, redundant firmware images with failsafe upgrades and hot swappable FRUs make the SKY-8101D the platform of choice for applications requiring zero downtime.
The SKY-8101D is CE, FCC, UL, CB, CCC, VCCI, RCM, and RoHS compliant.
Table 1 shows the exact hardware configurations of the SKY-8101D verified as an Intel® Select Solution for NFVI v2 and compares them to the latest reference specifications.
Enhanced Platform Features
Advantech’s SKY-8000 series servers come with an enhanced feature set to improve availability, serviceability and usability:
1. Remote Intelligent Platform Monitoring & Control
- Integrated IPMI Based Management Controller
- Development, Customization, Validation and Life Cycle Management
- Standard and Advanced IPMI Features
2. Redundant BIOS
- Physical Redundant Flashes for Current/Backup BIOS
- Watchdog Mechanism to Detect Failing / Corrupted BIOS
- Rollback Mechanism for System Recovery if BIOS Upgrade Fails
- Dedicated Update Utility (ABU)
3. Remote BMC/BIOS Upgrade
- x86 BIOS Upgradable By BMC and ABU (Advantech BIOS Utility)
- Industry Standard HPM.1 Protocol
The safeguard and continuity of business-critical services are also ensured by eliminating single points of failure with LAN bypass. Advantech’s advanced LAN Bypass feature guarantees uptime by preserving network connectivity and maintaining communications in case of a power outage or appliance malfunction. When Bypass Mode is active, multiple interface pairs can be bridged on power failure and will resume normal functionality when power is restored.
Remote Evaluation Service
Advantech’s unique Remote Evaluation Service (RES) offers developers easy and secure access to an entire range of platforms upon which they can rapidly evaluate Advantech value-add and test new services. In concert with other Intel® Network Builders ecosystem members, Advantech enables developers with early access to the latest technology, which accelerates their next-generation product designs. As a result, they can apply innovative new technology sooner to reduce operating expense and grow new revenue faster. RES offers an evaluation framework that brings together members of the Intel® Network Builders community who share similar philosophies about telecom and edge cloud architecture and where they can openly collaborate on a range of platforms from two Intel® Atom® processor cores to several hundred Intel® Xeon® processor cores.
With RES, developers can get ahead of the curve and begin to test different NFV infrastructures on platforms destined for deployment closer to the subscriber in the access network, mobile edge and customer premises (uCPE) as well as the network core and telecom data centre.
For more information on how to access RES for an evaluation of the Advantech verified Intel® Select Solutions for NFVI, or to order a platform, please email: firstname.lastname@example.org
For a recorded video of this demonstration: http://blog.advantech.com/tech-blogs/ntg/2019/05/encrypt-3-5x-faster/