Vyatta Network OS Documentation

IPsec forwarding architecture

Enables multiple processor cores to be purposed and operated as crypto engines simultaneously.

This feature parallelizes the existing support for IPsec in the vRouter data plane, enabling multiple processor cores to be purposed and operated as crypto engines simultaneously. A crypto engine represents a processing element within the vRouter data plane, providing encryption and decryption support for one or more IPsec Security Associations.

Figure 1. Multiple crypto engines overview

Each data plane core can support one crypto engine. All data plane cores that are not associated with interfaces are eligible for crypto engine allocation; if no eligible cores are available, all cores are considered available for crypto engine allocation. A crypto engine is created and associated with a core on demand, driven by the creation of each Security Association, which is then bound to that crypto engine. After crypto engines have been allocated to all eligible cores, new Security Associations are bound to the existing crypto engines by an allocation mechanism that considers the number of Security Associations already allocated to each crypto engine and whether the new Security Association is replacing an existing one. A Security Association is associated with no more than one crypto engine; therefore, the maximum performance of a Security Association is limited by the single core to which that crypto engine is bound.
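The allocation rules described above, modelled as an added example that is not Vyatta's data plane code: eligible-core selection, on-demand engine creation per Security Association, binding to an existing engine once every eligible core carries one, and the replacement case. The least-loaded tie-break and the assumption that a replacement SA inherits the engine of the SA it replaces are this example's assumptions; the text only says the mechanism considers those factors.

```python
# Illustrative model of the crypto-engine allocation rules. Not Vyatta code;
# tie-breaking and rekey (replacement) handling are assumptions.
from dataclasses import dataclass, field


@dataclass
class CryptoEngine:
    core: int
    sas: set = field(default_factory=set)  # SA identifiers bound to this engine


class Allocator:
    def __init__(self, cores, interface_cores):
        # Cores not associated with interfaces are eligible; if none, all are.
        eligible = [c for c in cores if c not in interface_cores]
        self.free_cores = eligible or list(cores)
        self.engines = []      # one engine per core, created on demand
        self.sa_engine = {}    # SA id -> CryptoEngine

    def bind(self, sa_id, replaces=None):
        """Bind a new SA and return the core it lands on. `replaces` names an
        SA this one supersedes; assumption: the new SA inherits its engine."""
        if replaces is not None and replaces in self.sa_engine:
            engine = self.sa_engine.pop(replaces)
            engine.sas.discard(replaces)
        elif self.free_cores:
            # An eligible core still lacks an engine: create one there.
            engine = CryptoEngine(core=self.free_cores.pop(0))
            self.engines.append(engine)
        else:
            # Every eligible core has an engine: choose the least-loaded one
            # (assumed tie-break: lowest core number).
            engine = min(self.engines, key=lambda e: (len(e.sas), e.core))
        engine.sas.add(sa_id)
        self.sa_engine[sa_id] = engine
        return engine.core


def demo():
    # Constructed sample: six data plane cores, cores 0 and 1 serve interfaces,
    # so cores 2-5 are eligible; the fifth SA shares an engine, and a rekey of
    # sa1 stays on the engine sa1 used.
    alloc = Allocator(cores=range(6), interface_cores={0, 1})
    placements = {sa: alloc.bind(sa) for sa in ("sa1", "sa2", "sa3", "sa4", "sa5")}
    placements["sa1-rekey"] = alloc.bind("sa1-rekey", replaces="sa1")
    return placements
```

The demo shows why a single SA cannot exceed one core's throughput: sa5 and the rekeyed sa1 both end up sharing the engine on core 2 rather than spreading across cores.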

Following cryptographic processing, the transformed packet is passed to IP forwarding on the same crypto engine. In a tunnel-stitching scenario, this can result in the packet being forwarded to and processed on another crypto engine.