Envoy Proxy and VPP Based IPSEC Concentrator For SASE/SSE

Srinivasa Addepalli, CTO, Aryaka
Ritu Sood, Distinguished Engineer, Aryaka
Mrittika Ganguli, Principal Engineer, Intel Corporation
Jeff Shaw, Software Architect, Intel Corporation

Demo, benchmarks: Abhirupa Layek, Network Engineer, Intel

November 12, 2024
Salt Lake City
Introduction

• What is SASE/SSE?
• The need for a proxy in SASE/SSE.
• Why Envoy is the right choice for a proxy.
• Enhancements made to optimize Envoy for SASE/SSE.
• The role of VPN concentrators in SASE/SSE.
• Why single-tunnel throughput performance is crucial.
• The need for VPP-based IPsec.
• Essential VPN concentrator functionalities beyond IKEv2/IPsec.
• Performance metrics and a demo.
• Q&A
Cloud Delivered Network Security (SASE/SSE) for Modern Enterprises

Makes secure connectivity harder than ever: distributed workforce, increased security threats and attacks, hybrid application deployment.

[Diagram: HQ sites, branches and remote users connect through the SASE/SSE cloud (SWG, CASB, LLM Guardrails, ZTNA, VPN Concentrator, NGFW, SDWAN) over the Internet to web sites, SaaS, GenAI and DC/IaaS destinations.]
SASE/SSE Security requires Proxy technology

Security Functions:
• Context based Access Controls
• URL filtering
• Content filtering
• DLP
• Anti-Malware
• LLM firewall
• API Firewall

Requirements:
• SSL/TLS Decryption to get the deeper protocol data
• Termination of TCP
• Termination of SSL
• Upstream Connection Origination
• Mimic Certs
• Proxy technology supporting Forward, Reverse and transparent proxy methods
Envoy Proxy for SASE/SSE – Why?

• Reverse & Transparent Proxy support; some support for forward proxy too
• Multi-Threaded; non-blocking & lock-less architecture
• Comprehensive HTTP support (HTTP/1.1, 2.0 and 3.0)
• Advanced load balancing support
• IPv4, IPv6 support
• WASM and Lua support
• Opensource, extensible architecture
• Built-in RBAC & OAUTH2 support
Making Envoy SASE/SSE ready

• Multi-tenancy: configuration isolation, VRF support, multi-criteria tenant identification
• Common Policy Framework (for multiple functions, Objects support)
• Forward Proxy Authentication (Kerberos, UN/PWD, Recycling)
• MITM TLS Inspection (Mimic Cert generation)
• Rewritten OAUTH filter (Multiple OIDC clients)
• Beyond foundational changes, many security functions as filters
• Configuration reuse across multiple listeners
SASE/SSE – Opensource Beyond Envoy

[Diagram: a Customer 1 laptop with a VPN client reaches a GCP/GKE PoP over IPsec tunnels; inside the PoP, VPP VPNC instances connect over Geneve tunnels to Envoy instances in the enforcement plane, with Keycloak, DNS, Guacamole and Power as supporting services, and traffic exits to Amazon.com, Google.com and Yahoo.com.]

Automation:
➢ Horizontal scaling
  o Pod scaling
  o VPN tunnels, one per tenant location
  o Geneve tunnels, one per tenant
  o Internal IP address allocation and routes per tenant per service
➢ Vertical scaling
[Chart: Performance of VPP IPsec Workload Running with Different Number of Worker Cores with acceleration]
Source: Intel® AVX-512 - High Performance IPsec with Intel® Xeon® Scalable Processor, https://networkbuilders.intel.com/docs/networkbuilders/intel-avx-512-high-performance-ipsec-with-intel-xeon-scalable-processor-technology-guide-1683018859.pdf

[Chart: P-core and E-core IPsec scaling – Baseline performance of VPP IPsec Workload Running on different types of CPU without acceleration]
VPP VPNC Architecture

[Diagram: VPP VPNC High Level Architecture]
• Connection setup (control plane): IKEv2, strongSwan
• Configuration & Telemetry (management plane): agent
• Packet processing (data plane): VPP, ESP & GENEVE, NIC … NIC

See Whitepaper titled “FD.io VPP-SSwan and Linux-CP – Integrate StrongSwan with World’s First Open Sourced 1.89 Tb IPsec Solution Technology Guide”
Multi Tenancy

[Diagram: in a SASE Point of Presence (PoP), a Proxy/LB and VPN Concentrator serve Tenant 1 PC … Tenant N PC behind Tenant 1 Gateway (10.1.0.0/16) and Tenant N Gateway (10.1.0.0/16), reaching Web, SaaS, GenAI and IaaS services.]

▪ Need to isolate traffic between tenants
▪ Tenants have overlapping IP addresses
Multi-Tenant VPNC

[Diagram: Envoy Proxy instances attach to the VPNC over GENEVE tunnels on eth1 (geneve0 … geneveX); each GENEVE tunnel is bound to its own VRF, and each VRF to an IPsec tunnel on eth2 (ipsec0 … ipsecY).]
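The isolation rule behind the Multi-Tenant VPNC slide, as an added Python model (this is not code from the slides and not VPP's own implementation): every GENEVE and IPsec tunnel is bound to exactly one VRF, each VRF keeps its own longest-prefix-match table, and a packet is only ever looked up in the VRF of the interface it arrived on, so two tenants can both use 10.1.0.0/16 without their traffic mixing. Interface names (geneve0, ipsec0, …), tenant names and prefixes are constructed for the example.

```python
"""Per-tenant VRF forwarding in a multi-tenant VPN concentrator.

Illustrative model, not VPP code: one VRF per tenant, each tunnel interface
bound to exactly one VRF, lookups confined to the ingress interface's VRF.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Vrf:
    """One isolated routing table: (prefix, egress interface) entries."""
    name: str
    routes: List[Tuple[object, str]] = field(default_factory=list)

    def add_route(self, prefix: str, egress: str) -> None:
        self.routes.append((ip_network(prefix), egress))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match inside this VRF only; None means drop."""
        addr = ip_address(dst)
        best = None
        for net, egress in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, egress)
        return best[1] if best else None


class Vpnc:
    def __init__(self) -> None:
        self.vrfs: Dict[str, Vrf] = {}
        self.iface_vrf: Dict[str, str] = {}  # tunnel interface -> VRF name

    def add_tenant(self, tenant: str, geneve: str, sites: Dict[str, str]) -> None:
        """Bind one GENEVE tunnel (towards Envoy) and one IPsec tunnel per
        tenant location (site prefix -> ipsec interface) into a fresh VRF."""
        vrf = Vrf(f"vrf-{tenant}")
        for prefix, ipsec in sites.items():
            vrf.add_route(prefix, ipsec)          # towards the tenant site
            self.iface_vrf[ipsec] = vrf.name
        vrf.add_route("0.0.0.0/0", geneve)        # everything else: to the proxy
        self.iface_vrf[geneve] = vrf.name
        self.vrfs[vrf.name] = vrf

    def forward(self, ingress: str, dst: str) -> Optional[str]:
        """Egress interface for a packet, or None if it must be dropped."""
        vrf_name = self.iface_vrf.get(ingress)
        if vrf_name is None:
            return None                           # interface not in any tenant VRF
        return self.vrfs[vrf_name].lookup(dst)


def build_demo() -> Vpnc:
    """Constructed topology: two tenants sharing the 10.1.0.0/16 address space."""
    vpnc = Vpnc()
    # Tenant "acme": two locations, so two IPsec tunnels, one GENEVE tunnel to Envoy.
    vpnc.add_tenant("acme", "geneve0", {"10.1.0.0/16": "ipsec0", "10.1.200.0/24": "ipsec2"})
    # Tenant "globex": overlapping prefix, its own GENEVE and IPsec tunnels.
    vpnc.add_tenant("globex", "geneve1", {"10.1.0.0/16": "ipsec1"})
    return vpnc


if __name__ == "__main__":
    v = build_demo()
    for ingress, dst in [("geneve0", "10.1.5.7"), ("geneve1", "10.1.5.7"),
                         ("geneve0", "10.1.200.9"), ("ipsec1", "203.0.113.10"),
                         ("eth1", "10.1.5.7")]:
        print(f"{ingress:8} -> {dst:14} egress={v.forward(ingress, dst)}")
```

The check that matters for tenant isolation is that the same destination, 10.1.5.7, leaves on ipsec0 when it arrives from acme's GENEVE tunnel and on ipsec1 when it arrives from globex's, and that an interface with no VRF binding (eth1 here) forwards nothing rather than falling back to a shared table.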
Envoy Acceleration summary

[Diagram: Config File and xDS (Control Plane) feeding Envoy; TLS acceleration path.]
Envoy Performance acceleration

[Chart: Ingress scaling – TLS/SSL performance, requests per second, higher is better, vs ingress cores (1C2T, 2C4T, 4C8T, 8C16T); series ICX_HTTP1.1, SPR_HTTP1.1, ICX_HTTP2, SPR_HTTP2.]
[Chart: P99 latency under SLA (50 ms), lower is better, vs ingress cores; series no accel, cryptoMb, QATcrypto: 1, QATcrypto: 2.]
[Chart: TLS/SSL Latency P99 [ms], lower is better; series no accel, cryptoMb, QATcrypto: 1, QATcrypto: 2.]
[Chart: L7 message size, load-balanced, Latency P99 [ms], lower is better, vs response size (1kB, 10kB, 1MB, mixed); series no DLB, DLB.]
Next Steps

▪ Links:
  ▪ VPP VPNC
  ▪ Intel Network builders paper
▪ Collaboration
Backup
Dynamic Configuration and Scaling of VPN Concentrator
and Envoy SASE Proxy in Multi-Tenant Edge
Srinivasa Addepalli & Ritu Sood, Aryaka
Mrittika Ganguli & Jeff Shaw, Intel Corporation
This discussion shows a framework that integrates a VPN Concentrator with an Envoy-based Secure Access Service Edge (SASE) proxy, leveraging APIs for configuration and management of network functions within containers. It is designed to scale dynamically.
The VPN Concentrator (VPNC) establishes secure IPsec tunnels that encapsulate data traffic, providing privacy and protection against threats. As the number of tenants or the volume of traffic increases, the need for additional VPNCs, IPsec tunnels and proxies arises.
The SASE proxy is a network filter at the edge that enforces security policies, optimizes traffic flow and provides zero-trust network access to cloud-based services. The number of proxies is scaled in a ratio-based approach to the number of IPsec tunnels or tenants, driven by metrics such as:
▪ Throughput, latency, error rates
▪ Active, denied connections
▪ Security breaches
▪ Number of active user sessions
▪ Number of route changes for load-balancing
▪ Envoy utilization with/without optimization
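The ratio-based scaling rule described above, written out as one decision function (an added example, not the authors' controller and not any project's API): the proxy count never drops below what the tunnel, tenant and session ratios demand, a breach of the listed metrics steps the count up, and an idle fleet steps down one replica at a time inside a hysteresis band so a single noisy sample cannot flap the pod count. All ratios, thresholds and sample metric values are constructed for the example.

```python
"""Ratio-based scaling of Envoy SASE proxies to IPsec tunnels and tenants.

Illustrative policy, not the authors' code: floor from ratios, step up on
metric breach, step down one at a time when idle, clamp to a range.
"""
import math
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class ScalePolicy:
    """Constructed policy knobs; a real PoP would tune these per tenant class."""
    tunnels_per_proxy: int = 8
    tenants_per_proxy: int = 4
    sessions_per_proxy: int = 5000
    min_proxies: int = 2
    max_proxies: int = 64
    p99_latency_sla_ms: float = 50.0
    max_error_rate: float = 0.01
    max_utilization: float = 0.75
    idle_utilization: float = 0.30     # shrink only below this (hysteresis band)


@dataclass(frozen=True)
class Metrics:
    """Constructed snapshot of the metrics listed in the abstract."""
    ipsec_tunnels: int
    tenants: int
    active_sessions: int
    p99_latency_ms: float
    error_rate: float
    envoy_utilization: float


@dataclass
class ScaleDecision:
    target: int
    reasons: List[str] = field(default_factory=list)


def desired_proxies(current: int, m: Metrics, p: ScalePolicy = ScalePolicy()) -> ScaleDecision:
    d = ScaleDecision(target=current)

    # 1. Ratio floor: proxies scale with tunnels, tenants and user sessions.
    floor = max(
        math.ceil(m.ipsec_tunnels / p.tunnels_per_proxy),
        math.ceil(m.tenants / p.tenants_per_proxy),
        math.ceil(m.active_sessions / p.sessions_per_proxy),
    )
    if floor > current:
        d.reasons.append(f"ratio floor {floor} exceeds current {current}")

    # 2. Metric breaches step the fleet up; an idle fleet steps down; else hold.
    breaches = []
    if m.p99_latency_ms > p.p99_latency_sla_ms:
        breaches.append("p99 latency over SLA")
    if m.error_rate > p.max_error_rate:
        breaches.append("error rate")
    if m.envoy_utilization > p.max_utilization:
        breaches.append("envoy utilization")

    if breaches:
        d.reasons.append("scale up: " + ", ".join(breaches))
        target = max(floor, current + 1)
    elif m.envoy_utilization < p.idle_utilization and current > floor:
        d.reasons.append("scale down: fleet idle")
        target = max(floor, current - 1)
    else:
        target = max(floor, current)

    # 3. Clamp to the allowed replica range.
    d.target = min(max(target, p.min_proxies), p.max_proxies)
    if d.target != target:
        d.reasons.append(f"clamped to [{p.min_proxies}, {p.max_proxies}]")
    return d


if __name__ == "__main__":
    healthy = Metrics(ipsec_tunnels=20, tenants=6, active_sessions=10000,
                      p99_latency_ms=30.0, error_rate=0.001, envoy_utilization=0.5)
    slow = Metrics(ipsec_tunnels=20, tenants=6, active_sessions=10000,
                   p99_latency_ms=80.0, error_rate=0.001, envoy_utilization=0.5)
    for label, m in [("healthy", healthy), ("slow", slow)]:
        dec = desired_proxies(4, m)
        print(f"{label}: 4 -> {dec.target} ({'; '.join(dec.reasons) or 'hold'})")
```

The design choice worth noting is the asymmetry: a breach of any SLA metric moves the count up immediately, while scaling down needs both utilization below the idle band and headroom above the ratio floor, and then removes only one proxy per evaluation. That keeps a burst of tunnel setups from the VPNC side from being met with a shrinking proxy fleet.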