IPSec using Bluefield-2

Updated: Dec 17, 2021


Recently, our team received Bluefield 2 DPU from NVIDIA. Our team experienced the network offload performance of this DPU "for the first time".







We documented all the steps needed to run BF2 with default distribution from Nvidia. We conducted a short test on IPSEC offload and IPSEC+VXLAN offload.


IPSec_with_Bluefield-2_DOCA_Blog
.pdf
Download PDF • 953KB

And I learned the following precious lessons.

  • BF2 documents are insufficient, but Nvidia provides immediate and helpful support.

  • I haven't found many documents about DOCA yet.

  • In Linux, the low-level infrastructure TC offloads the flow to the BF2 ASIC (ASAP2).

  • For IPSEC, the mlx5 driver is connected to the general linux ipsec offload infrastructure.

  • In DPDK, the low-level infrastructure rte_flow offloads the flow to (ASAP2).

  • We haven't found the IPSEC offload performance in DPDK yet.


Bluefield2 can improve and optimize data center redundancy several times while keeping overall TCO low. At the same time, however, we need software innovation to make the right use of off-road technology in modern data centers.


Please watch more interesting news about our work on network offloading.


Update - Nov 2021


Above steps use various open-source tools, which are actually so difficult to stabilize and make the whole thing work. NetLOX Loxilight now fully supports Mellanox BF2 IPSEC. No need for complex and non-intuitive configuration steps to get IPSEC running.


Please follow the guide here. If you need the commercial and production grade Loxilight for Mellanox Bluefield2, which is free to use, just email (contact@netlox.io) us for further info.

255 views0 comments

Recent Posts

See All