Securing InfiniBand Networks with the Bluefield-2 Data Processing Unit

Abstract

Interest in securing InfiniBand networks with encryption is growing. However, the performance benefit realized by InfiniBand’s use of Direct Memory Access (DMA) to bypass the kernel and avoid intervention from host Central Processing Units (CPUs) is at odds with IP datagram encryption techniques. Encryption forces data through the CPU before transmission and decryption, incurring multiple clock cycles. The Bluefield-2 Data Processing Unit (DPU) is Nvidia-Mellanox’s latest system on chip that combines a high-performance, programmable processor, network interface card (NIC), and flexible hardware accelerators. This research characterizes the Bluefield-2’s capability to accelerate IPsec encryption in hardware. Results show that the Bluefield-2’s hardware accelerators are capable of supporting a secure IPsec tunnel with a throughput of nearly 16 Gb/s. Offloading IPsec encryption operations to the hardware accelerators on the Bluefield-2 is a promising method for adding confidentiality, integrity, and authentication to InfiniBand networks.