Executive Summary. Introduction. Test Highlights

Similar documents
ADVA FSP 150 ProVMe. Performance and Functionality Test Report. Introduction. VNF Lifecycle Management

Introduction. Executive Summary. Test Highlights

NFV Infrastructure for Media Data Center Applications

Intel Network Builders Solution Brief. Etisalat* and Intel Virtualizing the Internet. Flexibility

Agenda. Introduction Network functions virtualization (NFV) promise and mission cloud native approach Where do we want to go with NFV?

Introduction to Cisco and Intel NFV Quick Start

Accelerating 4G Network Performance

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

FlexE Router Card. 5G Ready. HUAWEI 50GE Flex Ethernet Card. Introduction. About EANTC. Table of Contents

WIND RIVER TITANIUM CLOUD FOR TELECOMMUNICATIONS

Virtualization of Customer Premises Equipment (vcpe)

TALK THUNDER SOFTWARE FOR BARE METAL HIGH-PERFORMANCE SOFTWARE FOR THE MODERN DATA CENTER WITH A10 DATASHEET YOUR CHOICE OF HARDWARE

NEC Virtualized Evolved Packet Core vepc

Survey of ETSI NFV standardization documents BY ABHISHEK GUPTA FRIDAY GROUP MEETING FEBRUARY 26, 2016

MWC 2015 End to End NFV Architecture demo_

LANCOM Techpaper Routing Performance

TRANSFORM YOUR NETWORK

Scaling Acceleration Capacity from 5 to 50 Gbps and Beyond with Intel QuickAssist Technology

AMD EPYC Processors Showcase High Performance for Network Function Virtualization (NFV)

Network Function Virtualization Using Data Plane Developer s Kit

The Interoperability Challenge in. Telecom and NFV Environments. Carsten Rossenhövel, EANTC Chris Price, Ericsson Ildikó Váncsa, OpenStack Foundation

Disaggregation and Virtualization within the Juniper Networks Mobile Cloud Architecture. White Paper

Demonstrating Data Plane Performance Improvements using Enhanced Platform Awareness

Tunneling Configuration Guide for Enterprise

Alten Calsoft Labs Virtual B-RAS Solution

Ixia Test Solutions to Ensure Stability of its New, LXC-based Virtual Customer Premises Equipment (vcpe) Framework for Residential and SMB Markets

FortiGate. on OCB FE Configuration Guide. 6 th December 2018 Version 1.0

Intel Select Solution for ucpe

Experience Sharing: the National Experiment Network for NFV Testing in China Mobile

Cisco Virtual Routers, CSR 1000V and ISRv

Introduction. Hardware and Software. Test Highlights

Performance Considerations of Network Functions Virtualization using Containers

and public cloud infrastructure, including Amazon Web Services (AWS) and AWS GovCloud, Microsoft Azure and Azure Government Cloud.

OpenStack and Hadoop. Achieving near bare-metal performance for big data workloads running in a private cloud ABSTRACT

VNF Benchmarking. Customer Profile. The Move to Virtualization. The Challenges. Case Study

Corente Cloud Services Exchange

Overview of the Juniper Networks Mobile Cloud Architecture

Independent Scalability and Functionality Test: Sandvine Virtualized Traffic Steering Engine (TSE) and Virtualized Policy Traffic Switch (PTS)

Accelerating SDN and NFV Deployments. Malathi Malla Spirent Communications

TITANIUM CLOUD VIRTUALIZATION PLATFORM

Building the Networks of the Future: The Rise of the Scalable

Network Services Benchmarking: Accelerating the Virtualization of the Network

Parallelizing IPsec: switching SMP to On is not even half the way

THE OPEN DATA CENTER FABRIC FOR THE CLOUD

Red Hat OpenStack Platform 13

Intel s Architecture for NFV

Cisco XR Series Service Separation Architecture Tests

Virtual CDN Implementation

TOLLY. VPN Gateway 3070 SSL VPN Throughput, Scalability and Voice Quality Benchmark Evaluation. Test Summary. Test Highlights

Enabling Efficient and Scalable Zero-Trust Security

The Road to a Secure, Compliant Cloud

Thomas Lin, Naif Tarafdar, Byungchul Park, Paul Chow, and Alberto Leon-Garcia

DEPLOYING NFV: BEST PRACTICES

CLOUD ARCHITECTURE & PERFORMANCE WORKLOADS. Field Activities

20 Fast Facts About Microsoft Windows Server 2012

Introduction. Delivering Management as Agile as the Cloud: Enabling New Architectures with CA Technologies Virtual Network Assurance Solution

6WINDGate. White Paper. Packet Processing Software for Wireless Infrastructure

Migrating Session Border Controllers to the Cloud

MyCloud Computing Business computing in the cloud, ready to go in minutes

NFV Platform Service Assurance Intel Infrastructure Management Technologies

Nokia Virtualized Mobility Manager

Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center

Cisco Virtualized Infrastructure Manager

Innovating to Increase Revenue

Design and Implementation of Virtual TAP for Software-Defined Networks

SOLUTION BRIEF Enterprise WAN Agility, Simplicity and Performance with Software-Defined WAN

Cisco SD-WAN and DNA-C

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the SonicWall Firewall.

Where is the Network Edge? MEC Deployment Options, Business Case & SDN Considerations

Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances

Accelerating Telco NFV Deployments with DPDK and SmartNICs

Red Hat OpenStack Platform 10 Red Hat OpenDaylight Product Guide

Virtual Private Cloud. User Guide. Issue 03 Date

Dataplane Networking journey in Containers

Reconstruct to re-energize

UNIFY SUBSCRIBER ACCESS MANAGEMENT AND EXPLOIT THE BUSINESS BENEFITS OF NOKIA REGISTERS ON VMWARE vcloud NFV

VM-SERIES FOR VMWARE VM VM

Going Mobile with Affirmed on AWS

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

EANTC Test Report Huawei CloudMetro Performance and Functionality

Radisys* and Intel Deliver Agile and Flexible Rack-Scale NFV Infrastructure for. Communications Service Providers

Benefits of SD-WAN to the Distributed Enterprise

Overview of the Juniper Mobile Cloud Architecture Laying the Foundation for a Next-gen Secure Distributed Telco Cloud. Mobile World Congress 2017

Nokia Cloud Mobile Gateway

Security Everywhere Within Juniper Networks Mobile Cloud Architecture. Mobile World Congress 2017

Towards 5G RAN Virtualization Enabled by Intel and ASTRI*

QoS/QoE in future IoT/5G Networks: A Telco transformation infrastructure perspective.

Total Cost of Ownership Analysis for a Wireless Access Gateway

Oracle Solaris 11: No-Compromise Virtualization

Virtuozzo Hyperconverged Platform Uses Intel Optane SSDs to Accelerate Performance for Containers and VMs

Cisco Integrated Services Virtual Router

OpenStack Networking: Where to Next?

How to abstract hardware acceleration device in cloud environment. Maciej Grochowski Intel DCG Ireland

Lowering Network TCO with a Virtualized Core. Mavenir vepc S O L U T I O N B R I E F

QLogic/Lenovo 16Gb Gen 5 Fibre Channel for Database and Business Analytics

Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud ORACLE WHITE PAPER DECEMBER 2017

Cavium FastLinQ 25GbE Intelligent Ethernet Adapters vs. Mellanox Adapters

Cisco Nexus 1000V InterCloud

The Top Five Reasons to Deploy Software-Defined Networks and Network Functions Virtualization

OPEN COMPUTE PLATFORMS POWER SOFTWARE-DRIVEN PACKET FLOW VISIBILITY, PART 2 EXECUTIVE SUMMARY. Key Takeaways

Transcription:

Executive Summary Today, LTE mobile operators typically deploy All-IP and flat network architectures. This elegant and flexible solution requires deployment of an adequate security infrastructure. One of the major security challenges is to protect and secure the connections between the access network (enodeb) and the evolved packet core (EPC). The virtualization of telecom networks (NFV) opens the doors for vendors to provide innovative and powerful security solutions decoupled from hardware appliances. They can be deployed in automated, efficient ways. An interesting question is whether such virtualized network functions (VNFs) will perform adequately, compared with physical appliances. EANTC was commissioned by Lenovo to verify the performance and service scalability of the Fortinet FortiGate as a virtual security gateway (SecGW). The VNF was deployed on Lenovo ThinkSystem SR650 compute nodes conforming to the Intel Select Solution for NFVI program. The project was supported by Red Hat; Red Hat OSP 13 was used as the virtual infrastructure manager (VIM). During the tests, Lenovo leveraged their organic Open Cloud automation toolset for rapid deployment of the OpenStack environment. Test Highlights 31,684 active site-to-site IPSec tunnels between enodeb and SecGW Stable/peak setup rate of 1,300 tunnels/sec Up to 2.55 Gbit/s unidirectional throughput Communications service providers (CoSPs) are looking to transform their infrastructure to better support 5G and IoT. Data traffic over communications networks is expected to continue growing rapidly over the next decade. As a result CoSPs are evaluating and implementing Network Functions Virtualization (NFV). This enables applications in a performance-optimized, secure and cost-effective manner spanning from data center to central office and network edge. Cloudscale agility, scalability and rapid deployment of network services are critical considerations guiding CoSPs as they deploy this next-generation infrastructure. Lenovo and Intel are collaborating on solutions to simplify the selection and deployment of hardware and software needed for today s network workloads and accelerate the migration of CoSPs to NFV. [1] 1 Introduction 3GPP TS 33.210 V15.2.0 defines the security architecture for mobile networks, defining how to protect IP-based control plane signaling for the EPC. The Security Gateway (SecGW) is described as a security node that terminates all IPSec tunnels between the enodeb and the EPC. The SecGW is considered a mandatory element in the LTE architecture when deployed with an untrusted backhaul network. Please refer to Figure 1. The majority of SecGW deployments are used to protect the S1-MME interface. In this case, the SecGW functions include authenticating network elements, encrypting traffic and rejecting any nonauthorized access by rogue enodebs. In parallel, mobile network operators (MNOs) are rearchitecting their networks towards Network Function Virtualization (NFV) to enable dynamic and rapid provisioning of new services. Commonly, MNOs virtualize the EPC as one of the earlier components to start the network transformation journey towards a Telco Cloud architecture. The virtual Security Gateway (vsecgw) is considered as one of the complementary elements of the vepc, so it needs to be virtualized alongside the vepc. In this test report, EANTC sheds light on many performance and security aspects for the vsecgw to secure the S1-MME interface. Figure 1: LTE Network To achieve the goal of accelerating NFV deployments, Lenovo has launched validated configurations of Lenovo ThinkSystem SR650 and SR630 Servers and Lenovo Ethernet switches as part of Intel Select Solution for NFVI program. 1. https://en.resources.lenovo.com/solution-briefdocuments/lenovo-intel-select-solution-for-networkfunctions-virtualization-infrastructure Page 2 of 7

Test Bed Description NFV products have to be tested as a "Full-stack" solution starting from the infrastructure level to virtualized network function and certainly the management layer. As shown in Figure 2, Network Function Virtualization Infrastructure (NFVI) layer includes compute nodes and controller nodes provided by Lenovo ThinkSystem SR650 Server and Lenovo ThinkSystem SR630 Server respectively. The function under test (FUT) was a virtual SecGW provided by Fortinet, which is a virtualized version of FortiGate. Red Hat OpenStack Platform 13 (Red Hat OSP 13) managed the NFVI on the Lenovo servers as shown in Figure 4. The FortiGate VNF was configured with: 2 SR-IOV capable network ports. Single-Root input/output virtualization (SR-IOV) allows multiple VNFs to share access to a single PCI Express card in this case the Ethernet NIC 16 virtual CPU Cores 24 Gigabyte RAM Figure 2: Lenovo ThinkSystem SR650 Server Compute node servers were equipped with two Intel Xeon Platinum 8176 processors and Intel XXV710 NIC cards. Lenovo RackSwitch G8052 and Lenovo ThinkSystem NE2572 RackSwitch were used for management purpose and for data traffic, respectively. Hardware Type FortiGate Lenovo ThinkSystem SR650 Servers and SR630 Servers Software Version FortiGate-VM64-KVM v6.2.0,build0817,19012 8 (Interim) BMC Version: V2.12 (Build ID: CDI328N) UEFI Version: V1.41 (Build ID: IVE126O) LXPM Version: V1.30 (Build ID: PDL114N) Figure 3: Lenovo ThinkSystem NE2572 RackSwitch For maximizing the data plane performance, the Lenovo NFVi environment has accelerated NUMA partitioning for the 2 socket server configuration and huge pages enabled. Additional configuration and optimization information for Lenovo s NFVi environment can be found at https://lenovopress. com/lp0913.pdf. Host OS Intel NIC XXV710 Lenovo ThinkSystem NE2572 RackSwitch Spirent Avalanche 4.93 Table 1: Hardware and Software Versions Test Equipment RHEL 7.6 (Maipo) Driver: i40e Version: 2.3.2-k Firmware version: 6.01 0x8000385c 1.1892.0 Software 10.9.1.0 Grub: 10.9.1.0 Tests were conducted using Spirent Communications C100-S3 high-performance appliance hardware with Avalanche software. Avalanche provides an assessment framework to test and stress next generation firewalls and other networking solutions with stateful application and encrypted traffic on interfaces from 1Gbps to 100Gbps. Test results with Avalanche determine real-world maximum bandwidth, connectivity capacities, new session setup rates, IPsec tunnel performance and security policy accuracy. The C100-S3 also supports Spirent s CyberFlood assessment solution for advanced mixed traffic, attack, malware and NetSecOPEN methodologies. Figure 4: Logical Test Bed Topology Page 3 of 7

The test tool was configured with two 10 Gigabit Ethernet client ports and one 10 Gigabit Ethernet server port. Spirent Avalanche set up IPsec tunnels. With reference to 3GPP TS 33.210 V15.2.0 and IETF RFCs 4303 and 7321, the following IPSec profile was selected: Parameter Authentication Encryption Algorithm HASH IKE Mode IKE version IP version IPSec Mode Value Preshared Key AES-CBC-256 SHA-1 Aggressive Mode v2 IPv4 Tunnel Table 2: IPSec Parameters Test Results EANTC and Fortinet selected the following test cases to verify the most important aspects of vsecgw performance: 1. Maximum number of active IPSec tunnels 2. Maximum IPSec tunnel setup rate 3. Maximum throughput Maximum number of Active IPSec tunnels The first performance test was to measure the maximum number of IPSec tunnels that can be handled by the FortiGate VNF. The traffic generator was configured to instantiate site-to-site IPSec tunnels with pre-defined IP gateway that is set on FortiGate, based on the parameters in Table 2. On the other hand, FortiGate was configured to handle the IPSec tunnels based on the dial-up VPN mode. During the test execution, IPSec tunnels were established between client gateway and FortiGate VNF with a low throughput per connection to reach the maximum IPSec tunnels. The logical topology used for determining the maximum number of tunnels in the performance test is shown in Figure 6. During the test, up to 31,684 IPSec tunnels were established successfully as shown in Figure 5. Maximum Tunnels Number 35000 30000 Number of Tunnels 25000 20000 15000 10000 Cumulative IPSec Attempts (31828 Tunnels) Cumulative IPSec Tunnel Successes (31684 Tunnels) 5000 0 0 113 226 339 452 565 678 791 904 1017 1130 1243 1356 1469 1582 1695 1808 1921 2034 2147 2260 2373 2486 2599 2712 2825 2938 3051 3164 3277 3390 3503 3616 3729 3842 3955 4068 4181 4294 4407 4520 4633 4746 4859 4972 5085 Time in Seconds Figure 5: Maximum Number of Tunnels Page 4 of 7

Maximum Throughput The third performance index tested was the traffic throughput that can be handled by Fortinet FortiGate VM with four CPU cores assigned to handle data plane traffic from SR-IOV enabled NICs. The test was performed with packet sizes that comply with the IMIX distribution shown in Table 3. The client side of the tester was configured to build the 2500 IPSec tunnels, for measuring the maximum IMIX throughput. The test was performed by increasing the traffic load on 2500 tunnels to reach the maximum throughput at the Fortinet FortiGate VNF and until the four CPU cores reach the maximum utilization. The generated encrypted traffic has a larger packet size due to the ESP encapsulation overhead. We observed 2.65 Gbps throughput at client side and 2.54 Gbps at server side due to added encapsulation overhead at the client side as shown in Table 4. Figure 6: IPSec Test Case Logical Topology Maximum IPSec Setup Rate Another important performance test case is to verify the limit of the IPSec tunnels setup rate. This parameter is crucial in stateless high availability scenarios once multiple nodes are implemented as a pool of SecGWs in case there is no control plane synchronization between the nodes. Spirent Avalanche was configured to create tunnels at a high rate; each of them was torn down after five seconds to avoid exceeding the maximum number of tunnels supported by the security gateway in the course of this test case. The test was continuously run for 300 seconds to measure a stable setup rate. We observed a maximum rate of 1300 tunnel setups per second without any failed tunnel setup attempts as shown in Figure 7. Packet Size 64 3 100 26 373 6 570 5 1300 6 1518 16 Weight Table 3: IMIX Distribution Frame Size (Bytes) Throughput (Gbit/s) Client IMIX 2.655864352 Server IMIX 2.546013036 Table 4: Maximum Throughput Results Figure 7: Tunnel Setup Rate Page 5 of 7

Conclusion The test results confirm Fortinet s claims regarding the performance of the data plane (packet throughput) and control plane (tunnel setup rate and maximum number of IPSec tunnels supported). The EANTC spot checks did not reveal any hurdles against the use of the Fortinet FortiGate as a security gateway to protect the EPC from the access network. Certainly, a more extensive test of realistic configurations such as the NetSecOpen methods would be useful to assess the performance of a security gateway under versatile, realistic conditions. Outlook Boosting the network security solutions to the next level of performance could be achieved by integrating the generic compute nodes with a hardware-based acceleration technology. Intel QuickAssist Technology (QAT) might provide promising performance improvements in the virtualized environment by off-loading the compute-intensive encryption/decryption security operations to QAT adapters. For future tests, the security solutions that have QAT enabled capability could be targeted to verify incremental performance enhancements. Intel, the Intel logo, and Xeon are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries. About EANTC EANTC (European Advanced Networking Test Center) is internationally recognized as one of the world's leading independent test centers for telecommunication technologies. Based in Berlin, the company offers vendor-neutral consultancy and realistic, reproducible high-quality testing services since 1991. Customers include leading network equipment manufacturers, tier 1 service providers, large enterprises and governments worldwide. EANTC's Proof of Concept, acceptance tests and network audits cover established and next-generation fixed and mobile network technologies. Page 6 of 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback