Optimizations for SSL/TLS Certificate Lookup
- 2. SSL-TLS Certificate Lookup
Introduction
With the steady growth of the mobility sector, there is increasing demand for encrypting the data exchanged between web clients and servers. This in turn increases the demand for network visibility: security monitoring, and inline performance analysis with quality of service for the desired content. An SSL proxy lets vendors meet that demand at line rates of 20 Gbit/sec while sustaining the connection rate required by demanding use cases.
Servicing such a connection rate requires optimization of the SSL data path. Deploying the proxy on a multicore platform with hardware-accelerated PKI, RNG and crypto operations brings its own challenges. One such challenge is looking up proxy-generated certificates at a connection rate of 30000 connections/sec for key sizes of 1024 bits and above.
Abstract
This white paper examines the optimizations made to build an efficient certificate lookup in an SSL proxy that runs on a multicore platform as one thread per processing core. Certificate caching and cleanup are executed by a standalone thread, while lookups are triggered by the SSL proxy threads.
Issue
The SSL proxy instance on each thread must issue a proxy certificate that carries the relevant details of the original (master) certificate: Subject Key Identifier, Basic Constraints, Key Usage, Issuer Identifier, extensions and so on. With certificate caching, a previously generated certificate that is still valid can be reused instead of being generated again.
The following can adversely affect lookup performance:
1. Concurrent connections to the same web server can lead to the same proxy certificate being generated on several threads.
2. During a peak of certificate additions, not all certificates can be moved from the spare cache into the master cache, which leads to false positives.
3. When a thread's spare cache fills up, new certificates are dropped instead of added, leading to lookup failures.
4. The same certificate may be used for multiple IP addresses of a web server (DNS allows the same service, with the same content, to be reachable at several addresses). Generating and caching one certificate per IP is costly and memory hogging.
5. Each certificate is unique by its Issuer and Subject name.
6. Revocation of a certificate that is already cached makes the cached entry invalid and forces a flush of the contents.
7. Lookup time is bounded: any increase in time complexity results in termination of the TLS/SSL proxy connection.
Solution
To address the above issues, the following ideas were developed from the ground up to support faster lookup:
1. Two lookups: a master cache lookup followed by a per-thread spare cache lookup.
2. Fields added to the certificate descriptor for validation of expiry, serial, digest, etc.
3. An IP index array combined with a Subject Unique Identifier hash table, reducing collisions and the number of entries.
4. Round-robin (RR) fetch of a fixed number of entries for cache add.
5. Hardware-specific atomics to set the valid state (boolean) and the in-use counter.
6. Vector ISA instructions to reduce the time spent calculating hashes and lookup indexes.
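The following C sketch is an added example, not code from the white paper, showing how items 1, 2, 4 and 5 fit together: a shared master table probed by a bounded linear scan, a per-thread spare ring filled round-robin, a descriptor that is validated on serial and expiry at every hit, a CAS on the slot state so that two threads that generated the same proxy certificate concurrently end up with one entry, and an atomic in-use counter so a pinned descriptor is never recycled. Table sizes, the thread count and the FNV-1a digest of issuer plus subject (standing in for the paper's vector-ISA hash and IP index array) are assumptions; revocation is handled by retiring the entry in place rather than flushing the cache.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Sizes are assumptions for the example; a real proxy sizes the master table from its memory budget. */
#define MASTER_SLOTS 64   /* power of two */
#define PROBE_LIMIT   8   /* bounded probe keeps lookup time predictable (issue 7) */
#define SPARE_SLOTS   4
#define MAX_THREADS   4

enum { SLOT_EMPTY = 0, SLOT_FILLING, SLOT_VALID, SLOT_RETIRED };

typedef struct {
    uint64_t   key;        /* digest of issuer || subject, deliberately not of the server IP (issue 4) */
    uint64_t   serial;     /* validated on hit */
    time_t     not_after;  /* expiry, validated on hit */
    atomic_int state;      /* SLOT_*; stored last so readers never see half-written fields */
    atomic_int in_use;     /* pinned by proxy threads; never recycle while > 0 */
} cert_desc;

typedef struct {
    cert_desc master[MASTER_SLOTS];
    cert_desc spare[MAX_THREADS][SPARE_SLOTS];  /* per-thread ring, filled only by its owner */
    unsigned  spare_rr[MAX_THREADS];            /* round-robin cursor per thread */
} cert_cache;

void cert_cache_init(cert_cache *c) { memset(c, 0, sizeof *c); }

/* FNV-1a over issuer and subject (assumed stand-in for the paper's vector-ISA hash). */
static uint64_t cert_key(const char *issuer, const char *subject) {
    uint64_t h = 1469598103934665603ULL;
    for (const char *p = issuer; *p; p++)  { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    h ^= 0xff; h *= 1099511628211ULL;   /* separator: ("ab","c") must not equal ("a","bc") */
    for (const char *p = subject; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    return h;
}

static int desc_usable(cert_desc *d, uint64_t key, time_t now) {
    return atomic_load(&d->state) == SLOT_VALID && d->key == key && d->not_after > now;
}

static int publish(cert_desc *d, uint64_t key, uint64_t serial, time_t not_after) {
    d->key = key; d->serial = serial; d->not_after = not_after;
    atomic_store(&d->in_use, 0);
    atomic_store(&d->state, SLOT_VALID);   /* fields are complete before any reader sees VALID */
    return 1;
}

/* Lookup 1: bounded probe of the shared master table. Lookup 2: the caller's own spare ring.
   A hit pins the descriptor (in_use++); the caller must cert_release() it after the handshake. */
cert_desc *cert_lookup(cert_cache *c, int tid, const char *issuer, const char *subject, time_t now) {
    uint64_t key = cert_key(issuer, subject);
    for (unsigned i = 0; i < PROBE_LIMIT; i++) {
        cert_desc *d = &c->master[(key + i) & (MASTER_SLOTS - 1)];
        if (atomic_load(&d->state) == SLOT_EMPTY) break;   /* retired slots stay as tombstones */
        if (desc_usable(d, key, now)) { atomic_fetch_add(&d->in_use, 1); return d; }
    }
    for (unsigned i = 0; i < SPARE_SLOTS; i++) {
        cert_desc *d = &c->spare[tid][i];
        if (desc_usable(d, key, now)) { atomic_fetch_add(&d->in_use, 1); return d; }
    }
    return NULL;
}

void cert_release(cert_desc *d) { atomic_fetch_sub(&d->in_use, 1); }

/* Add: a CAS from EMPTY to FILLING claims a master slot, so threads that generated the same
   certificate concurrently (issue 1) converge on one entry. If the probe window is full, fall
   back to this thread's spare ring in round-robin order, skipping slots that are still pinned.
   Returns 1 on success, 0 when the add had to be dropped (issue 3). */
int cert_add(cert_cache *c, int tid, const char *issuer, const char *subject,
             uint64_t serial, time_t not_after) {
    uint64_t key = cert_key(issuer, subject);
    for (unsigned i = 0; i < PROBE_LIMIT; i++) {
        cert_desc *d = &c->master[(key + i) & (MASTER_SLOTS - 1)];
        int expect = SLOT_EMPTY;
        if (atomic_compare_exchange_strong(&d->state, &expect, SLOT_FILLING))
            return publish(d, key, serial, not_after);
        if (expect == SLOT_VALID && d->key == key) return 1;   /* another thread already added it */
    }
    for (unsigned i = 0; i < SPARE_SLOTS; i++) {
        cert_desc *d = &c->spare[tid][c->spare_rr[tid]++ % SPARE_SLOTS];
        if (atomic_load(&d->in_use) == 0) return publish(d, key, serial, not_after);
    }
    return 0;
}

/* Revocation (issue 6): retire matching entries in place instead of flushing the cache.
   Master slots are left as tombstones so probe chains stay intact; the cleanup thread
   reclaims them once in_use drops to 0. Returns the number of entries retired. */
int cert_revoke(cert_cache *c, const char *issuer, const char *subject) {
    uint64_t key = cert_key(issuer, subject);
    int retired = 0;
    for (unsigned i = 0; i < PROBE_LIMIT; i++) {
        cert_desc *d = &c->master[(key + i) & (MASTER_SLOTS - 1)];
        int s = atomic_load(&d->state);
        if (s == SLOT_EMPTY) break;
        if (s == SLOT_VALID && d->key == key) { atomic_store(&d->state, SLOT_RETIRED); retired++; }
    }
    for (int t = 0; t < MAX_THREADS; t++)
        for (unsigned i = 0; i < SPARE_SLOTS; i++) {
            cert_desc *d = &c->spare[t][i];
            if (atomic_load(&d->state) == SLOT_VALID && d->key == key) { atomic_store(&d->state, SLOT_RETIRED); retired++; }
        }
    return retired;
}
```

The state word is published with a plain atomic store only after every other field has been written, which is what lets proxy threads read descriptors without a lock; the in-use counter is the guard the cleanup thread must check before it recycles a retired or expired slot, otherwise a handshake in flight could be handed a descriptor that has just been overwritten.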
Application
Future Roadmap
Port the solution from the current RISC multicore platform to MIPS, PPC and ARM SSL proxy solutions.
Conclusion
By exploiting the multicore platform and applying optimization techniques specific to the problem at hand, we were able to accelerate certificate lookup measurably.
[Figure: Performance Comparison. X axis: key sizes (1024, 2048, 4096 bits); Y axis: connections per second (0 to 35000). Series: Linked List, Array, Hash Array. Bar labels visible on the chart: 1600, 950, 625, 8000, 2400, 2970, 30000, 12000, 7500; the highest plotted value, 30000 connections/sec, matches the 1024-bit target cited in the introduction.]