More info available: https://netfilter.org
Grant
Theme fund: Internet Hardening Fund
Start: 2017-08
End: 2019-05

Faster and configurable datapath/Linux xfrm

Rewriting nftables to optimise for xfrm

The project entails rewriting nftables (the subsystem of the Linux kernel responsible for packet filtering and classification) to make it easier to combine with xfrm (the common framework for working with IPsec in Linux). IPsec was originally developed in conjunction with IPv6 but is just as often used with IPv4. IPsec encrypts traffic and provides key features absent in the regular IP layer, such as data integrity, data origin authentication and confidentiality. The project is expected to make an important contribution to improving the IPsec capabilities, usability, speed and robustness of many systems.

Why does this actually matter to end users?

nftables is the successor of the popular iptables, providing a new modular packet filtering framework e.g. for operating systems based on the popular Linux kernel. Besides a modular code base that is better suited for modern multiprotocol networking environments, the nftables project introduces powerful new userspace tools which will allow users to dynamically perform packet filtering on custom protocols (including but not limited to new proposed internet standards as defined by the Internet Engineering Task Force). The nftables project is part of the Linux mainstream kernel.

xfrm is an IP framework for transforming packets (for example, encrypting their payloads). This framework is used to implement the IPsec protocol suite, with the state object operating on the Security Association Database (SAD) and the policy object operating on the Security Policy Database (SPD). xfrm is a basic building block for IPsec on Linux, among other things.

The existing layered network stack model (OSI layers) is rather inflexible. In very specific and controlled network setups, this results in wasted CPU cycles running code that you probably don't need, reducing overall network performance. The goal of this project is to enhance nftables to allow flexible network datapath configuration by reusing existing Linux networking stack components in a Lego(R) fashion. The idea is to plug in only the network components that model your network datapath, improving the overall performance of Linux xfrm and hence of IPsec.

There are a number of programmable datapath kits now available under FOSS licenses. This contribution is different in that the goal is to achieve a hybrid, combining stable Linux kernel networking code with a higher degree of configurability. Programming your network datapath from scratch can be error-prone. This approach fills the gap between a rigid network stack (as in Linux) and these fully programmable kits.


This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy.