To Embed or Not to Embed SHA in Programmable Network Interface Cards

Abstract

Cryptographic hash functions are widely used to provide from digital time stamping to authenticity and digital signatures, mapping an extensive collection of messages into a small set of message digests and help to secure network connection and data, consequently consuming CPU resources. P4 enables data plane customisation using a high-level programming language to facilitate in-network computing development across diverse hardware targets, including Network Interface Cards (NICs). Currently, most P4 targets do not implement secure hash functions due to a lack of hardware instructions or the absence of formal functions to expose their native hardware-based implementation. Moreover, many applications and protocols cannot be instantiated using in-network computing due to stringent requirements based on these hash functions. In order to empower the security and other hash-based applications, in this paper we propose and implement a P4 shared object library for a secure hash algorithm 2 (SHA-2). Our goal is to enable SHA-2 to be used as an embedded Network Function (eNF), overcoming the lack of support in a SmartNIC architecture, in order to address the latency and throughput requirements of Service Function Chain (SFC) forwarding performance within the Network Function Virtualization (NFV) paradigm. Thus, our prototype is evaluated against kernel-level Open vSwitch (OvS) and user-space Data Plane Development Kit (DPDK) implementations. The outcomes demonstrate different tradeoffs over each platform, from the randomness added by the OS to the high cost of executing the aforesaid function using a network programmable device, leading us to highlight the best choice for each specific application.