{"title":"Demystifying AMD SEV Performance Penalty for NFV Deployment","authors":"Syafiq Al Atiiq, Aris Cahyadi Risdianto","doi":"arxiv-2408.02212","DOIUrl":null,"url":null,"abstract":"Network Function Virtualization (NFV) has shifted communication networks\ntowards more adaptable software solutions, but this transition raises new\nsecurity concerns, particularly in public cloud deployments. While Intel's\nSoftware Guard Extensions (SGX) offers a potential remedy, it requires complex\napplication adaptations. This paper investigates AMD's Secure Encrypted\nVirtualization (SEV) as an alternative approach for securing NFV. SEV encrypts\nvirtual machine (VM) memory, protecting it from threats, including those at the\nhypervisor level, without requiring application modifications. We explore the\npracticality and performance implications of executing native network function\n(NF) implementations in AMD SEV-SNP, the latest iteration of SEV. Our study\nfocuses on running an unmodified Snort NF within SEV. Results show an average\nperformance penalty of approximately 20% across various traffic and packet\nconfigurations, demonstrating a trade-off between security and performance that\nmay be acceptable for many NFV deployments.","PeriodicalId":501280,"journal":{"name":"arXiv - CS - Networking and Internet Architecture","volume":"17 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-08-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Networking and Internet Architecture","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2408.02212","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0
Abstract
Network Function Virtualization (NFV) has shifted communication networks
towards more adaptable software solutions, but this transition raises new
security concerns, particularly in public cloud deployments. While Intel's
Software Guard Extensions (SGX) offers a potential remedy, it requires complex
application adaptations. This paper investigates AMD's Secure Encrypted
Virtualization (SEV) as an alternative approach for securing NFV. SEV encrypts
virtual machine (VM) memory, protecting it from threats, including those at the
hypervisor level, without requiring application modifications. We explore the
practicality and performance implications of executing native network function
(NF) implementations in AMD SEV-SNP, the latest iteration of SEV. Our study
focuses on running an unmodified Snort NF within SEV. Results show an average
performance penalty of approximately 20% across various traffic and packet
configurations, demonstrating a trade-off between security and performance that
may be acceptable for many NFV deployments.