解密 AMD SEV 在 NFV 部署中的性能损失

Syafiq Al Atiiq, Aris Cahyadi Risdianto
{"title":"解密 AMD SEV 在 NFV 部署中的性能损失","authors":"Syafiq Al Atiiq, Aris Cahyadi Risdianto","doi":"arxiv-2408.02212","DOIUrl":null,"url":null,"abstract":"Network Function Virtualization (NFV) has shifted communication networks\ntowards more adaptable software solutions, but this transition raises new\nsecurity concerns, particularly in public cloud deployments. While Intel's\nSoftware Guard Extensions (SGX) offers a potential remedy, it requires complex\napplication adaptations. This paper investigates AMD's Secure Encrypted\nVirtualization (SEV) as an alternative approach for securing NFV. SEV encrypts\nvirtual machine (VM) memory, protecting it from threats, including those at the\nhypervisor level, without requiring application modifications. We explore the\npracticality and performance implications of executing native network function\n(NF) implementations in AMD SEV-SNP, the latest iteration of SEV. Our study\nfocuses on running an unmodified Snort NF within SEV. Results show an average\nperformance penalty of approximately 20% across various traffic and packet\nconfigurations, demonstrating a trade-off between security and performance that\nmay be acceptable for many NFV deployments.","PeriodicalId":501280,"journal":{"name":"arXiv - CS - Networking and Internet Architecture","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2024-08-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Demystifying AMD SEV Performance Penalty for NFV Deployment\",\"authors\":\"Syafiq Al Atiiq, Aris Cahyadi Risdianto\",\"doi\":\"arxiv-2408.02212\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Network Function Virtualization (NFV) has shifted communication networks\\ntowards more adaptable software solutions, but this transition raises new\\nsecurity concerns, particularly in public cloud deployments. While Intel's\\nSoftware Guard Extensions (SGX) offers a potential remedy, it requires complex\\napplication adaptations. This paper investigates AMD's Secure Encrypted\\nVirtualization (SEV) as an alternative approach for securing NFV. SEV encrypts\\nvirtual machine (VM) memory, protecting it from threats, including those at the\\nhypervisor level, without requiring application modifications. We explore the\\npracticality and performance implications of executing native network function\\n(NF) implementations in AMD SEV-SNP, the latest iteration of SEV. Our study\\nfocuses on running an unmodified Snort NF within SEV. Results show an average\\nperformance penalty of approximately 20% across various traffic and packet\\nconfigurations, demonstrating a trade-off between security and performance that\\nmay be acceptable for many NFV deployments.\",\"PeriodicalId\":501280,\"journal\":{\"name\":\"arXiv - CS - Networking and Internet Architecture\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-08-05\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"arXiv - CS - Networking and Internet Architecture\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/arxiv-2408.02212\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Networking and Internet Architecture","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2408.02212","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

摘要

网络功能虚拟化(NFV)已使通信网络转向适应性更强的软件解决方案,但这一转变引发了新的安全问题,尤其是在公共云部署中。虽然英特尔的软件防护扩展(SGX)提供了一种潜在的补救措施,但它需要全面的应用调整。本文研究了 AMD 的安全加密虚拟化(SEV),作为确保 NFV 安全的替代方法。SEV 对虚拟机(VM)内存进行加密,保护其免受威胁,包括管理程序级的威胁,而无需对应用程序进行修改。我们探讨了在AMD SEV-SNP(SEV的最新迭代版本)中执行本地网络功能(NF)实现的实用性和性能影响。我们的研究重点是在 SEV 中运行未修改的 Snort NF。结果表明,在各种流量和数据包配置中,平均性能损失约为 20%,这表明安全与性能之间的权衡可能是许多 NFV 部署可以接受的。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Demystifying AMD SEV Performance Penalty for NFV Deployment
Network Function Virtualization (NFV) has shifted communication networks towards more adaptable software solutions, but this transition raises new security concerns, particularly in public cloud deployments. While Intel's Software Guard Extensions (SGX) offers a potential remedy, it requires complex application adaptations. This paper investigates AMD's Secure Encrypted Virtualization (SEV) as an alternative approach for securing NFV. SEV encrypts virtual machine (VM) memory, protecting it from threats, including those at the hypervisor level, without requiring application modifications. We explore the practicality and performance implications of executing native network function (NF) implementations in AMD SEV-SNP, the latest iteration of SEV. Our study focuses on running an unmodified Snort NF within SEV. Results show an average performance penalty of approximately 20% across various traffic and packet configurations, demonstrating a trade-off between security and performance that may be acceptable for many NFV deployments.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信