
White Paper
Communications Service Providers
Network Security

F5 Accelerates Cryptographic Processing with Intel QAT

Bandwidth increases from 5G and IoT networks along with increased demand for crypto workloads challenge application performance. F5 tested its BIG-IP Virtual Edition application delivery controller software suite with Intel QuickAssist Technology (Intel QAT) and saw dramatic performance increases in throughput and transactions along with a decrease in CPU utilization.¹

Data security is an imperative for enterprises and communications service providers (CommSPs), but higher bandwidth networks and the dramatically increasing number of internet-connected devices make it harder for CPUs in edge networking devices to keep up with the need for wire-speed data encryption/decryption. One solution is to add a hardware cryptography accelerator in the edge server to shoulder the increased traffic and free up the CPU for other compute tasks. To determine the impact of adding an accelerator to an edge server, Intel Network Builders ecosystem partner F5 tested the throughput of its own F5 BIG-IP Virtual Edition (VE) application delivery controller (ADC) on servers with and without Intel QuickAssist Technology (Intel QAT).

Table of Contents

- The Challenge: Boosting Application Performance and Encryption
- F5 BIG-IP Virtual Edition Improves Security, Application Performance
- Intel Xeon Scalable Processors Support Intel QAT
- Testing BIG-IP with Intel QAT
- Conclusion
- About F5
- About Intel Network Builders

The Challenge: Boosting Application Performance and Encryption

The availability of 5G networks will enable new high-speed data services and capabilities for handsets and other mobile devices. At the same time, CommSPs anticipate the addition of billions of connected IoT devices to the network from companies taking advantage of LTE Cat-M and Narrowband IoT (NB-IoT) networks. Even as these trends drive up data traffic and network connections, CommSPs are also seeing much more data traffic that needs encryption/decryption.

Network functions virtualization (NFV) and software defined networking (SDN) applications such as virtual customer premises equipment (vCPE), software defined wide area networking (SD-WAN), virtual application delivery controllers (vADC), vIPsec, and virtual firewalls need to perform compute-intensive security tasks while maintaining high throughput and low latency. Encryption of web traffic is also growing with the adoption of protocols like HTTP/2 and the increased use of secure sockets layer/transport layer security (SSL/TLS) encryption/decryption. Another emerging use case is DNS over HTTPS.

The performance and CPU utilization of these workloads can be significantly improved by using dedicated hardware accelerators, such as Intel QuickAssist Technology (Intel QAT), which can offload cryptographic workloads from the CPU and accelerate processing. This performance increase allows CommSPs to support increased crypto workloads in a way that also improves virtual network function (VNF) performance.

Many edge servers are optimized for cost, including using lower performance CPUs, which can reduce the amount of computing power available for encryption tasks. When CPU cores must be dedicated to crypto workloads, that means fewer compute cycles are available for other functions. F5 has built its reputation on developing web application and network software that helps user traffic to get to its destination quickly and securely. To demonstrate the increased performance of encryption acceleration, the company has tested the performance of its BIG-IP Virtual Edition suite of application delivery controller (ADC) virtual network functions (VNFs) on an Intel architecture-based edge server utilizing Intel QuickAssist Technology (Intel QAT).

F5 BIG-IP Virtual Edition Improves Security, Application Performance

F5 Networks is a leader in multi-cloud application services and network functions for enterprises and CommSPs. F5's BIG-IP VE products are optimized for virtualized environments and run on servers powered by Intel architecture CPUs. F5 solutions address multiple use cases in CommSPs and enterprises:

- Intelligent traffic management, load balancing, and DNS
- Protocol fluency and tunneling capabilities such as TCP, HTTP/2, Diameter, IPsec
- SGi-LAN/N6 consolidation (policy enforcement, firewall, CGNAT, DDoS)
- IoT security
- Web application firewall
- Identity and access management

Here are some specific BIG-IP VE solutions that address the above use cases and require high performance crypto processing and compression:

- F5 BIG-IP Local Traffic Manager (LTM) provides advanced load balancing that can control and help secure network traffic by selecting the right destination server based on server performance and availability. The result is fast application performance and increased availability and security.
- F5 BIG-IP DNS provides a DNS infrastructure that sends user traffic to the closest or best-performing physical, virtual, or cloud environment. BIG-IP DNS is designed for hyperscale environments and provides a defense against DDoS attacks.
- F5 BIG-IP Access Policy Manager (APM) is a scalable access gateway that provides management of user connectivity to help secure, simplify, and protect user access to applications.
- F5 BIG-IP Advanced Firewall Manager (AFM) addresses network threats before they disrupt critical data center resources through security services including firewall, DDoS mitigation, DNS security, and intrusion protection system.
- F5 Advanced Web Application Firewall protects web applications using behavioral analytics, proactive bot defense, and application-layer encryption of sensitive data such as credentials.

High encryption performance is critical for the BIG-IP product family because, as a full proxy that resides between the client and backend server, the BIG-IP products must not be a bottleneck while transferring client and server data that needs to be encrypted/decrypted at scale, whether for security inspection purposes or to make a traffic steering decision.

Before the availability of Intel QAT, F5 software would leverage CPU-based solutions for encryption such as Intel Advanced Encryption Standard New Instructions (Intel AES-NI). These software-based encryption solutions deliver very high performance when taking advantage of Intel AES-NI but still consume a percentage of CPU capacity depending on the amount of data and how many requests are directed at that particular application or service. Scaling performance of software-based encryption requires distributing the load across many servers or deploying servers with higher performance CPUs or with multiple CPUs. Utilizing encryption hardware, like Intel QAT, provides increased performance and frees up CPU processor cycles for other compute needs.

Intel Xeon Scalable Processors Support Intel QAT

F5 solutions deliver optimized throughput when used on servers that feature Intel Xeon Scalable processors or 2nd generation Intel Xeon Scalable processors.

Intel Xeon Scalable processors are designed for cloud-optimized, virtualized networks. The platform features an open architecture that scales and adapts with ease to handle the demands of emerging applications. Intel Xeon Scalable CPUs provide a future-ready foundation for agile networks that provides the right cost-performance balance for cloud networks, are highly automated and responsive, and support rapid and more secure delivery of new and enhanced services. These CPUs are designed to enable enterprises and CommSPs to transition to virtualized, software-defined infrastructure to enable cloud capabilities for agile service delivery throughout the network.

The 2nd generation Intel Xeon Scalable processors provide the foundation for powerful data center server performance and features for expanded agility and scalability. The innovative processor platform provides platform convergence and capabilities across compute, storage, memory, network, and security.

All 2nd generation Intel Xeon Scalable processors support chipsets with integrated Intel QAT, which offers compression functionality acceleration in addition to public key acceleration and symmetric cryptography acceleration. This technology, which is also available in a PCIe card or on selected Intel CPUs and SoCs, processes these workloads separately from the CPU, providing the ability to scale cryptographic performance beyond Intel AES-NI functionality.

Testing BIG-IP with Intel QAT

In a set of tests run on a server board powered by a 2nd generation Intel Xeon Gold 6230N processor, the use of an Intel QAT adapter resulted in up to five times¹ better bulk throughput and transactions per second when compared with a system that utilized the CPU only for cryptography. The tests used eight vCPUs/physical cores from one socket with no hyperthreading cores. Using this hardware, the performance of the BIG-IP Local Traffic Manager solution was tested with and without Intel QAT providing crypto acceleration functionality. The test results, as can be seen in Figures 1 through 3, include better performance and lower CPU utilization.¹ The CPU utilization, shown in Figure 3, is based on aggregated average across all physical cores.

Figure 1 shows an improvement of between two and five times the encrypted HTTP throughput when using Intel QAT, depending on packet size, while Figure 2 shows consistently higher transactions per second with Intel QAT engaged, including five times the performance at 128 B packet sizes.

CPU utilization across the different tested packet sizes is shown in Figure 3 with consistently lower percentages when Intel QAT is turned on. At 128 B packet sizes, the utilization is almost half the utilization of the solution that didn't use Intel QAT, meaning that the CPU is at 100% capacity operating by itself, compared to 56% utilization when combined with Intel QAT. CPU utilization is typically the heaviest with small packet sizes.¹

[Figure 1. Bulk throughput with Intel QAT and without.¹ Bar chart of throughput at 128 B, 5 KB, 16 KB, and 512 KB packet sizes, with Intel QAT and without Intel QAT.]

[Figure 2. SSL/TLS transactions per second with Intel QAT and without.¹ Bar chart of transactions per second at 128 B, 5 KB, 16 KB, and 512 KB packet sizes, with Intel QAT and without Intel QAT.]

[Figure 3. CPU utilization for encryption functionality with Intel QAT and without.¹ Bar chart of CPU utilization (%) at 128 B, 5 KB, 16 KB, and 512 KB packet sizes, with Intel QAT and without Intel QAT.]

Conclusion

More encrypted data traffic is a mainstream reality and network core, edge, and data center infrastructure will need to handle this traffic while designing for cost efficiency. The impact will come from an increase in data traffic from smartphones and mobile devices and increased device connectivity from IoT. CommSPs and enterprises are looking for solutions to build a network and data center infrastructure that is responsive to these increases while offering high-performance crypto processing for data security. Intel QAT accelerates crypto performance and, according to tests from F5, offers dramatic performance improvements with a decrease in CPU utilization.¹ This combination helps CommSPs and enterprises to maintain VNF and application performance in a 5G world.

About F5

F5 provides application services that give the world's largest businesses, service providers, governments, and consumer brands the freedom to securely deliver every app, anywhere with confidence. F5 delivers cloud and security application services that enable organizations to embrace the infrastructure they choose without sacrificing speed and control. For more information, go to f5.com. You can also follow @f5networks on Twitter or visit us on LinkedIn and Facebook for more information about F5, its partners, and technologies.

About Intel Network Builders

Intel Network Builders is an ecosystem of infrastructure, software, and technology vendors coming together with communications service providers and end users to accelerate the adoption of solutions based on network functions virtualization (NFV) and software defined networking (SDN) in telecommunications and data center networks. The program offers technical support, matchmaking, and co-marketing opportunities to help facilitate joint collaboration through to the trial and deployment of NFV and SDN solutions. Learn more at http://networkbuilders.intel.com.

¹ Testing conducted by F5 Networks on March 27, 2019.

Configuration with Intel QAT: Intel Xeon Gold 6230N processor with 192 GB total memory (12 slots / 16GB / DDR4 2667MHz), Bios: PLYXCRB 1.86B.0568.D10.1901032132, microcode: 0x4000019 on CentOS 7.5 with Kernel 3.10.0-862, KVM Hypervisor; 1 x Intel QuickAssist Adapter 8970, TLS1.2: AES128-GCM-SHA256 2K key with 1 Intel QAT Physical Functions (End-Point); 1 x Dual-Port 40GbE Intel Ethernet Network Adapter XL710; Application: BIG-IP Virtual Edition (VE) v14.1 (BETA Version with Intel QAT enabled).

Configuration without Intel QAT: 2x Intel Xeon Gold 6230N processor with 192 GB total memory (12 slots / 16GB / DDR4 2667MHz), Bios: PLYXCRB 1.86B.0568.D10.1901032132, microcode: 0x4000019 on CentOS 7.5 with Kernel 3.10.0-862, KVM Hypervisor; 1 x Dual-Port 40GbE Intel Ethernet Network Adapter XL710; Application: BIG-IP Virtual Edition (VE) v14.1 (BETA Version with no Intel QAT).

BIG-IP VE software (version 14.1.0.3) that supports Intel QAT is in production as of this publication date.

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors.

Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more complete information visit www.intel.com/benchmarks.

Performance results are based on testing as of March 27, 2019, and may not reflect all publicly available security updates. See configuration disclosure for details. No product or component can be absolutely secure.

Intel does not control or audit third-party data. You should review this content, consult other sources, and confirm whether referenced data are accurate.

Cost reduction scenarios described are intended as examples of how a given Intel-based product, in the specified circumstances and configurations, may affect future costs and provide cost savings. Circumstances will vary. Intel does not guarantee any costs or cost reduction.

Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. Check with your system manufacturer or retailer or learn more at intel.com.

Intel, the Intel logo, and Xeon are trademarks of Intel Corporation or its subsidiaries.

Other names and brands may be claimed as the property of others.

Intel Corporation 0919/DO/H09/PDF 341208-001US
