Secure Converged 5G Networks Before They Deploy

September 21, 2017 Maurizio Di Paolo Emilio

5G networks hold enormous potential for IoT applications. But escalating security concerns threaten to stifle performance before 5G even deploys.

The challenges start with IoT device density. 5G can support 2.6 million devices per square mile, and every connection must be secure. And the list of security functions keeps growing. Packet inspection, key generation and storage, and end-to-end encryption are just a few issues network architects must consider.

These security requirements can create serious bottlenecks that hamper performance. For instance, a single SSL/TLS handshake can consume up to 2 percent of a processor’s resources and add 5 ms of latency.

Security demands can also increase system costs. Deep packet inspection (DPI), for example, often requires the addition of a dedicated multicore processor or hardware accelerator.

CSPs looking to capitalize on 5G should be wary of the ways security can impact their systems, and should know which solutions can offset those limitations.

Transforming 5G Security Bottlenecks into Floodgates

Intel® Xeon® Scalable Processors offer one possible solution. The new processors support as many as 224 cores and 12 Terabytes of memory in an eight-socket configuration (Figure 1), delivering the packet processing and control plane resources required for secure 5G network operations.

Figure 1. Intel® Xeon® Scalable Processors deliver up to 224 cores and 12 Terabytes of system memory in eight-socket configurations. This provides ample resources for secure 5G communications. (Source: PC Perspective)

The new chips offer impressive performance gains across a range of 5G tasks. These include a 1.77X boost in L3 packet forwarding, a 2.5X acceleration in IPSec performance, and a 2.4X improvement in SSL Web Proxy transmissions (Figure 2).

Figure 2. Intel® Xeon® Scalable Processors accelerate important security workloads. (Source: Intel)

The Intel® Xeon® Scalable Processors also support 1.5X more VMs per server than previous-generation processors. As a result, CSPs can consolidate multiple server platforms, reducing the cost and complexity of 5G rollouts.

Advanced Network Security Performance From the Ground Up

New Intel® Xeon® processors include several significant architectural enhancements that enable them to achieve the above benchmarks. In particular, Intel® Advanced Vector Extensions 512 (Intel® AVX-512), a revamped chip architecture, and updated interconnect and fabric interfaces benefit 5G network security.

Intel® AVX-512 is a new set of instructions designed to optimize ultra-wide (512-bit) vector operations such as those used in cryptographic primitives. The instructions are supported by two 512-bit fused multiply-add (FMA) units per core, which help Intel® AVX-512 deliver double the FLOPS per clock cycle of its predecessor.

This performance increase results in 3.1x faster SHA hashing and 2x faster processing of Reed-Solomon erasure codes when leveraging Intel® AVX-512.

To prevent the powerful new Intel® Xeon® from becoming I/O bound, the 14 nm Skylake-SP microarchitecture has also been redesigned in a mesh topology (Figure 3). The on-chip mesh interconnect facilitates higher-bandwidth, lower-latency core-to-core communications. This helps optimize task scheduling and transfers, and reduces energy consumption in network servers and UTM systems.

Figure 3. The Skylake-SP microarchitecture features a new on-chip mesh topology that improves bandwidth and reduces latency in resource-intensive multicore networking applications. (Source: Hardware.Info)

Off-chip I/O has also been updated to extend performance beyond a single processor. For starters, the new Intel® Xeon® Scalable Processors include up to 48 PCIe 3.0 links and six memory channels that support 2666 MHz DDR4 DRAM. The latter equates to a 50 percent increase in memory bandwidth over the last generation.

But the main I/O enhancements for massively scalable 5G network infrastructure are in socket-to-socket and system-to-system connectivity.

The Intel® Ultra Path Interconnect (Intel® UPI) provides a cache-coherent, 10.4 GTps data path between CPU sockets (Figure 4). The interconnect can scale to support up to eight processors per system under a single shared address space, with each Intel® Xeon® Scalable Processor including two or three native Intel® UPI links.

Figure 4. The Intel® Ultra Path Interconnect (Intel® UPI) delivers cache-coherent, 10.4 GTps communications between CPU sockets. This is scalable up to eight sockets using the same shared address space. (Source: Intel)

To enable and secure 5G deployments that consist of millions of devices per square mile, the Intel® Omni-Path Architecture (Intel® OPA) fabric supports 10,000 or more nodes for each high-performance computing (HPC) network cluster.

Intel® OPA is the successor to Intel® TrueScale Fabric, and is positioned as the next-generation alternative to InfiniBand. While its cost and 100 Gbps line rates are currently comparable to competing technologies, Intel® OPA’s feature set is the key differentiator for 5G networks:

  • Traffic Flow Optimization – Higher-priority packets can preempt lower-priority packets, regardless of packet ordering
  • Dynamic Lane Scaling – Link continuity is maintained in case of lane failure
  • Packet Integrity Protection – Link-level error checking is applied to all data packets, allowing transparent detection of, and recovery from, transmission errors

Intel® OPA is integrated in the package of Xeon® Scalable Processors to ease the deployment of HPC networks and security applications.

A Companion for Near-Zero Encryption Overhead

To maximize processor performance, the Intel® C620 Series Chipsets (formerly codenamed “Lewisburg”) offload cryptographic workloads from the main processor. The chipsets come pre-equipped with Intel® QuickAssist Technology (Intel® QAT) to provide network security features, including:

  • Symmetric encryption and authentication
  • Asymmetric encryption
  • Digital signatures
  • Lossless data compression
  • RSA, Diffie-Hellman, and Elliptic Curve Cryptography (ECC) functions

In addition, the chipsets incorporate Intel® Key Protection Technology (Intel® KPT). Intel® KPT is a new feature that helps protect sensitive private keys stored in hardware from software and probing attacks (Figure 5).

Figure 5. Intel® KPT protects sensitive private keys stored in hardware from software and probing attacks. (Source: Intel)

Intel® KPT works with Intel® QAT to enable near-zero encryption overhead for data-at-rest and data-in-motion, reducing the need for dedicated hardware security modules (HSMs).

Intel® QAT also supports all standard device virtualization models. This extends the features of Intel® QAT and Intel® KPT to all virtual machines (VMs) running in a system.

5G and the Converged Infrastructure Shift

5G network architectures are hallmarked by “converged” infrastructure. In this paradigm, dedicated network appliances are replaced with systems that handle multiple network functions simultaneously.

As a result, network equipment providers (NEPs) are bringing standards-based hardware platforms to market that support networking, storage, security, and other functions in a single package.

For instance, the ADLINK Technology MCN-2610 is a compute node based on Intel® Xeon® Scalable Processors (Figure 6). It provides 4×10 GbE lanes to maximize the performance benefits of Intel® Xeon® Scalable Processors in UTM systems and 5G network servers.

Figure 6. The ADLINK Technology MCN-2610 is a data center compute node based on Intel® Xeon® Scalable Processors with up to 28 cores. (Source: ADLINK Technology)

The MCN-2610 adheres to the Open Compute Project (OCP) OpenSled specification. OpenSled is derived from ADLINK Technology’s Open Compute Carrier-grade Edge Reference Architecture (OCCERA), which emphasizes NFV and SDN principles on top of modular industrial design standards.

The standards-based approach of OpenSled allows modules to provide on-demand resources in converged infrastructure platforms. For example, an MCN-2610 module in a UTM system could dynamically switch between DPI and general-purpose routing as demands change.

Such architectures will help ease the transition to 5G network architectures.

Secure 5G Networks Before They Deploy

5G networks have the potential to enable entirely new ecosystems and services, thanks to significant increases in performance. These benefits apply to burgeoning IoT opportunities in addition to traditional networking applications.

CSPs looking to capitalize on 5G benefits should be wary of the ways security can impact the performance of their systems, and should know which solutions can offset that overhead.

With Intel® Xeon® Scalable Processors and compute nodes like the MCN-2610, they need look no further in the transition to converged 5G infrastructure.

About the Author

Maurizio Di Paolo Emilio

Maurizio Di Paolo Emilio is the author of Microelectronic Circuit Design for Energy Harvesting Systems, a book covering the design of microelectronic circuits for energy harvesting, broadband energy conversion, and new methods and technologies for energy conversion.
