Tempesta FW is a high performance open source Linux application
delivery controller (ADC). The project is built into the Linux TCP/IP stack to get
maximum performance for normal Web content delivery and efficient traffic
filtering for volumetric DDoS mitigation.
I'll start by considering a simple example of how to build an ADC using traditional
open source software. I'll describe drawbacks of the approach and why
we started Tempesta FW's development. Next I'll go into the project internals
and conclude the presentation with Tempesta FW performance benchmarks and
several examples.
Application delivery controllers (ADCs) are typically hardware appliances
that accelerate Web content delivery, intelligently balance loads among
upstream servers, employ QoS and traffic shaping to efficiently and elegantly
mitigate DDoS on all network layers, and provide Web application firewalling and
application performance monitoring. However, it seems there are no open source
projects that are able to perform these tasks with comparable performance and
accuracy.
In this presentation I'll describe Tempesta FW - a high performance, open
source Linux application delivery controller. The project is built into the Linux
TCP/IP stack to get maximum performance for normal Web content delivery and
efficient traffic filtering for volumetric DDoS mitigation.
I'll start by considering a simple example of an installation of Nginx, Fail2Ban,
and IPtables. Alternative configurations containing other open source projects
will be covered as well. I'll describe why such configurations usually do a poor
job, and why we started Tempesta FW's development.
Next I'll describe how Tempesta FW services HTTP requests, and how the HTTP layer
works with low-layer filter logic. There are several HTTP load-balancing
strategies, including flexible distribution of requests by almost any HTTP field
and a predictive strategy based on monitoring application performance.
Several technologies at the basis of Tempesta FW's performance will also be covered:
- Linux TCP/IP stack optimizations for efficient HTTP proxying
- stateless HTTP parsing and using the AVX2 instruction set to efficiently process
  HTTP strings
- a lightweight in-memory database, TempestaDB, based on a cache-conscious
  lock-free data structure used for servicing a web cache
I'll conclude with Tempesta FW performance benchmarks and show several
installation and configuration examples.