Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

PowerMode IPsec

Improving IPsec Performance with PowerMode IPsec

PowerMode IPsec (PMI) is a mode of operation that provides IPsec performance improvements using Vector Packet Processing and Intel Advanced Encryption Standard New Instructions (AES-NI). PMI utilizes a small software block inside the Packet Forwarding Engine that bypasses flow processing and utilizes the AES-NI instruction set for optimized performance of IPsec processing that gets activated when PMI is enabled.

PMI Processing

You can enable or disable PMI processing:

  • Enable PMI processing by using the set security flow power-mode-ipsec configuration mode command.
  • Disable PMI processing by using the delete security flow power-mode-ipsec configuration mode command. Executing this command deletes the statement from the configuration.

For SRX4100, SRX4200 devices running Junos OS Release 18.4R1, SRX4600 devices running Junos OS Release 20.4R1, and vSRX running Junos OS Release 18.3R1 after you enable or disable the PMI, you must reboot the device for the configuration to take effect. However, for SRX5000 line devices and vSRX instances running Junos OS Release 19.2R1, reboot is not required.

PMI Statistics

You can verify the PMI statistics by using the show security flow pmi statistics operational mode command.

You can verify the PMI and fat tunnel status by using the show security flow status operational mode command.

Intel QuickAssist (QAT) and Inline Field-Programmable Gate Array (FPGA)

Starting in Junos OS release 20.4R1, you can enhance PMI performance by using Intel QAT and AES-NI. AES-NI and QAT in PMI mode helps in balancing the load in SPUs and supports the symmetric fat tunnel in SPC3 cards. This results in accelerated traffic-handling performance and higher throughput for IPsec VPN. PMI uses AES-NI and QAT for encryption and FPGA for decryption of cryptographic operation.

To enable QAT with AES-NI, include the power-mode-ipsec-qat statement at the [edit security flow] hierarchy level.

To enable or disable inline FPGA, include the inline-fpga-crypto (disabled | enabled) statement at the [edit security forwarding-process application-services] hierarchy level.

Supported and Non-Supported Features for PMI

A tunnel session can either be PMI or non-PMI.

If a session is configured with any non-supported features listed in Table 1 and Table 2, the session is marked as non-PMI and the tunnel goes into non-PMI mode. Once the tunnel goes into the non-PMI mode, the tunnel does not return to the PMI mode.

Table 1 summarizes the supported and non-supported PMI features on SRX Series Devices.

Table 1: Summary of Supported and Non-supported Features in PMI (SRX Series Devices)

Supported Features in PMI

Non-Supported Features in PMI

Internet Key Exchange (IKE) functionality

IPsec-in-IPsec tunnels

AutoVPN with traffic selectors

Layer 4 - 7 applications: application firewall and AppSecure

High availability

GPRS tunneling protocol (GTP) and Stream Control Transmission Protocol (SCTP) firewalls

IPv6

Host traffic

Stateful firewall

Multicast

st0 interface

Nested tunnels

Traffic selectors

Screen options

NAT-T

DES-CBC encryption algorithm

GTP-U scenario with TEID distribution and asymmetric fat tunnel solution

3DES-CBC encryption algorithm

Quality of Service (QoS)

Application Layer Gateway (ALG)

First path and fast path processing for fragment handling and unified encryption.

NAT

AES-GCM-128 and AES-GCM-256 encryption algorithm. We recommend you to use AES-GCM encryption algorithm for optimal performance.

AES-CBC-128, AES-CBC-192, and AES-CBC-256 with SHA1 encryption algorithm

AES-CBC-128, AES-CBC-192, and AES-CBC-256 with SHA2 encryption algorithm

NULL encryption algorithm

QAT

Table 2 summarizes the supported and non-supported PMI features on MX-SPC3 services card.

MX-SPC3 services card does not support np-cache and IPsec session-affinity.

Table 2: Summary of Supported and Non-supported Features in PMI (MX-SPC3 Services Card)

Supported Features in PMI

Non-Supported Features in PMI

Internet Key Exchange (IKE) functionality

Layer 4 - 7 applications: application firewall, AppSecure, and ALGs

AutoVPN with traffic selectors, ADVPN

Multicast

High availability

Nested tunnels

IPv6

Screen options

Stateful firewall

Application Layer Gateway (ALG)

st0 interface

Traffic selectors

Dead Peer Detection (DPD)

Anti-Replay check

NAT

Post/Pre-Fragment

incoming clear-text fragments and ESP fragment

AES-GCM-128 and AES-GCM-256 encryption algorithm. We recommend you to use AES-GCM encryption algorithm for optimal performance.

AES-CBC-128, AES-CBC-192, and AES-CBC-256 with SHA1 encryption algorithm

AES-CBC-128, AES-CBC-192, and AES-CBC-256 with SHA2 encryption algorithm

NULL encryption algorithm

Note the following usage considerations with PMI:

  • Antireplay window size
    • Antireplay window size is 64 packets by default. If you configure fat-tunnel, then it is recommended to increase the Antireplay window size to greater than or equal to 512 packets.

  • Class of Service(CoS)
    • Starting in Junos OS Release 19.1R1, Class of Service(CoS) supports configuration of behavior aggregate (BA) classifier, multifield (MF) classifier, and rewrite-rule functions in PMI on SRX5K-SPC3 Services Processing Card (SPC) cards.
  • Encryption algorithm
    • Junos OS Release 19.3R1 supports options aes-128-cbc, aes-192-cbc, and aes-256-cbc on SRX4100, SRX4200, and vSRX in PMI mode to improve IPsec performance, along with the existing support in normal mode.

  • GTP-U
    • Starting in Junos OS Release 19.2R1, PMI supports GTP-U scenario with TEID distribution and asymmetric fat tunnel solution.
    • Starting in Junos OS Release 19.3R1, GTP-U scenario with TEID distribution and asymmetric fat tunnel solution and Software Receive Side Scaling feature on vSRX and vSRX 3.0.
  • LAG and redundant (reth) interfaces
    • PMI is supported on link aggregation group (LAG) and redundant Ethernet (reth) interfaces.
  • PMI fragmentation check
    • PMI does a pre-fragmentation and post-fragmentation check. If the PMI detects pre-fragmentation and post-fragmentation packets, packets are not allowed through the PMI mode. The packets will return to non-PMI mode.

    • Any fragments received on an interface does not go through PMI.

  • PMI for NAT-T
    • PMI for NAT-T is supported only on SRX5400, SRX5600, SRX5800 devices equipped with SRX5K-SPC3 Services Processing Card (SPC), or with vSRX.
  • PMI support (vSRX)
    • Starting in Junos OS Release 19.4R1, vSRX instances support:

      • Per-flow CoS functions for GTP-U traffic in PMI mode.

      • CoS features in PMI mode. The following CoS features are supported in PMI mode:

        • Classifier

        • Rewrite-rule functions

        • Queuing

        • Shaping

        • Scheduling

Benefits of PMI

  • Enhances the performance of IPsec.

Configuring Security Flow PMI

The below section describes you how to configure security flow PMI.

To configure security flow PMI, you much enable session cache on IOCs and session affinity:

  1. Enable the session cache on IOCs (IOC2 and IOC3)

  2. Enable VPN session affinity

  3. Create security flow in PMI.

  4. Confirm your configuration by entering the show security command.

Example: Configuring Behavior Aggregate Classifier in PMI

This example shows how to configure behavior aggregate(BA) classifiers for a SRX device to determine forwarding treatment of packets in PMI.

Requirements

This example uses the following hardware and software components:

  • SRX Series device.

  • Junos OS Release 19.1R1 and later releases.

Before you begin:

  • Determine the forwarding class and PLP that are assigned by default to each well-known DSCP that you want to configure for the behavior aggregate classifier.

Overview

Configure behavior aggregate classifiers to classify the packets that contain valid DSCPs to appropriate queues. Once configured, you apply the behavior aggregate classifier to the correct interfaces. You override the default IP precedence classifier by defining a classifier and applying it to a logical interface. To define new classifiers for all code point types, include the classifiers statement at the [edit class-of-service] hierarchy level.

In this example, set the DSCP behavior aggregate classifier to ba-classifier as the default DSCP map. Set a best-effort forwarding class as be-class, an expedited forwarding class as ef-class, an assured forwarding class as af-class, and a network control forwarding class as nc-class. Finally, apply the behavior aggregate classifier to the interface ge-0/0/0.

Table 2 shows how the behavior aggregate classifier assigns loss priorities, to incoming packets in the four forwarding classes.

Table 3: Sample ba-classifier Loss Priority Assignments

mf-classifier Forwarding Class

For CoS Traffic Type

ba-classifier Assignments

be-class

Best-effort traffic

High-priority code point: 000001

ef-class

Expedited forwarding traffic

High-priority code point: 101111

af-class

Assured forwarding traffic

High-priority code point: 001100

nc-class

Network control traffic

High-priority code point: 110001

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure Behavior Aggregate Classifiers for a device in PMI:

  1. Configure the class of service.

  2. Configure behavior aggregate classifiers for Differentiated Services (DiffServ) CoS.

  3. Configure a best-effort forwarding class classifier.

  4. Configure an expedited forwarding class classifier.

  5. Configure an assured forwarding class classifier.

  6. Configure a network control forwarding class classifier.

  7. Apply the behavior aggregate classifier to an interface.

Results

From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Classifier is applied to the Interfaces

Purpose

Make sure that the classifier is applied to the correct interfaces.

Action

From the operational mode, enter the show class-of-service interface ge-0/0/0 command.

Meaning

The interfaces are configured as expected.

Example: Configuring Behavior Aggregate Classifier in PMI for vSRX instances

This example shows how to configure behavior aggregate (BA) classifiers for a vSRX instance to determine forwarding treatment of packets in PMI.

Requirements

This example uses the following hardware and software components:

  • A vSRX instance.

  • Junos OS Release 19.4R1 and later releases.

Before you begin:

  • Determine the forwarding class and Packet loss priorities(PLP) that are assigned by default to each well-known DSCP that you want to configure for the behavior aggregate classifier.

Overview

Configure behavior aggregate classifiers to classify the packets that contain valid DSCPs to appropriate queues. Once configured, you apply the behavior aggregate classifier to the correct interfaces. You override the default IP precedence classifier by defining a classifier and applying it to a logical interface. To define new classifiers for all code point types, include the classifiers statement at the [edit class-of-service] hierarchy level.

In this example, set the DSCP behavior aggregate classifier to ba-classifier as the default DSCP map. Set a best-effort forwarding class as be-class, an expedited forwarding class as ef-class, an assured forwarding class as af-class, and a network control forwarding class as nc-class. Finally, apply the behavior aggregate classifier to the interface ge-0/0/0.

Table 2 shows how the behavior aggregate classifier assigns loss priorities, to incoming packets in the four forwarding classes.

Table 4: Sample ba-classifier Loss Priority Assignments

mf-classifier Forwarding Class

For CoS Traffic Type

ba-classifier Assignments

be-class

Best-effort traffic

High-priority code point: 000001

ef-class

Expedited forwarding traffic

High-priority code point: 101111

af-class

Assured forwarding traffic

High-priority code point: 001100

nc-class

Network control traffic

High-priority code point: 110001

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure Behavior Aggregate Classifiers for a device in PMI:

  1. Configure the class of service.

  2. Configure behavior aggregate classifiers for Differentiated Services (DiffServ) CoS.

  3. Configure a best-effort forwarding class classifier.

  4. Configure an expedited forwarding class classifier.

  5. Configure drop profiles.

  6. Configure the forwarding classes queues.

  7. Apply the classifier to the interfaces.

  8. Configure the schedulers.

Results

From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Classifier is applied to the Interfaces

Purpose

Verify that the classifier is configured properly and confirm that the forwarding classes are configured correctly.

Action

From the operational mode, enter the show class-of-service forwarding-class command.

Meaning

The output shows the configured custom classifier settings.

Example: Configuring and Applying a Firewall Filter for a Multifield Classifier in PMI

This example shows how to configure a firewall filter to classify traffic to different forwarding class by using DSCP value and multifield (MF) classifier in PMI.

The classifier detects packets of interest to class of service (CoS) as they arrive on an interface. MF classifiers are used when a simple behavior aggregate (BA) classifier is insufficient to classify a packet, when peering routers do not have CoS bits marked, or the peering router’s marking is untrusted.

Requirements

This example uses the following hardware and software components:

  • SRX Series device.

  • Junos OS Release 19.1R1 and later releases.

Before you begin:

Overview

This example explain how to configure the firewall filter mf-classifier. To configure the MF classifier, create and name the assured forwarding traffic class, set the match condition, and then specify the destination address as 192.168.44.55. Create the forwarding class for assured forwarding DiffServ traffic as af-class and set the loss priority to low.

In this example, create and name the expedited forwarding traffic class and set the match condition for the expedited forwarding traffic class. Specify the destination address as 192.168.66.77. Create the forwarding class for expedited forwarding DiffServ traffic as ef-class and set the policer to ef-policer. Create and name the network-control traffic class and set the match condition.

In this example, create and name the forwarding class for the network control traffic class as nc-class and name the forwarding class for the best-effort traffic class as be-class. Finally, apply the multifield classifier firewall filter as an input and output filter on each customer-facing or host-facing that needs the filter. In this example, the interface for input filter is ge-0/0/2 and interface for output filter is ge-0/0/4.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a Firewall Filter for a Multifield Classifier for a device in PMI:

  1. Create and name the multifield classifier filter.

  2. Create and name the term for the assured forwarding traffic class.

  3. Specify the destination address for assured forwarding traffic.

  4. Create the forwarding class and set the loss priority for the assured forwarding traffic class.

  5. Create and name the term for the expedited forwarding traffic class.

  6. Specify the destination address for the expedited forwarding traffic.

  7. Create the forwarding class and apply the policer for the expedited forwarding traffic class.

  8. Create and name the term for the network control traffic class.

  9. Create the match condition for the network control traffic class.

  10. Create and name the forwarding class for the network control traffic class.

  11. Create and name the term for the best-effort traffic class.

  12. Create and name the forwarding class for the best-effort traffic class.

  13. Apply the multifield classifier firewall filter as an input filter.

  14. Apply the multifield classifier firewall filter as an output filter.

Results

From configuration mode, confirm your configuration by entering the show firewall filter mf-classifier command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying a Firewall Filter for a Multifield Classifier Configuration

Purpose

Verify that a firewall filter for a multifield classifier is configured properly on a device and confirm that the forwarding classes are configured correctly.

Action

From configuration mode, enter the show class-of-service forwarding-class command.

Meaning

The output shows the configured custom classifier settings.

Example: Configuring and Applying Rewrite Rules on a Security Device in PMI

This example shows how to configure and apply rewrite rules for a device in PMI.

Requirements

This example uses the following hardware and software components:

  • SRX Series device.

  • Junos OS Release 19.1R1 and later releases.

Before you begin:

Overview

This example explains how to configure rewrite rules to replace CoS values on packets received from the customer or host with the values expected by other SRX devices. You do not have to configure rewrite rules if the received packets already contain valid CoS values. Rewrite rules apply the forwarding class information and packet loss priority used internally by the device to establish the CoS value on outbound packets. After you configure the rewrite rules, apply them to the correct interfaces.

In this example, configure the rewrite rule for DiffServ CoS as rewrite-dscps. Specify the best-effort forwarding class as be-class, expedited forwarding class as ef-class, an assured forwarding class as af-class, and a network control class as nc-class. Finally, apply the rewrite rule to the ge-0/0/0 interface.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure and apply Rewrite Rules for a device in PMI:

  1. Configure rewrite rules for DiffServ CoS.

  2. Configure best-effort forwarding class rewrite rules.

  3. Configure expedited forwarding class rewrite rules.

  4. Configure an assured forwarding class rewrite rules.

  5. Configure a network control class rewrite rules.

  6. Apply rewrite rules to an interface.

Results

From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Rewrite Rules Configuration

Purpose

Verify that rewrite rules are configured properly.

Action

From the operational mode, enter the show class-of-service command.

Meaning

Rewrite rules are configured on ge-0/0/0 interface as expected.

Configure IPsec ESP Authentication-only Mode in PMI

The PMI introduced a new data path for achieving a high IPsec throughput performance. Starting in Junos OS Release 19.4R1, on SRX5000 Series devices with SRX5K-SPC3 card, you can use Encapsulating Security Payload (ESP) authentication-only mode in PMI mode, which provides authentication, integrity checking, and replay protection without encrypting the data packets.

Before you begin:

To configure ESP authentication-only mode:

  1. Configure IPsec proposal and policy.
  2. Confirm your configuration by entering the show security ipsec command.

    If you are done configuring the device, enter commit from configuration mode.