Google opens up development of the PSP network security protocol

Google has published the specification and reference implementation of PSP (PSP Security Protocol), which it uses to encrypt data-center traffic. The protocol uses a transport encapsulation architecture similar to IPsec ESP (Encapsulating Security Payload) over IP and provides encryption, cryptographic integrity control and source authentication. The PSP implementation code is written in C and distributed under the Apache 2.0 license.

A distinguishing feature of PSP is that the protocol is optimized to speed up computation and reduce load on the host CPU by moving encryption and decryption operations onto the network card (offload). Hardware acceleration requires special network cards with PSP support. For systems whose network cards do not support PSP, a software implementation, SoftPSP, is offered.

UDP is used as the transport for data delivery. A PSP packet begins with an IP header, followed by a UDP header, and then PSP's own header carrying the encryption and authentication parameters. After that comes the content of the original encapsulated TCP/UDP packet, and the packet ends with a PSP trailer carrying the integrity check value. The PSP header, together with the header and data of the encapsulated packet, is always authenticated so that the packet's authenticity can be verified. The data of the encapsulated packet can be encrypted, and encryption can be applied selectively so that part of the TCP header is left in the clear (while still covered by the integrity check), for example to allow packet inspection on transit network equipment.


PSP is not tied to any particular key exchange protocol, offers several packet formats and supports the use of different cryptographic algorithms. For example, AES-GCM is supported for combined encryption and authentication, and AES-GMAC for authentication without encrypting the payload, for cases where the data itself is not confidential but you still need assurance that it was not tampered with in transit and is exactly what was originally sent.

Unlike VPN protocols, PSP applies encryption at the level of an individual network connection rather than the whole communication channel, i.e. PSP uses separate encryption keys for different tunneled UDP and TCP connections. This approach makes it possible to isolate the traffic of different applications and processes from one another, which matters when applications and services belonging to different users run on the same server.

Google uses PSP both to protect its own internal communications and to protect the traffic of Google Cloud customers. The protocol was designed from the outset to work efficiently in Google-scale infrastructure and must provide hardware-accelerated encryption with millions of active network connections and hundreds of thousands of new connections established every second.

Two modes of operation are supported: "stateful" and "stateless". In stateless mode, the encryption keys are handed to the network card in the packet descriptor on transmit, and on receive they are re-derived from the SPI (Security Parameter Index) field carried in the packet using a master key (256-bit AES, stored in the network card's memory and rotated every 24 hours). This saves network card memory and minimizes the amount of per-connection encryption state kept on the device. In stateful mode, the key for each connection is stored on the network card in a dedicated table, much as hardware acceleration is implemented for IPsec.
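The packet layout and the stateless key handling described above, as an added example that is not code from Google's PSP repository: a sender builds PSP header, cleartext TCP header (crypt offset 5, i.e. 20 bytes), encrypted data and the AES-GCM tag as trailer; the receiver re-derives the per-SPI key from the master key and verifies the tag over everything. The 16-byte header layout, the use of SPI || IV as the 96-bit GCM nonce, and the HMAC-SHA256 key derivation are assumptions of this example (the PSP specification defines its own SPI-based KDF and header bit layout); the TCP segment and master key are constructed inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// PSP header layout assumed here (16 bytes, no virtualization cookie):
// byte 0 next header, byte 1 header extension length (assumed 1), byte 2 crypt
// offset in 4-byte words of payload left in the clear, byte 3 flags/version
// (bit layout not modelled, set to 0x01), bytes 4-7 SPI, bytes 8-15 64-bit IV.
const pspHdrLen, tagLen = 16, 16 // tagLen: ICV carried in the PSP trailer

// deriveKey computes the per-SPI AES-128 key from the 256-bit master key, so the
// receiver keeps no per-connection state (stateless mode). ASSUMPTION: the real
// PSP spec defines its own SPI-based KDF; HMAC-SHA256 stands in for it here.
func deriveKey(master [32]byte, spi uint32) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], spi)
	m := hmac.New(sha256.New, master[:])
	m.Write([]byte("psp-example-kdf"))
	m.Write(b[:])
	return m.Sum(nil)[:16]
}

// newGCM keys AES-128-GCM for spi; the key is always 16 bytes, so the constructors cannot fail.
func newGCM(master [32]byte, spi uint32) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(master, spi))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encapsulate returns PSP header || cleartext words || ciphertext || ICV. The
// header and the first cryptOffset*4 payload bytes are authenticated as AAD but
// not encrypted; the rest is encrypted. The 96-bit GCM nonce is SPI || IV, so an
// IV must never repeat under the same SPI and master key.
func Encapsulate(master [32]byte, spi uint32, iv uint64, nextHdr byte, cryptOffset int, payload []byte) ([]byte, error) {
	if cryptOffset < 0 || cryptOffset > 63 || cryptOffset*4 > len(payload) {
		return nil, errors.New("invalid crypt offset")
	}
	hdr := make([]byte, pspHdrLen)
	hdr[0], hdr[1], hdr[2], hdr[3] = nextHdr, 1, byte(cryptOffset), 0x01
	binary.BigEndian.PutUint32(hdr[4:8], spi)
	binary.BigEndian.PutUint64(hdr[8:16], iv)
	out := append(append([]byte{}, hdr...), payload[:cryptOffset*4]...)
	aad := append([]byte{}, out...) // everything that precedes the ciphertext
	return newGCM(master, spi).Seal(out, hdr[4:16], payload[cryptOffset*4:], aad), nil
}

// Decapsulate re-derives the key from the SPI, verifies the ICV over header,
// cleartext and ciphertext, and returns the next-header value and the payload.
func Decapsulate(master [32]byte, pkt []byte) (byte, []byte, error) {
	if len(pkt) < pspHdrLen+tagLen {
		return 0, nil, errors.New("packet too short")
	}
	hdr := pkt[:pspHdrLen]
	end := pspHdrLen + int(hdr[2]&0x3f)*4 // end of the cleartext region
	if end+tagLen > len(pkt) {
		return 0, nil, errors.New("crypt offset exceeds packet")
	}
	plain, err := newGCM(master, binary.BigEndian.Uint32(hdr[4:8])).Open(nil, hdr[4:16], pkt[end:], pkt[:end])
	if err != nil {
		return 0, nil, fmt.Errorf("PSP ICV check failed: %w", err)
	}
	return hdr[0], append(append([]byte{}, pkt[pspHdrLen:end]...), plain...), nil
}

// SamplePayload is a constructed TCP segment: a 20-byte header (src port 40000,
// dst port 443, PSH|ACK) followed by application data.
func SamplePayload() []byte {
	tcp := make([]byte, 20)
	binary.BigEndian.PutUint16(tcp[0:2], 40000)
	binary.BigEndian.PutUint16(tcp[2:4], 443)
	tcp[12], tcp[13] = 0x50, 0x18
	return append(tcp, []byte("GET / HTTP/1.1\r\n")...)
}

func main() {
	var master [32]byte // constructed master key; a NIC would hold a random one
	for i := range master {
		master[i] = byte(i)
	}
	// crypt offset 5 = 20 bytes: the TCP header stays readable by transit devices.
	pkt, _ := Encapsulate(master, 0x1234, 1, 6, 5, SamplePayload())
	_, got, err := Decapsulate(master, pkt)
	fmt.Printf("decapsulated: err=%v data=%q\n", err, got)
	pkt[pspHdrLen+2] ^= 0xff // rewrite the cleartext destination port in flight
	_, _, err = Decapsulate(master, pkt)
	fmt.Println("after tampering:", err)
}
```

The point to take from the receive side is that nothing about the connection is looked up: the SPI alone, plus the current master key, yields the decryption key, which is why rotating the master key every 24 hours is what bounds key lifetime in stateless mode. The tampering step shows that a cleartext TCP header is still integrity-protected: a middlebox may read it, but any rewrite breaks the ICV.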


PSP combines capabilities of TLS and of IPsec/VPN protocols. TLS suited Google in terms of protecting each connection separately, but was unsuitable because it is not adapted to hardware acceleration and has no UDP support. IPsec is transport-independent and well suited to hardware acceleration, but does not support binding keys to individual connections, was designed for a small number of tunnels, and scales poorly under hardware acceleration because all encryption state is kept in tables in the network card's memory (for example, about 10 GB of memory would be needed to serve 5 million connections).

In PSP, the encryption state (keys, initialization vectors, sequence numbers and so on) can be passed in the TX packet descriptor or as a pointer into host system memory, without being stored in the network card's memory. According to Google, encrypting RPC traffic in the company's infrastructure previously consumed about 0.7% of its computing capacity and a large amount of memory. Introducing PSP with hardware acceleration reduced that figure to 0.2%.

Source: opennet.ru
