Google opens up its work on the PSP secure network protocol

Google has announced the release of the specification and a reference implementation of PSP (PSP Security Protocol), which it uses to encrypt traffic between data centers. The protocol uses a traffic encapsulation architecture on top of IP similar to IPsec ESP (Encapsulating Security Payloads), providing encryption, cryptographic integrity control, and source authentication. The PSP implementation is written in C and distributed under the Apache 2.0 license.

The distinctive feature of PSP is that the protocol is optimized for fast processing and a reduced load on the CPU: encryption and decryption are moved to the network card (offload). Hardware acceleration requires special PSP-compatible network cards; for systems whose network cards do not support PSP, a software implementation, SoftPSP, is offered.

UDP is used as the transport for data. A PSP packet begins with an IP header, followed by a UDP header, and then PSP's own header carrying the encryption and authentication information. Next comes the content of the original TCP/UDP packet, and the packet ends with a trailing PSP block containing an integrity check value. The PSP header, together with the header and data of the encapsulated packet, is always authenticated so that the packet's authenticity can be verified. The data of the encapsulated packet may be encrypted, and encryption can be applied selectively, leaving part of the TCP header in the clear (while still integrity-protected), for example to allow packet inspection on transit network devices.


PSP is not tied to any particular key exchange protocol, offers several packet format options, and supports the use of different cryptographic algorithms. For example, AES-GCM is supported for encryption plus authentication, and AES-GMAC for authentication without encrypting the actual data, e.g. when the data is not sensitive but you must be sure that it was not modified in transit and is exactly what was originally sent.

Unlike conventional VPN protocols, PSP applies encryption at the level of individual network connections rather than the whole communication channel, i.e. PSP uses different encryption keys for different tunneled UDP and TCP connections. This approach makes it possible to achieve stricter isolation of traffic from different applications and processors, which matters when applications and services of different users run on the same server.

Google uses the PSP protocol both to protect its own internal communications and to protect the traffic of Google Cloud customers. The protocol was designed from the outset to operate efficiently in Google-scale infrastructure and must provide hardware-accelerated encryption with millions of active network connections and hundreds of thousands of connections being established per second.

Two modes of operation are supported: "stateful" and "stateless". In stateless mode, the encryption keys are passed to the network card in the packet descriptor, and for decryption they are derived from the SPI (Security Parameter Index) field present in the packet using a master key (256-bit AES, stored in the network card's memory and replaced every 24 hours). This saves network card memory and minimizes the information about encrypted connections that is stored on the equipment side. In stateful mode, the keys for each connection are stored in a dedicated table on the network card, similar to how hardware acceleration is implemented in IPsec.
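The packet layout, the AES-GCM versus AES-GMAC choice and the stateless key derivation described above can be tied together in a small model. The Go program below is an added example written for this page; it is not Google's C reference implementation and does not reproduce the real PSP header layout or its key derivation function. It assumes a simplified header (SPI, 8-byte IV, a 16-bit "crypt offset" and a mode byte), uses HMAC-SHA256 over the SPI under the master key as a stand-in KDF, and treats everything before the crypt offset (header plus the leading bytes of the inner packet, e.g. TCP ports) as GCM associated data, so it stays readable on the wire yet still fails the trailing integrity check if altered. The master key, IV and inner packet are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	modeGCM  byte = 0 // AES-GCM: bytes past cryptOff are encrypted, everything is authenticated
	modeGMAC byte = 1 // AES-GMAC: nothing is encrypted, everything is authenticated
	hdrLen        = 4 + 8 + 2 + 1 // SPI | IV | crypt offset | mode (ASSUMED simplified layout)
	tagLen        = 16            // trailing integrity check value produced by GCM
)

// deriveKey models stateless mode: the per-connection AES-256 key is rebuilt from the
// master key and the SPI carried in the packet, so the NIC keeps no per-flow key table.
// ASSUMPTION: HMAC-SHA256 stands in for the KDF the PSP specification actually uses.
func deriveKey(master []byte, spi uint32) []byte {
	mac := hmac.New(sha256.New, master)
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], spi)
	mac.Write([]byte("psp-demo-key"))
	mac.Write(b[:])
	return mac.Sum(nil) // 32 bytes
}

func gcmFor(master []byte, spi uint32) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(master, spi))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce = SPI || IV, taken from the header
}

// Encapsulate builds: header | clear prefix (cryptOff bytes) | ciphertext | 16-byte ICV.
// Header and clear prefix are associated data: readable by middleboxes, but any change
// to them makes the receiver's integrity check fail.
func Encapsulate(master []byte, spi uint32, iv [8]byte, mode byte, cryptOff int, payload []byte) ([]byte, error) {
	if mode == modeGMAC {
		cryptOff = len(payload) // authenticate everything, encrypt nothing
	}
	if cryptOff < 0 || cryptOff > len(payload) || cryptOff > 0xFFFF {
		return nil, errors.New("crypt offset outside payload")
	}
	aead, err := gcmFor(master, spi)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], spi)
	copy(hdr[4:12], iv[:])
	binary.BigEndian.PutUint16(hdr[12:14], uint16(cryptOff))
	hdr[14] = mode
	aad := append(append([]byte{}, hdr...), payload[:cryptOff]...)
	sealed := aead.Seal(nil, hdr[0:12], payload[cryptOff:], aad) // ciphertext || ICV
	return append(append([]byte{}, aad...), sealed...), nil
}

// Decapsulate re-derives the key from master key + SPI, verifies the ICV over header,
// clear prefix and ciphertext, and returns the original inner packet.
func Decapsulate(master []byte, pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+tagLen {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:hdrLen]
	spi := binary.BigEndian.Uint32(hdr[0:4])
	cryptOff := int(binary.BigEndian.Uint16(hdr[12:14]))
	body := pkt[hdrLen:]
	if len(body) < cryptOff+tagLen {
		return nil, errors.New("crypt offset beyond packet")
	}
	aead, err := gcmFor(master, spi)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, hdr[0:12], body[cryptOff:], pkt[:hdrLen+cryptOff])
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	return append(append([]byte{}, body[:cryptOff]...), plain...), nil
}

func main() {
	master := make([]byte, 32) // CONSTRUCTED demo master key; a real one is random and rotated
	for i := range master {
		master[i] = byte(i)
	}
	iv := [8]byte{1, 2, 3, 4, 5, 6, 7, 8}
	// CONSTRUCTED inner packet: a placeholder 20-byte TCP header followed by application data
	inner := append(make([]byte, 20), []byte("hello over PSP")...)
	pkt, _ := Encapsulate(master, 0x1234, iv, modeGCM, 4, inner) // ports stay in the clear
	fmt.Printf("clear prefix: %x, packet length %d\n", pkt[hdrLen:hdrLen+4], len(pkt))
	pkt[hdrLen+1] ^= 0x01 // flip a bit in the clear-text port field
	_, err := Decapsulate(master, pkt)
	fmt.Println("tampered packet rejected:", err != nil)
}
```

The same IV must never be reused under the same derived key; the demo fixes it only so the run is reproducible. Rotating the master key as the text describes simply changes what deriveKey returns for every SPI, which is why the receiver needs nothing per connection beyond the SPI in the packet.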


PSP offers a distinctive combination of TLS and IPsec/VPN capabilities. TLS suited Google in terms of per-connection security, but was unsuitable because it is hard to accelerate in hardware and lacks UDP support. IPsec offered protocol independence and good support for hardware acceleration, but did not support binding a key to each individual connection, was designed for only a small number of tunnels, and had trouble scaling hardware acceleration because the full encryption state is kept in tables in the network card's memory (for example, 10 GB of memory would be needed to handle 10 million connections).

With PSP, the encryption state (keys, initialization vectors, sequence numbers, etc.) can be passed in the TX packet descriptor or as a pointer into host system memory, without occupying network card memory. According to Google, about 0.7% of its computing capacity and a large amount of memory was previously spent on encrypting RPC traffic in the company's infrastructure. The introduction of PSP with hardware acceleration made it possible to reduce this figure to 0.2%.

Source: opennet.ru
