 To je tady s drojí určitě. Ne, tady už je vegráčka. Tak to neskáne fungu. Máme vegráčka nastavených drojí. A, tady to nevidíš. Nechci zaplnout ten pučíteč velký? No, mám cuná... No, mám cuná... Pustě nysna z toto. No, s kde máš? FN, tohle? No. Vy jsi na to nezobrazí na pučtiči. Tak nemá výstuk. Musí tam i duplikať si. Vyskají, vyskají ven. No, můžeme vytloubec. Můžeme použiat takhle velký pučíteč, že bychom si na něj dál. Můžete, jo. Tak to není to velký. Jako věrejtně to jde. Musí z nich vělouzit výstuk. Tak já to zkusím. To je... To je... To je... mohl dnes. Něč. Zoznedané plečka. To ní to teda online, když to možná na Google. Možná se. To je velký. To bylo to něčešté funguje dneska. Zvídové. Já jsem pěná smací na... Pěknutky. Jel to platí pro všechny močiný ena loga na Sahra. Já si vidím, že kvádky je. Cha. No to chlebe kutro. skeleton. Heorial impokorni that has lecture about TLS and DTLS in Linux kernel. Welcome to my presentation about AFK TLS. We will discuss basically other family kernel transport layer security and we will discuss basically a Linux kernel that implements part of TLS and DTLS protocols right inside the kernel. So before we start let's discuss about TLS and DTLS in an actual. TLS stands for Transport Layer Security. The DTLS means Datagram Transport Layer Security. You are probably familiar with the term SSL that is historical naming. Now the proper way to call this protocol is TLS. We have currently version 1.2. There's a draft that describes version 1.3 And it introduces a lot of cool stuff such as zero round trip times, so you're basically sending data with the handshake. You'll probably know libraries such as DTLS and OpenSSL. These are open source implementations of these protocols. You are probably familiar with other libraries such as Libre SSL, but most of them were basically forked from OpenSSL to some vulnerabilities. If we look at TLS and DTLS protocols, basically we can see that we have a control layer and the record layer. And basically the control layer is used to control TLS and DTLS protocol. So you can see messages like hey, I want to establish connections, so I want to establish keys, or hey, I want to do rekeying when there's some problem with the session and we might be compromised. And then there's record layer. Basically the record layer is used for transferring your data. So if you transfer your data, it's in the record layer. The main difference between TLS and DTLS is that TLS requires the underlying protocol to be reliable. That means that you have to use protocols such as TCP. On the other hand, DTLS protocol does not have such a requirement, so you can use it on top of UDP. On the implementation level, that means also that if you are implementing DTLS, you have to deal with things such additional information so you don't receive some records twice and you are basically dealing with reply attacks. If you are using VET, you probably are familiar with TLS. Basically, HTTP protocol is used quite widely with TLS, so called HTTPS, the S stands for Secured. TLS is also used for e-mail and probably note that known projects are high availability proxy. That is basically a load balancer on top of TLS. And also we have SSL-based VPNs. SSL here is a term that is quite tightly bound to this expression, but it can be also TLS-based VPN. Such VPNs are open connect that is open source implementation. It's open source implementation, but there is also any connect that is implementation by Cisco. Basically, open connect is alternative to any connect and it's also compatible with any connect. If we look at very basic scenario, we have a client that communicates with some device that is located on local area network and we are communicating through pounds so we want to take care that our communication is encrypted and no one sees what's going on and what we are basically sending. What client needs to do to basically send data, there needs to be established connection, but once we are done with the connection establishment, we basically do encryption and we add some additional information such as header to our message, so it's TLS specific. Then when we are done with encryption and the encapsulation, we basically write the record to the kernel and kernel does all the things for us. It basically sends the record on the wire or any other media you use for transferring your records. Once your record is on the server, server listens on some particular port and once your record is ready, you basically open connect server basically issues read or receive operation and it decrypts our records so basically there's reverse operation to the client. Once we decrypt, we check integrity and once we are done with it, we have raw data that was transferred and once we have raw data, open connect server basically issues write and our record is routed through the kernel to desired device on local area network. If we look at this scenario, we can see that on the server we are basically reading from the kernel and writing and we are reading just to do decryption in user space. If we try to identify this thing and basically move the decryption to the kernel, we basically do optimization and if we take a look at it, we basically saved two context switches so we are no longer required to do read write and to user space and what we achieved, we also achieved that data that were transferred are no longer copied from kernel space to user space for the decryption and from user space to kernel space for sending and basically this was the idea behind AFK TLS so address family kernel transport layer security it's a module, it's a Linux kernel module that sits right inside your kernel and it basically introduces a new socket type AFK TLS it implements part of TLS and DTLS protocols there's only implemented the record layer so if you want to use AFK TLS you have to do handshake in the user space with your libraries such as OpenSSL or GNU TLS and once you establish the connection you basically ask these libraries for key material and you instantiate AFK TLS and then you pass all this key material to the kernel and you can do read write operation on a socket just like raw socket and you are basically accessing raw data from the socket currently there's implemented only ASJCN cipher but AFK TLS can be extended with other cifers as well very nice candidate is Chechapoli that is used on mobile devices AFK TLS supports all socket operations so you can do socket to instantiate AFK TLS you can do bind send receive or write and read you can also do some advanced stuff like send file or supplies and the only socket operation that is not supported is Konect basically when I was designing API it didn't make much sense to implement Konect there was no semantics for it so if you look at the optimizations we wanted to save context switches basically this is not possible now with Linux kernel because there is no such Cisco that would do something like hey, this is my socket and read everything from this socket and write to another socket there are Cisco such as send file and supplies basically send file is used for sending files and it's implemented on top of supply syscall and supplies system call is designed to basically do things like ok, I have a socket or file descriptor and I need a structure that basically points to the kernel space and points to memory that is allocated in user space so I'm no longer required to copy from user space to kernel space such structure is called pipe and you can use FKTLS mostly with send file and supplies so you reduce copies and this optimization was quite successful we are no longer required to copy data from kernel space to user space only for decryption or encryption when we were implementing FKTLS there were issues such as issue with padding when you do optimization you have to take care about a lot of things such thing is padding if we look at TLS record you can see that there are basically 5 bytes and everything that follows is shifted so we are not aligned and we are accessing memory that is not aligned the same applies for DTLS record as you can see there is a second number that is carried to construct a sliding window here are some results and basically as you can see the send file using FKTLS is the fastest way how to transfer data over TLS or DTLS it is faster by 5-10% like 7% in average here is user send that means it is sending data through TLS or OpenSSL send so you are doing basically encryption and decryption in user space and the last bar represents when you map the whole file into memory and basically you do send using user space library so you do encryption and decryption in user space so AFKTLS has various UCG basically it was designed for OpenConnect and high availability proxy but as it showed it is not possible to use it so there is lack of tune device support for supply system call but AFKTLS could be used for example with KCM that is a kernel multiplexer where you have a socket and you can do multiplexing with various threads in the user space you can also AFKTLS you can also access raw data right in the kernel this gives you power to use Berkeley socket filtering or Linux socket filtering you can also use BCC that is a nice tool where you basically say hey every time there is called this function in the kernel I want to run my code so BCC allows you and probably the most useful thing for AFKTLS is CPU offloading where you basically have a specialized hardware which does encryption and encryption for you and this allows you to offload CPU so you can do something else on CPU basically two companies contacted me and both of them were using AFKTLS for CPU offloading so the question was if Linux Crypto helps in this way so with AFKTLS we are using Linux Crypto it was needed to batch it because there were some issues with implementation of AFKTLS it was needed to batch it because there were some issues with implementation of ASJCM basically Facebook batched it and TLS in the kernel is not novel there were implementation in Solaris Solaris implemented all TLS protocol into the kernel and it active like a proxy so you had one port to another and it was basically forwarded Netflix experimented with something similar to AFKTLS they adopted BSD kernel this implementation is not open source they published a few articles and they were basically adapting adapting OpenSSL we experimented with AFKTLS RedHead and also cooperated with Facebook and a few patches you can find AFKTLS on the feedhub and that's it, so any questions? yeah? do you have a merged merged for upstream? not, so the question was if we merge this to the upstream not yet, there are still open issues that we need to deal with so basically it will be merged someday, hopefully do you know where the performance improved and comes from? so if I understood it correctly what was basically the key in the optimization so the key in the optimization was that we reuse number of copies so we are no longer required to copy from kernel space to user space so is it going to be used in HAProxy? HAProxy uses tune device to communicate and tune device doesn't have support for splice so it's not possible to basically use it with HAProxy right now once splice support will be in the device how do you use a synchronous TLS which is happening on the wire? how do you handle a synchronous TLS that happens on the wire in the downstream? so the question was how do we do synchronous TLS on the wire? so even if you have your TLS connection already set up how do you send that to user space? so basically when you use FKTLS any error, we basically check only if it is data and if it is not data report we immediately return error to user space and we notify hey this is not data and all the key material has to be best again to user space libraries and basically user space libraries so you can't use libraries anymore for dealing with state TLS you can't use a normal socket like we used to do Linux that you pipe or give the pipes basically you have two file descriptors one is the file descriptor that is used for entry to communication and then there is another one where you access the grid data so you are basically playing when you want to use the encrypted socket you have to pass all the key material from general space to user space because there is also a data how do you deal with asynchronous errors from the TCP layer and while keeping and checking the politics rule so what basically do you file descriptors the lowest file descriptor number so the question was like how do we deal with errors on TCP as a data basically any error that is on during communication we notify the user space and use the user space to deal with it but somehow you use those file descriptors somehow you have to close the file descriptors or do you keep them tightly the only thing you would have to synchronize is the state any other question does this work with NSF? sorry does it work with the NSF except because it can't share the key material basically if it allows us