Session

To TLS or Not? That Is Not The Question

Speakers

Nabil Bitar
Jamal Hadi Salim
Pedro Tammela

Label

Nuts and Bolts

Session Type

Talk

Contents

Description

In this talk we evaluate TLS performance under different circumstances, with a particular focus on the Kubernetes environment.

We look at:

1) Traditional user space driven approach, where both the TLS handshake and record protocols happen in user space

a) with x86 AES support turned on
b) with AES support turned off

2) KTLS, where the handshake protocol still happens in user space but the record protocol is in the kernel

a) with x86 AES support turned on
b) with AES support turned off

3) KTLS with hardware offload, where the handshake protocol still happens in user space but the record protocol is offloaded to hardware

a) with x86 AES support turned on
b) with AES support turned off

It should be noted that, for offload, the record protocol may still be handled in the kernel (as with KTLS) under some conditions, as determined by the hardware.
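For paths 2) and 3), the hand-off from the user space handshake to the kernel record protocol is a pair of socket options. The following is an added example (not the speakers' code) for Linux with CONFIG_TLS and a TLS 1.2 AES-128-GCM session; the function names are hypothetical and the key material is whatever the user space handshake produced. The same calls cover path 3): the kernel selects NIC offload when the device supports it and otherwise runs the software KTLS path, which is the fallback the note above refers to.

```c
/* Hand a finished TLS 1.2 AES-128-GCM session to kernel TLS (kTLS).
 * Assumes: the handshake already ran in user space and produced the
 * key block; the kernel has the tls module (CONFIG_TLS) available. */
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <linux/tls.h>

#ifndef SOL_TLS
#define SOL_TLS 282   /* socket level for TLS options (include/linux/socket.h) */
#endif
#ifndef TCP_ULP
#define TCP_ULP 31    /* attach an upper layer protocol to a TCP socket */
#endif

/* Fill the crypto_info the kernel expects for one direction.
 * TLS 1.2 AES-GCM splits the 12-byte nonce into a 4-byte implicit salt
 * (from the key block) and an 8-byte explicit IV sent in each record;
 * rec_seq is the 64-bit record sequence number, big-endian.
 * Returns the byte length to pass to setsockopt(). */
int build_aes_gcm_128_info(struct tls12_crypto_info_aes_gcm_128 *ci,
                           const unsigned char key[16],
                           const unsigned char salt[4],
                           const unsigned char explicit_iv[8],
                           unsigned long long next_seq)
{
    memset(ci, 0, sizeof(*ci));
    ci->info.version = TLS_1_2_VERSION;
    ci->info.cipher_type = TLS_CIPHER_AES_GCM_128;
    memcpy(ci->key, key, TLS_CIPHER_AES_GCM_128_KEY_SIZE);
    memcpy(ci->salt, salt, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
    memcpy(ci->iv, explicit_iv, TLS_CIPHER_AES_GCM_128_IV_SIZE);
    for (int i = 7; i >= 0; i--) {            /* serialize big-endian */
        ci->rec_seq[i] = (unsigned char)(next_seq & 0xff);
        next_seq >>= 8;
    }
    return (int)sizeof(*ci);
}

/* Attach the "tls" ULP and install the transmit keys. Returns 0 or -errno.
 * Afterwards plain write()/sendfile() on fd emits TLS records built by the
 * kernel, or by the NIC when its driver offers TLS TX offload. */
int enable_ktls_tx(int fd, const struct tls12_crypto_info_aes_gcm_128 *ci)
{
    if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")) < 0)
        return -errno;   /* ENOENT: tls module absent; ENOTCONN: socket not connected */
    if (setsockopt(fd, SOL_TLS, TLS_TX, ci, sizeof(*ci)) < 0)
        return -errno;   /* EINVAL: version/cipher the kernel does not support */
    return 0;
}
```

The receive direction is the same with TLS_RX and the peer's write keys; once both are set, user space no longer touches record encryption, which is what moves the AES work into the kernel or NIC measured in the KTLS cases.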

In our study, we looked at a variety of application traffic with varying needs for throughput and latency and varying amounts of data transmitted per session. Our experiments covered all the TLS implementations mentioned earlier under three scenarios: (1) baseline, where there is no packet drop or reordering, (2) deterministic packet drop introduced by a middlebox, and (3) packet reordering introduced by a middlebox. In all cases, we measured transaction rates, throughput and transaction latency factored over CPU utilization. In our talk, we will present these results and conclude with a recommendation on which implementation to use depending on the application traffic characteristics and needs.