
vita

Vita: simple and fast VPN gateway
License: Apache-2.0 License
Development language: C/C++
Category: Program development, Network toolkits
Software type: Open source software
Region: Unknown
Submitted by: 贺宜修
Operating system: Cross-platform
Open source organization:
Target audience: Unknown
Software overview

Vita is a high-performance IPsec VPN gateway designed with medium and large network operators in mind. It is written in a high-level language (Lua) and achieves high performance via networking in userspace, i.e. bypassing the kernel network stack.

Project goals

  • Provide a low-cost, open source solution to network traffic encryption at scale

  • Support stand-alone operation as well as SAs established by third-party software such as StrongSwan

  • Be as fast as possible on generic x86 CPUs, handle 10 Gbps line rate at 60-byte packets and more

  • Avoid vendor lock-in and mandatory, complex dependencies while embracing network operator standards such as NETCONF/YANG

  • Keep it all simple, maintainable, and modular

  • Use strong, modern cryptographic primitives and protocols

WARNING:

Vita is in its early “tech-demo” stage of development and not ready for production yet!

Features

  • ~3 Mpps (or ~5 Gbps of IMIX traffic) per CPU core on modern commodity x86 hardware

  • Scales linearly with CPU cores using RSS and VMDQ

  • Implements IPsec for IPv4 and IPv6, specifically IP Encapsulating Security Payload (ESP) in tunnel mode

  • Uses optimized AES-GCM 128-bit encryption based on a reference implementation by Intel for their AVX2 (generation-4) processors

  • Automated key exchange (AKE) and rotation, with perfect forward secrecy (PFS) and seamless, packet loss-free rekeying

  • Simple, minimal, and modern AKE protocol based on Noise (audit welcome, see README.exchange)

  • Can act also as a pure data-plane and consume SAs established by other means

  • Configuration and runtime state modelled by a native YANG schema. Supports dynamic reconfiguration via NETCONF RPCs (update routes while running)

  • Strong observability (access relevant statistics of a running Vita node via NETCONF get-state RPCs) and full ICMP visibility (tunnel appears as two hops in traceroute, PMTUD support, all inbound ICMP messages are logged)

  • Written in Lua—a simple, high-level programming language—and x86 assembly

Documentation

Articles

Presentations

Podcasts

Getting started

Vita runs on any modern Linux/x86-64 distribution. You will need a compatible x86 CPU with support for AES-NI and AVX-2. For network interfaces you have the following supported options:

  • Intel chipsets i210, i350, and 82599
  • Intel AVF capable VFs e.g. from a X710 and XL710
  • Linux XDP capable interfaces

Important note: Snabb needs Linux to be booted with iommu=off for its native device drivers to function.
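A preflight check for the two host requirements just stated (AES-NI and AVX2 CPU flags, and a kernel booted with iommu=off), added here as an example and not part of Vita or Snabb. The sample flag and command-line strings are constructed, and VITA_PREFLIGHT_LIVE is an assumed variable name for switching to the live host.

```shell
#!/bin/sh
# Checks the host against the Vita requirements above (added example, not Vita's own code).
# On Linux x86 the AES-NI instruction set shows up in /proc/cpuinfo as the "aes" flag
# and AVX2 as "avx2"; Snabb's native drivers additionally need iommu=off on the kernel command line.

# cpu_flags_ok FLAGS: 0 if FLAGS (a space-separated /proc/cpuinfo "flags" value) has both aes and avx2
cpu_flags_ok() {
  case " $1 " in
    *" aes "*) ;;
    *) return 1 ;;
  esac
  case " $1 " in
    *" avx2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# iommu_off CMDLINE: 0 if the kernel command line carries the iommu=off parameter
iommu_off() {
  case " $1 " in
    *" iommu=off "*) return 0 ;;
    *) return 1 ;;
  esac
}

# vita_preflight FLAGS CMDLINE: reports both findings, returns 0 only when both checks pass
vita_preflight() {
  _rc=0
  if cpu_flags_ok "$1"; then echo "cpu: aes-ni and avx2 present"
  else echo "cpu: missing aes-ni or avx2"; _rc=1; fi
  if iommu_off "$2"; then echo "kernel: iommu=off set"
  else echo "kernel: iommu=off missing (needed for Snabb native drivers)"; _rc=1; fi
  return $_rc
}

# Constructed sample inputs (not captured from a real machine)
SAMPLE_FLAGS_OK="fpu vme de pse tsc msr aes avx avx2 sse4_2"
SAMPLE_FLAGS_NO_AVX2="fpu vme de pse tsc msr aes avx sse4_2"
SAMPLE_CMDLINE_OK="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro iommu=off quiet"
SAMPLE_CMDLINE_BAD="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"

# Set VITA_PREFLIGHT_LIVE=1 (assumed name) to check the machine this runs on instead of the samples.
if [ "${VITA_PREFLIGHT_LIVE:-0}" = 1 ]; then
  flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
  vita_preflight "$flags" "$(cat /proc/cmdline)"
else
  vita_preflight "$SAMPLE_FLAGS_OK" "$SAMPLE_CMDLINE_OK"
fi
```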

$ git clone https://github.com/inters/vita
$ cd vita
$ RECIPE=Makefile.vita make -j
$ sudo src/vita --help

Setting RECIPE=Makefile.vita causes a release build to be built (as opposed to a test build).

The vita binary is stand-alone, includes useful auxiliary applications (like snabb top and snabb pci_bind), and can be copied between machines.

For example, to install Vita and the Snabb monitoring tool on the local machine:

$ sudo cp src/vita /usr/local/bin/vita
$ sudo ln -s vita /usr/local/bin/snabb-top

Benchmarking

End-to-end benchmarking procedures are documented in vita-loadtest.md.

Deployment

Vita is a high-performance L3 VPN gateway you can use to interconnect your networks. Vita acts as a tunnel between your local, private network and any number of remote Vita gateways. With it, nodes spread across your outposts can communicate with each other with confidentiality and authenticity ensured at the network layer.

Vita is probably more efficient at encapsulating traffic than your application servers. You can free cycles for your application by offloading your packet encryption and authentication workload to Vita.

A Vita network can be as small as two nodes with a single route, and as large as you like. For each pair of Vita gateways, a separate secure tunnel (route) can be established—“can be” because a Vita network does not need to be a full mesh, instead arbitrary hierarchies are supported on a route-by-route basis. Each route uses a pre-shared super key that is installed on both ends of the route. These keys need to be configured only once, and only need renewal when compromised, in which case the breach will affect only the route in question. The actual keys used to encrypt the traffic are ephemeral, and negotiated by Vita automatically, with no manual intervention required.

Deploying Vita is easy, and not invasive to your existing infrastructure. It can be as simple as adding an entry to the IP routing table of your default gateway, to ensure that packets to destinations within your private network are routed over an extra hop: the Vita gateway. Whether Vita forwards the encapsulated packets back to your default gateway, or directly to your modem depends on your setup, and is freely configurable.

To configure a Vita route, you need to specify the address prefix of the destination subnetwork, and the public IP address of the target Vita gateway (in addition to the pre-shared key). At the other end, you specify the source prefix and gateway address in symmetry. You can even add and remove routes while Vita is running, without affecting unrelated routes.

Powered by

Snabb is a simple and fast packet networking toolkit with a wonderful community.

Sponsored by

NLnet funded Vita development in 2018/2019 with their generous donation.
