Google has published as open source an encryption scheme it created to protect traffic travelling between its data centres.
PSP, which the company explains is a recursive acronym that stands for PSP Security Protocol, was created to relieve Google’s processors of the growing burden of software-based encryption.
The company is touting PSP as a success in its own environment, and said it is "making PSP open source to encourage broader adoption by the community and hardware implementation by additional NIC [network interface card] vendors."
PSP offloads encryption to NICs, something already possible with existing encryption schemes, but according to Google, not at the scale or with the traffic coverage the cloud giant needed.
“At Google’s scale,” the company wrote when announcing its decision, “the cryptographic offload must support millions of live transmission control protocol (TCP) connections and sustain 100,000 new connections per second at peak.”
Existing security protocols had their own shortcomings, according to Google Cloud’s Amin Vahdat and Soheil Hassas Yeganeh.
“While TLS meets our security requirements, it is not an offload-friendly solution because of the tight coupling between the connection state in the kernel and the offload state in hardware. TLS also does not support non-TCP transport protocols, such as UDP”, they explained.
The IPSec protocol, on the other hand, can be offloaded to hardware, but not at the required scale.
“IPSec … cannot economically support our scale partly because they store the full encryption state in an associative hardware table with modest update rates,” the post explained.
Google explained that PSP is a “TLS-like protocol that is transport-independent, enables per-connection security, and is offload-friendly”.
PSP is also a stateless protocol, “avoiding hardware state explosion compared to typical stateful encryption technologies maintaining large on-device tables”.
To create PSP, Google added a custom header and trailer to standard User Datagram Protocol (UDP) encapsulation.
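The sketch below is an added illustration of the stateless idea, not Google's code and not the PSP wire format: the receiver keeps one device secret and recomputes each connection's key from an identifier carried in the packet header, so its state does not grow with the number of connections. The 12-byte header (a connection identifier, called an SPI here, plus a packet counter), the use of HMAC-SHA256 for both key derivation and the trailer tag, and all class and function names are assumptions made for the example; encryption and replay protection are left out.

```python
import hashlib
import hmac
import os
import struct

# Assumed simplified header (not the PSP wire format): 4-byte SPI + 8-byte counter.
HDR = struct.Struct("!IQ")
TAG_LEN = 16  # length of the truncated integrity tag carried as the trailer


class StatelessReceiver:
    """Holds one device secret; per-connection keys are recomputed per packet."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key
        self._next_spi = 1

    def _derive(self, spi: int) -> bytes:
        # HMAC-SHA256 stands in for the KDF: key = f(device secret, SPI).
        msg = b"conn-key" + struct.pack("!I", spi)
        return hmac.new(self._device_key, msg, hashlib.sha256).digest()

    def open_connection(self):
        """Give the peer an (SPI, key) pair; nothing is stored per connection."""
        spi = self._next_spi
        self._next_spi += 1
        return spi, self._derive(spi)

    def verify(self, packet: bytes):
        """Return the payload if the trailer tag is valid, otherwise None."""
        if len(packet) < HDR.size + TAG_LEN:
            return None
        spi, _counter = HDR.unpack_from(packet)
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self._derive(spi), body, hashlib.sha256).digest()
        return body[HDR.size:] if hmac.compare_digest(tag, expected[:TAG_LEN]) else None


def seal(spi: int, key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: header + payload + tag trailer (integrity only in this sketch)."""
    body = HDR.pack(spi, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def demo():
    rx = StatelessReceiver(os.urandom(32))
    conns = [rx.open_connection() for _ in range(10_000)]  # constructed sample load
    spi, key = conns[4242]
    pkt = seal(spi, key, 1, b"hello")
    tampered = pkt[:HDR.size] + b"jello" + pkt[-TAG_LEN:]
    wrong_spi = HDR.pack(spi + 1, 1) + pkt[HDR.size:]
    # The receiver still holds two fields after opening 10,000 connections.
    return rx.verify(pkt), rx.verify(tampered), rx.verify(wrong_spi), len(vars(rx))
```

A stateful design would instead add one table entry per connection, which is the on-device table growth the article's quotes describe.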
There are currently three implementations of PSP: one for Google’s Andromeda Linux virtualisation kernel; one for its Snap networking system; and an application-layer version, SoftPSP, created so Google Cloud customers could use PSP on computers with conventional NICs.