Demystifying AMD SEV Performance Penalty for NFV Deployment
Syafiq Al Atiiq, Aris Cahyadi Risdianto

TL;DR
This paper evaluates the performance impact of AMD SEV-SNP on running unmodified network functions like Snort, revealing a roughly 20% slowdown, and discusses its implications for secure NFV deployment.
Contribution
It provides the first detailed analysis of AMD SEV-SNP's performance overhead for NFV workloads without requiring application modifications.
Findings
Approximately 20% performance penalty observed
SEV-SNP effectively encrypts VM memory without application changes
Trade-off between security and performance for NFV deployment
Abstract
Network Function Virtualization (NFV) has shifted communication networks towards more adaptable software solutions, but this transition raises new security concerns, particularly in public cloud deployments. While Intel's Software Guard Extensions (SGX) offers a potential remedy, it requires complex application adaptations. This paper investigates AMD's Secure Encrypted Virtualization (SEV) as an alternative approach for securing NFV. SEV encrypts virtual machine (VM) memory, protecting it from threats, including those at the hypervisor level, without requiring application modifications. We explore the practicality and performance implications of executing native network function (NF) implementations in AMD SEV-SNP, the latest iteration of SEV. Our study focuses on running an unmodified Snort NF within SEV. Results show an average performance penalty of approximately 20% across various…
Taxonomy
Topics: Silicon and Solar Cell Technologies
