REFS: a novel framework for accelerated receive encrypted flow steering

Abstract In virtual private network (VPN) tunnel mode, the entire original packet, including the header’s five-tuple information, is encrypted, which prevents traditional scheduling algorithms from evenly distributing packets to central processing unit (CPU) cores based on packet header information. To address the need for data security and encrypted packet scheduling, we propose a novel framework, named REFS (receive encrypted flow steering), for accelerated receive encrypted flow steering. This work creatively adopts a new method that allows encrypted packets to be distributed across CPU cores without decrypting them, overcoming limitations of traditional scheduling approaches. It efficiently distributes encrypted packets across CPU cores, enabling dynamic allocation of CPU resources. A key feature of REFS is its ability to perform this distribution without decrypting the packets, which enhances dynamic load balancing and improves system responsiveness. When integrated into the Linux kernel’s VPN functionality, REFS can potentially increase throughput by up to 50% compared to WireGuard, which is a benchmark for kernel-based VPN performance. Upon integration of REFS into userspace, network performance shows significant improvements: throughput doubles, while latency is reduced by 80%.