In this talk Balakrishna Bhamidipati and Vijay Ram Inavolu describe total offload of TLS from the host onto a DPU. They run a reverse-proxy on the NIC to handle MCP traffic. This moves TLS termination, OAuth2/JWT validation, and session-aware L7 routing off the host and onto the NIC. The authors will describe the packet path, kTLS activation and fallback, session lifecycle, backend affinity, and SSE relay, showing how the design can be reproduced on commodity DPUs without any kernel modifications.
https://netdevconf.info/0x1A/sessions/talk/macsec-protected-rdma-on-dpus-fro...
In the second talk Alkama Hasan and Vijay Ram Inavolu describe how they resolve the hard problem of security for zero-copy mechanisms like RDMA. In such approaches, the payload bypasses the network stack altogether, leaving the app outside the security fence that typically protects ordinary host networking.
Large-scale AI and HPC jobs depend on RDMA to move data between nodes. MACsec is a natural fit to resolve this security challenge at layer 2. So what does such a DPU approach offer above the NICs that support MACsec offload today? Well, merely offloading MACsec lacks the ability to interact with a multi-tenant cluster orchestrator, something a DPU-based approach can do. IOW, an orchestrator (Kubernetes in this case) has no visibility into which nodes actually offer MACsec-protected RDMA egress, so a workload can't request placement on such a node. The authors illustrate this by making MACsec a schedulable property exposed in the node's ResourceSlice via DRANet-Sec, allowing workloads to land on the right nodes automatically.
https://netdevconf.info/0x1A/sessions/talk/macsec-protected-rdma-on-dpus-fro...
cheers, jamal
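As an added illustration (not from the talk, and not DRANet-Sec's own manifests), this is what exposing MACsec-protected RDMA as a schedulable property looks like with Kubernetes Dynamic Resource Allocation: the DPU driver publishes a ResourceSlice for its node, a DeviceClass narrows devices to that driver, and a workload asks for a matching device through a ResourceClaimTemplate with a CEL selector. The object layout follows resource.k8s.io/v1beta1; the driver name dranet-sec.example.com, the device and attribute names, the node name and the container image are assumptions.

```yaml
# Published by the DPU driver for the node it runs on (assumed driver name
# dranet-sec.example.com; attribute names are illustrative, not the real
# DRANet-Sec schema).
apiVersion: resource.k8s.io/v1beta1
kind: ResourceSlice
metadata:
  name: node-a-dranet-sec
spec:
  nodeName: node-a
  driver: dranet-sec.example.com
  pool:
    name: node-a
    generation: 1
    resourceSliceCount: 1
  devices:
  - name: rdma0
    basic:
      attributes:
        macsecProtected:   # true only where the DPU encrypts RDMA egress
          bool: true
        rdma:
          bool: true
---
# Class that selects devices from this driver; workloads reference it by name.
apiVersion: resource.k8s.io/v1beta1
kind: DeviceClass
metadata:
  name: dranet-sec-nic
spec:
  selectors:
  - cel:
      expression: device.driver == "dranet-sec.example.com"
---
# The workload's request: a NIC from the class whose macsecProtected attribute
# is true. Unqualified attribute names live under the driver's domain in CEL.
apiVersion: resource.k8s.io/v1beta1
kind: ResourceClaimTemplate
metadata:
  name: macsec-rdma-nic
spec:
  spec:
    devices:
      requests:
      - name: nic
        deviceClassName: dranet-sec-nic
        selectors:
        - cel:
            expression: >-
              device.attributes["dranet-sec.example.com"].macsecProtected == true
---
# The pod references the template; the DRA scheduler plugin places it only on
# a node whose ResourceSlice advertises a matching device.
apiVersion: v1
kind: Pod
metadata:
  name: allreduce-worker
spec:
  resourceClaims:
  - name: secure-rdma
    resourceClaimTemplateName: macsec-rdma-nic
  containers:
  - name: worker
    image: example.com/hpc-worker:latest   # placeholder image
    resources:
      claims:
      - name: secure-rdma
```

No nodeSelector or taint is involved: a node whose driver does not advertise macsecProtected simply has no device that satisfies the selector, so the scheduler never considers it, and a device that loses the property (a new ResourceSlice generation without the attribute) stops matching for future placements.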