kTLS overview

Olga Semme

Overview

Kernel TLS (kTLS) — implementation of the TLS protocol based on the transfer of some operations, including encryption and decryption, to the Linux kernel level, which reduces the load on the processor and improves performance.

Kafka supports kTLS starting with ADS 3.9.0.1.b1.

The following describes how a Kafka consumer and broker interact when using traditional TLS and when using kTLS.

Key concepts used to describe:

  • Transport layer security (TLS) is a cryptographic protocol that provides secure data transfer over a network when exchanging data between two applications. It is an improved version of the secure sockets layer (SSL) protocol.

  • Kernel space is a memory area reserved for the operating system kernel, its extensions, and device drivers.

  • User space is the address space of the operating system’s virtual memory intended for user programs, separated from the kernel space to ensure system security and stability.

  • TLS handshake is the interaction between a client and a server when connecting. During the handshake, the TLS version used, the ciphers used, the keys are exchanged and the signatures of the SSL certification center are verified, and session keys are generated for using symmetric encryption.

  • Network interface controller (NIC) is a hardware device for interacting with a network.

  • NIC buffer is a memory area used by the network card for temporary storage of data during reception and transmission.

  • Socket is an abstraction in Linux for exchanging data between processes or devices. In the Linux kernel, sockets are implemented as data structures that allow the system to handle network operations without directly accessing the hardware details.

  • File descriptor is a natural number (identifier) assigned to a specific input/output stream.

Kafka with TLS

Kafka and traditional TLS
Kafka and traditional TLS
Kafka and traditional TLS
Kafka and traditional TLS

When a connection is established between a client (consumer) and a Kafka broker after a TLS handshake, the user space application makes a read system call. The file descriptor, pointer to the application buffer, and other data to be read are then passed to the kernel. The data is copied through the kernel buffer to the application buffer, encrypted (in the user space), and, using the write system call, written to the network card buffer (in the kernel space) file descriptor, data buffer, and number of bytes to write, and sent to the consumer.

Disadvantages:

  • Each data packet is copied twice between the kernel and user space, causing delays due to additional operations and switches between the kernel and user space.

  • High CPU load due to encryption being performed in software mode.

Kafka and kTLS

Kafka and kTLS
Kafka and kTLS
Kafka and kTLS
Kafka and kTLS

When a connection is established between a client (consumer) and a Kafka broker, after a TLS handshake (which is still done in user space), the application makes a sendfile system call, which copies the data between two file descriptors, i.e. the data is copied directly from the kernel cache to the NIC buffer.

To perform data encryption in the kernel space, a special TLS socket file descriptor (KTLS) is created, where information about session keys, identifiers, and data encryption is extracted from the TLS library. Data is encrypted directly in the kernel before being sent to the network.

Encrypted data is decrypted in the kernel before being passed to user space, if so requested by the application.

Advantages:

  • Enforce the zero-copy principle — the sendfile system call copies data between one file descriptor and another one immediately within the kernel, instead of a combination of read and write calls that perform data transfer to and from user space. This reduces the load on the processor and improves performance and efficiency, which is especially important when transferring large amounts of data.

  • Reduced CPU load by offloading encryption/decryption operations to the kernel.

  • Improved throughput and reduced latency when transmitting data over secure channels.

  • Transparent integration with existing TLS libraries (e.g. OpenSSL) via the kernel API.

IMPORTANT

To support kTLS, you need an operating system kernel version 5.9 or higher. kTLS mode is enabled by default. However, if your kernel version is lower than required, you will be rolled back to the default mode.
Found a mistake? Seleсt text and press Ctrl+Enter to report it