Demystifying AMD SEV Performance Penalty for NFV Deployment

Network Function Virtualization (NFV) has shifted communication networks towards more adaptable software solutions, but this transition raises new security concerns, particularly in public cloud deployments. While Intel’s Software Guard Extensions (SGX) offers a potential remedy, it requires complex application adaptations. This paper investigates AMD’s Secure Encrypted Virtualization (SEV) as an alternative approach for securing NFV. SEV encrypts virtual machine (VM) memory, protecting it from threats, including those at the hypervisor level, without requiring application modifications. We explore the practicality and performance implications of executing native Network Function (NF) implementations in AMD SEV-SNP, the latest iteration of SEV at the time of writing this paper. Our study focuses on running an unmodified Snort NF within SEV. Results show an average performance penalty of approximately 20% across various traffic and packet configurations, showing a trade-off between security and performance that may or may not be acceptable for different NFV deployments.