Google opens its developments around the PSP secure network protocol

Google has announced the publication of the specification and reference implementation of PSP (PSP Security Protocol), the protocol it uses to encrypt traffic between data centers. PSP follows the IPsec ESP (Encapsulating Security Payload) model of IP traffic encapsulation, providing encryption, cryptographic integrity protection and source authentication. The PSP implementation code is distributed under the Apache 2.0 license.

A distinguishing feature of PSP is that the protocol is designed to reduce load on the central processor by offloading encryption and decryption to the network card. Using this hardware acceleration requires a network card that supports PSP; for systems whose network cards do not, a software implementation, SoftPSP, is offered.

UDP is used as the transport. A PSP packet begins with an IP header, followed by a UDP header and then the PSP header carrying the encryption and authentication parameters. The contents of the original TCP/UDP packet come next, and the packet ends with a PSP trailer holding a checksum that confirms integrity. The PSP header, together with the header and data of the encapsulated packet, is always authenticated to confirm the packet's authenticity. The data of the encapsulated packet can be encrypted, and encryption may be applied selectively, leaving part of the TCP header unencrypted (while keeping it under integrity protection), for example so that transit network equipment can inspect the packets.
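The packet layout and the selective-encryption option described above, and the AES-GCM versus AES-GMAC choice discussed below, as an added example that is not Google's PSP code and is not taken from the page. It assumes a simplified 16-byte header (next header, header length, crypt offset in bytes, flags, SPI, 64-bit IV) modeled loosely on the PSP design; the outer IP and UDP headers are omitted, the real protocol's field sizes and units are not reproduced, and the key and packet contents are constructed sample values. The cleartext prefix of the payload (here a TCP header) is passed as associated data so it stays readable in transit yet cannot be altered without the receiver's integrity check failing.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Mode selects how the encapsulated packet is protected.
type Mode int

const (
	ModeGCM  Mode = iota // AES-GCM: authenticate everything, encrypt payload past the crypt offset
	ModeGMAC             // AES-GMAC: authenticate everything, encrypt nothing
)

// HdrLen is the size of the illustrative header (assumption, not the real PSP layout):
// nextHdr(1) | hdrExtLen(1) | cryptOffset(1) | flags(1) | SPI(4) | IV(8)
const HdrLen = 16

// Encapsulate returns header || cleartext prefix || ciphertext || tag.
// The first cryptOffset bytes of payload are authenticated but left in clear;
// in GMAC mode the whole payload is left in clear.
func Encapsulate(key []byte, spi uint32, iv uint64, cryptOffset int, payload []byte, mode Mode) ([]byte, error) {
	if mode == ModeGMAC {
		cryptOffset = len(payload)
	}
	if cryptOffset < 0 || cryptOffset > len(payload) || cryptOffset > 255 {
		return nil, errors.New("crypt offset out of range")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, HdrLen)
	hdr[0] = 6 // next header: TCP (IANA protocol number) in this constructed sample
	hdr[1] = 1 // header extension length placeholder
	hdr[2] = byte(cryptOffset)
	hdr[3] = 0x01 // version/flags placeholder
	binary.BigEndian.PutUint32(hdr[4:8], spi)
	binary.BigEndian.PutUint64(hdr[8:16], iv)
	// SPI || IV forms the 12-byte GCM nonce; a (key, nonce) pair must never repeat.
	nonce := hdr[4:16]
	// Everything before the encrypted region is associated data: header plus clear prefix.
	aad := append(append([]byte{}, hdr...), payload[:cryptOffset]...)
	out := make([]byte, 0, HdrLen+len(payload)+gcm.Overhead())
	out = append(out, hdr...)
	out = append(out, payload[:cryptOffset]...)
	// Seal appends ciphertext followed by the 16-byte tag that plays the trailer's role.
	out = gcm.Seal(out, nonce, payload[cryptOffset:], aad)
	return out, nil
}

// Decapsulate verifies the whole packet and returns the original payload.
func Decapsulate(key []byte, pkt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(pkt) < HdrLen+gcm.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:HdrLen]
	cryptOffset := int(hdr[2])
	if HdrLen+cryptOffset+gcm.Overhead() > len(pkt) {
		return nil, errors.New("crypt offset exceeds packet length")
	}
	clear := pkt[HdrLen : HdrLen+cryptOffset]
	sealed := pkt[HdrLen+cryptOffset:]
	aad := append(append([]byte{}, hdr...), clear...)
	plain, err := gcm.Open(nil, hdr[4:16], sealed, aad)
	if err != nil {
		// Any change to header, clear prefix, ciphertext or tag lands here.
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	return append(append([]byte{}, clear...), plain...), nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16)                // constructed sample key
	tcpHdr := bytes.Repeat([]byte{0xAA}, 20)             // stands in for a 20-byte TCP header
	payload := append(append([]byte{}, tcpHdr...), []byte("application data")...)
	pkt, _ := Encapsulate(key, 0x1000, 1, len(tcpHdr), payload, ModeGCM)
	fmt.Printf("TCP header visible in transit: %v\n", bytes.HasPrefix(pkt[HdrLen:], tcpHdr))
	pkt[HdrLen] ^= 0x01 // tamper with the clear prefix
	_, err := Decapsulate(key, pkt)
	fmt.Println("tampered packet rejected:", err != nil)
}
```

The crypt offset is what makes the "inspectable but tamper-evident" mode work: the receiver rebuilds the associated data from the bytes it received, so a middlebox can read the TCP header but any modification to it invalidates the tag. GMAC mode is the degenerate case where the offset covers the whole payload and the sealed region contains only the tag.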

PSP is not tied to any particular key exchange protocol, offers several packet format options and supports different cryptographic algorithms. For example, AES-GCM is supported for encryption combined with authentication, and AES-GMAC for authentication without encrypting the data itself, for cases where the data is not confidential but it must be guaranteed that it was not altered in transit and is exactly what was originally sent.

/Media reports.