Executive Summary

The Protocol: AF_VSOCK (Virtual Sockets) is a zero-configuration point-to-point channel between Parent and Enclave.
The Speed: 42µs idle latency (vs 280µs for TCP/IP). It bypasses routing, firewalls, and packet assembly.

Secure Enclaves (like AWS Nitro Enclaves) require a communication channel with their parent instance. This report analyzes why AF_VSOCK is the superior protocol compared to standard TCP/IP.

Latency (Round Trip)

~42 µs

Using Vsock (Direct)

Latency (TCP)

~280 µs

Standard Stack Overhead

Throughput Gain

2.5x

Vsock vs TCP (Large Payloads)

Architectural Path Analysis

Explore the structural difference between a standard TCP packet flow and a Vsock stream. Trace the path a message takes from the Parent Instance to the Enclave.

Parent Instance (Host)

Application

TCP/IP Stack (Kernel)

Routing, Firewall, Assembly

Vsock Driver (Kernel)

Direct Bus Access

HYPERVISOR / VIRTIO

Secure Enclave (Guest)

Enclave App

TCP/IP Stack (Kernel)

Virtio Vsock Device

Vsock Path: Direct. Data moves from the App directly to the Virtio driver, which copies it to shared memory. No network headers, no routing.

1. Zero Routing

Vsock uses a simple CID (Context ID) and Port. The hypervisor knows exactly where the guest memory is. No routing tables or ARP lookups.

2. No Packet Assembly

TCP breaks data into MTU-sized packets, adding headers to each. Vsock writes data streams directly into the Virtio ring buffer in shared memory.

Latency Benchmarks

Comparing Round-Trip Time (Latency) and max Throughput. Lower latency is critical for request-response patterns typical in enclave signing operations.

Anatomy of 42µs

How does Vsock achieve such low latency? By eliminating the "Network Tax." Standard TCP/IP involves packet segmentation, checksums, routing table lookups, and firewall rules—even for local traffic. Vsock strips this down to raw memory copies.

TCP Stack Overhead~280µs Total

Syscall

Protocols

Routing

Driver

IRQ

Vsock Stack Efficiency~42µs Total

Sys

Copy

IRQ

← 85% Overhead Removed

Executive Summary

The Protocol: AF_VSOCK (Virtual Sockets) is a zero-configuration point-to-point channel between Parent and Enclave.
The Speed: 42µs idle latency (vs 280µs for TCP/IP). It bypasses routing, firewalls, and packet assembly.

Secure Enclaves (like AWS Nitro Enclaves) require a communication channel with their parent instance. This report analyzes why AF_VSOCK is the superior protocol compared to standard TCP/IP.

Latency (Round Trip)

~42 µs

Using Vsock (Direct)

Latency (TCP)

~280 µs

Standard Stack Overhead

Throughput Gain

2.5x

Vsock vs TCP (Large Payloads)

Architectural Path Analysis

Explore the structural difference between a standard TCP packet flow and a Vsock stream. Trace the path a message takes from the Parent Instance to the Enclave.

Parent Instance (Host)

Application

TCP/IP Stack (Kernel)

Routing, Firewall, Assembly

Vsock Driver (Kernel)

Direct Bus Access

HYPERVISOR / VIRTIO

Secure Enclave (Guest)

Enclave App

TCP/IP Stack (Kernel)

Virtio Vsock Device

Vsock Path: Direct. Data moves from the App directly to the Virtio driver, which copies it to shared memory. No network headers, no routing.

1. Zero Routing

Vsock uses a simple CID (Context ID) and Port. The hypervisor knows exactly where the guest memory is. No routing tables or ARP lookups.

2. No Packet Assembly

TCP breaks data into MTU-sized packets, adding headers to each. Vsock writes data streams directly into the Virtio ring buffer in shared memory.

Latency Benchmarks

Comparing Round-Trip Time (Latency) and max Throughput. Lower latency is critical for request-response patterns typical in enclave signing operations.

Anatomy of 42µs

TCP Stack Overhead~280µs Total

Syscall

Protocols

Routing

Driver

IRQ

Vsock Stack Efficiency~42µs Total

Sys

Copy

IRQ

← 85% Overhead Removed