[dpdk-dev] [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw
Medvedkin, Vladimir
vladimir.medvedkin at intel.com
Fri Jan 17 18:05:26 CET 2020
Hi Akhil,
Indeed, in our tests we are also seeing a ~15% perf drop for small packets
(~90B) and a ~3-4% drop for 1KB packets. While I am looking for ways to
minimize the drop, I think it would be hard, if possible at all, to
eliminate it completely.
The reason for that: the current SAD implementation is completely synthetic
(using a plain array structure indexed by SPI value). That provides very
low overhead, but doesn't provide the expected functionality and can't be
used in a proper implementation.
To measure plain IPsec performance without SAD, the user can still use
the '--single-sa' option.
On 15/01/2020 15:45, Akhil Goyal wrote:
> Hi Vladimir,
>
> There is more than 10% drop with this patchset on NXP hardware with both legacy mode and the ipsec lib mode. This would need some debugging.
> Didn't you see any drop on Intel?
>
> Regards,
> Akhil
>
>> -----Original Message-----
>> From: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
>> Sent: Tuesday, January 14, 2020 7:57 PM
>> To: dev at dpdk.org
>> Cc: konstantin.ananyev at intel.com; Akhil Goyal <akhil.goyal at nxp.com>
>> Subject: [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw
>>
>> This series integrates SA database (SAD) capabilities from ipsec library.
>> The goal is to make ipsec-secgw RFC compliant regarding inbound SAD.
>> Also patch series removes hardcoded limitation for maximum number of SA's
>> and SP's.
>>
>> v4:
>> - put tunnel SA's into SAD with SPI_ONLY type for performance reason
>>
>> v3:
>> - parse SA and SP into sorted array instead of linked list
>>
>> v2:
>> - get rid of maximum sp limitation
>>
>> Vladimir Medvedkin (5):
>> ipsec: move ipsec sad name length into .h
>> examples/ipsec-secgw: implement inbound SAD
>> examples/ipsec-secgw: integrate inbound SAD
>> examples/ipsec-secgw: get rid of maximum sa limitation
>> examples/ipsec-secgw: get rid of maximum sp limitation
>>
>> examples/ipsec-secgw/Makefile | 1 +
>> examples/ipsec-secgw/ipsec-secgw.c | 4 +-
>> examples/ipsec-secgw/ipsec.h | 11 +-
>> examples/ipsec-secgw/meson.build | 2 +-
>> examples/ipsec-secgw/parser.c | 4 +
>> examples/ipsec-secgw/parser.h | 9 ++
>> examples/ipsec-secgw/sa.c | 256 +++++++++++++++++++++++--------------
>> examples/ipsec-secgw/sad.c | 90 +++++++++++++
>> examples/ipsec-secgw/sad.h | 74 +++++++++++
>> examples/ipsec-secgw/sp4.c | 114 ++++++++++++-----
>> examples/ipsec-secgw/sp6.c | 112 +++++++++++-----
>> lib/librte_ipsec/ipsec_sad.c | 20 +--
>> lib/librte_ipsec/rte_ipsec_sad.h | 2 +
>> 13 files changed, 528 insertions(+), 171 deletions(-)
>> create mode 100644 examples/ipsec-secgw/sad.c
>> create mode 100644 examples/ipsec-secgw/sad.h
>>
>> --
>> 2.7.4
--
Regards,
Vladimir