[dpdk-dev] [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw

Medvedkin, Vladimir vladimir.medvedkin at intel.com
Fri Jan 17 18:05:26 CET 2020


Hi Akhil,

Indeed, in our tests we are also seeing a ~15% perf drop for small packets 
(~90B) and a ~3-4% drop for 1KB packets. While I am looking at ways to 
minimize the drop, I think it would be hard, if possible at all, to 
eliminate it completely.
The reason for that: the current SAD implementation is completely synthetic 
(using a plain array structure indexed by SPI value). That provides very 
low overhead, but doesn't provide the expected functionality and can't be 
used in a proper implementation.
To measure plain IPsec performance without SAD, the user can still use the 
'--single-sa' option.

On 15/01/2020 15:45, Akhil Goyal wrote:
> Hi Vladimir,
>
> There is more than 10% drop with this patchset on NXP hardware with both legacy mode and the ipsec lib mode. This would need some debugging.
> Didn't you see any drop on Intel?
>
> Regards,
> Akhil
>
>> -----Original Message-----
>> From: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
>> Sent: Tuesday, January 14, 2020 7:57 PM
>> To: dev at dpdk.org
>> Cc: konstantin.ananyev at intel.com; Akhil Goyal <akhil.goyal at nxp.com>
>> Subject: [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw
>>
>> This series integrates SA database (SAD) capabilities from ipsec library.
>> The goal is to make ipsec-secgw RFC compliant regarding inbound SAD.
>> Also patch series removes hardcoded limitation for maximum number of SA's
>> and SP's.
>>
>> v4:
>>   - put tunnel SA's into SAD with SPI_ONLY type for performance reason
>>
>> v3:
>>   - parse SA and SP into sorted array instead of linked list
>>
>> v2:
>>   - get rid of maximum sp limitation
>>
>> Vladimir Medvedkin (5):
>>    ipsec: move ipsec sad name length into .h
>>    examples/ipsec-secgw: implement inbound SAD
>>    examples/ipsec-secgw: integrate inbound SAD
>>    examples/ipsec-secgw: get rid of maximum sa limitation
>>    examples/ipsec-secgw: get rid of maximum sp limitation
>>
>>   examples/ipsec-secgw/Makefile      |   1 +
>>   examples/ipsec-secgw/ipsec-secgw.c |   4 +-
>>   examples/ipsec-secgw/ipsec.h       |  11 +-
>>   examples/ipsec-secgw/meson.build   |   2 +-
>>   examples/ipsec-secgw/parser.c      |   4 +
>>   examples/ipsec-secgw/parser.h      |   9 ++
>>   examples/ipsec-secgw/sa.c          | 256 +++++++++++++++++++++++--------------
>>   examples/ipsec-secgw/sad.c         |  90 +++++++++++++
>>   examples/ipsec-secgw/sad.h         |  74 +++++++++++
>>   examples/ipsec-secgw/sp4.c         | 114 ++++++++++++-----
>>   examples/ipsec-secgw/sp6.c         | 112 +++++++++++-----
>>   lib/librte_ipsec/ipsec_sad.c       |  20 +--
>>   lib/librte_ipsec/rte_ipsec_sad.h   |   2 +
>>   13 files changed, 528 insertions(+), 171 deletions(-)
>>   create mode 100644 examples/ipsec-secgw/sad.c
>>   create mode 100644 examples/ipsec-secgw/sad.h
>>
>> --
>> 2.7.4

-- 
Regards,
Vladimir
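
The trade-off described in the reply above, as an added example (not DPDK or ipsec-secgw code, and not written by either participant): a flat array indexed by SPI can hold only one SA per slot, while a keyed SAD can hold several entries for the same SPI, bound to SPI only, SPI+DIP or SPI+DIP+SIP, and return the most specific match. All names, the table sizes and the linear scan are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define FLAT_SZ 8u /* constructed size, power of two; all names here are hypothetical */
enum key_type { SPI_ONLY, SPI_DIP, SPI_DIP_SIP };
struct sa { uint32_t spi, dip, sip; int used; };
struct rule { struct sa sa; enum key_type type; };
static struct sa flat[FLAT_SZ];   /* synthetic SAD: one slot per SPI index */
static struct rule rules[16];     /* keyed SAD entries */
static size_t nrules;

/* Flat array: the slot depends on the SPI alone. */
int flat_add(uint32_t spi, uint32_t dip, uint32_t sip) {
    struct sa *s = &flat[spi & (FLAT_SZ - 1)];
    if (s->used)
        return -1; /* same or aliasing SPI already installed */
    *s = (struct sa){ spi, dip, sip, 1 };
    return 0;
}

const struct sa *flat_lookup(uint32_t spi) {
    const struct sa *s = &flat[spi & (FLAT_SZ - 1)];
    return (s->used && s->spi == spi) ? s : NULL;
}

/* Keyed SAD: an entry is bound to SPI, SPI+DIP or SPI+DIP+SIP. */
int keyed_add(enum key_type t, uint32_t spi, uint32_t dip, uint32_t sip) {
    if (nrules == sizeof(rules) / sizeof(rules[0]))
        return -1;
    rules[nrules++] = (struct rule){ { spi, dip, sip, 1 }, t };
    return 0;
}

/* The most specific matching entry wins (linear scan for brevity). */
const struct sa *keyed_lookup(uint32_t spi, uint32_t dip, uint32_t sip) {
    const struct rule *best = NULL;
    for (size_t i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if (r->sa.spi != spi || (r->type >= SPI_DIP && r->sa.dip != dip) ||
            (r->type == SPI_DIP_SIP && r->sa.sip != sip))
            continue;
        if (best == NULL || r->type > best->type)
            best = r;
    }
    return best ? &best->sa : NULL;
}

int main(void) { /* second SA with the same SPI is refused by the flat array */
    return (flat_add(0x105, 0x0a000001, 0) == 0 &&
            flat_add(0x105, 0x0a000002, 0) == -1) ? 0 : 1;
}
```

The keyed lookup does more comparisons per packet than the single indexed load of the flat array, which is the kind of per-packet cost that shows up most on small packets.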


