[dpdk-dev] [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw
Akhil Goyal
akhil.goyal at nxp.com
Mon Jan 20 07:44:22 CET 2020
Hi Vladimir,
The SA lookup logic and management is purely requirement based for the application. The application may only cater to <128 SAs which can be handled based on the current logic. –single-sa option cannot handle this.
Sample applications in DPDK are there to showcase the best a hardware can deliver. IMO, we cannot allow this logic on NXP hardwares. We give performance numbers based on IPSec app to customers and we cannot allow 15% degradation.
Other vendors(Marvell, ARM, AMD) please comment?
Regards,
Akhil
From: Medvedkin, Vladimir <vladimir.medvedkin at intel.com>
Sent: Friday, January 17, 2020 10:35 PM
To: Akhil Goyal <akhil.goyal at nxp.com>; dev at dpdk.org
Cc: konstantin.ananyev at intel.com
Subject: Re: [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw
Hi Akhil,
Indeed with our tests we also seeing ~15% perf drop for small packets (~90B) and ~3-4% drop for 1KB packets. While I am looking on a ways to minimize the drop, I think it would be hard, if possible at all to eliminate it completely.
Reason for that: current SAD implementation is completely synthetic (using plain array structure indexed by SPI value). That provides a very low overhead, but doesn't provide expected functionality and can't be used in proper implementation.
To measure plain IPsec performance without SAD user can still use '--signle-sa' option.
On 15/01/2020 15:45, Akhil Goyal wrote:
Hi Vladimir,
There is more than 10% drop with this patchset on NXP hardware with both legacy mode and the ipsec lib mode. This would need some debugging.
Didn't you see any drop on intel?
Regards,
Akhil
-----Original Message-----
From: Vladimir Medvedkin <vladimir.medvedkin at intel.com><mailto:vladimir.medvedkin at intel.com>
Sent: Tuesday, January 14, 2020 7:57 PM
To: dev at dpdk.org<mailto:dev at dpdk.org>
Cc: konstantin.ananyev at intel.com<mailto:konstantin.ananyev at intel.com>; Akhil Goyal <akhil.goyal at nxp.com><mailto:akhil.goyal at nxp.com>
Subject: [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw
This series integrates SA database (SAD) capabilities from ipsec library.
The goal is to make ipsec-secgw RFC compliant regarding inbound SAD.
Also patch series removes hardcoded limitation for maximum number of SA's
and SP's.
v4:
- put tunnel SA's into SAD with SPI_ONLY type for performance reason
v3:
- parse SA and SP into sorted array instead of linked list
v2:
- get rid of maximum sp limitation
Vladimir Medvedkin (5):
ipsec: move ipsec sad name length into .h
examples/ipsec-secgw: implement inbound SAD
examples/ipsec-secgw: integrate inbound SAD
examples/ipsec-secgw: get rid of maximum sa limitation
examples/ipsec-secgw: get rid of maximum sp limitation
examples/ipsec-secgw/Makefile | 1 +
examples/ipsec-secgw/ipsec-secgw.c | 4 +-
examples/ipsec-secgw/ipsec.h | 11 +-
examples/ipsec-secgw/meson.build | 2 +-
examples/ipsec-secgw/parser.c | 4 +
examples/ipsec-secgw/parser.h | 9 ++
examples/ipsec-secgw/sa.c | 256 +++++++++++++++++++++++--------------
examples/ipsec-secgw/sad.c | 90 +++++++++++++
examples/ipsec-secgw/sad.h | 74 +++++++++++
examples/ipsec-secgw/sp4.c | 114 ++++++++++++-----
examples/ipsec-secgw/sp6.c | 112 +++++++++++-----
lib/librte_ipsec/ipsec_sad.c | 20 +--
lib/librte_ipsec/rte_ipsec_sad.h | 2 +
13 files changed, 528 insertions(+), 171 deletions(-)
create mode 100644 examples/ipsec-secgw/sad.c
create mode 100644 examples/ipsec-secgw/sad.h
--
2.7.4
--
Regards,
Vladimir
-->
More information about the dev
mailing list