[dpdk-dev] [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw

Akhil Goyal akhil.goyal at nxp.com
Mon Jan 20 07:44:22 CET 2020


Hi Vladimir,
The SA lookup logic and management is purely requirement based for the application. The application may only cater to <128 SAs which can be handled based on the current logic. --single-sa option cannot handle this.
Sample applications in DPDK are there to showcase the best a hardware can deliver. IMO, we cannot allow this logic on NXP hardware. We give performance numbers based on IPSec app to customers and we cannot allow 15% degradation.
Other vendors (Marvell, ARM, AMD), please comment?
Regards,
Akhil
From: Medvedkin, Vladimir <vladimir.medvedkin at intel.com>
Sent: Friday, January 17, 2020 10:35 PM
To: Akhil Goyal <akhil.goyal at nxp.com>; dev at dpdk.org
Cc: konstantin.ananyev at intel.com
Subject: Re: [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw

Hi Akhil,
Indeed, with our tests we are also seeing ~15% perf drop for small packets (~90B) and ~3-4% drop for 1KB packets. While I am looking at ways to minimize the drop, I think it would be hard, if possible at all, to eliminate it completely.
Reason for that: current SAD implementation is completely synthetic (using plain array structure indexed by SPI value). That provides a very low overhead, but doesn't provide expected functionality and can't be used in proper implementation.
To measure plain IPsec performance without SAD user can still use '--single-sa' option.
On 15/01/2020 15:45, Akhil Goyal wrote:

Hi Vladimir,

There is more than 10% drop with this patchset on NXP hardware with both legacy mode and the ipsec lib mode. This would need some debugging.
Didn't you see any drop on intel?

Regards,
Akhil

-----Original Message-----
From: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
Sent: Tuesday, January 14, 2020 7:57 PM
To: dev at dpdk.org
Cc: konstantin.ananyev at intel.com; Akhil Goyal <akhil.goyal at nxp.com>
Subject: [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw

This series integrates SA database (SAD) capabilities from ipsec library.
The goal is to make ipsec-secgw RFC compliant regarding inbound SAD.
Also patch series removes hardcoded limitation for maximum number of SA's
and SP's.

v4:
 - put tunnel SA's into SAD with SPI_ONLY type for performance reason

v3:
 - parse SA and SP into sorted array instead of linked list

v2:
 - get rid of maximum sp limitation

Vladimir Medvedkin (5):
  ipsec: move ipsec sad name length into .h
  examples/ipsec-secgw: implement inbound SAD
  examples/ipsec-secgw: integrate inbound SAD
  examples/ipsec-secgw: get rid of maximum sa limitation
  examples/ipsec-secgw: get rid of maximum sp limitation

 examples/ipsec-secgw/Makefile      |   1 +
 examples/ipsec-secgw/ipsec-secgw.c |   4 +-
 examples/ipsec-secgw/ipsec.h       |  11 +-
 examples/ipsec-secgw/meson.build   |   2 +-
 examples/ipsec-secgw/parser.c      |   4 +
 examples/ipsec-secgw/parser.h      |   9 ++
 examples/ipsec-secgw/sa.c          | 256 +++++++++++++++++++++++--------------
 examples/ipsec-secgw/sad.c         |  90 +++++++++++++
 examples/ipsec-secgw/sad.h         |  74 +++++++++++
 examples/ipsec-secgw/sp4.c         | 114 ++++++++++++-----
 examples/ipsec-secgw/sp6.c         | 112 +++++++++++-----
 lib/librte_ipsec/ipsec_sad.c       |  20 +--
 lib/librte_ipsec/rte_ipsec_sad.h   |   2 +
 13 files changed, 528 insertions(+), 171 deletions(-)
 create mode 100644 examples/ipsec-secgw/sad.c
 create mode 100644 examples/ipsec-secgw/sad.h

--
2.7.4

--
Regards,
Vladimir
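
The trade-off argued over in this thread, as an added sketch that is not code from the patch series or from DPDK: a table indexed directly by SPI value beside an inbound lookup keyed on SPI plus optional destination and source address, the match order RFC 4301 section 4.1 describes. The 128-slot size, the modulo indexing, the struct layout and every function name are assumptions, and the sample SAs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define SLOTS 128u /* assumed table size, echoing the "<128 SAs" remark */
/* Key types, least to most specific. SPI 0 marks an empty flat slot. */
enum key_type { SPI_ONLY, SPI_DIP, SPI_DIP_SIP };
struct sa { uint32_t spi, dip, sip; enum key_type type; };

static struct sa flat[SLOTS]; /* model 1: plain array indexed by SPI */
static struct sa sad[SLOTS];  /* model 2: keyed by SPI[, DIP[, SIP]] */
static size_t sad_n;
static void flat_add(struct sa s) { flat[s.spi % SLOTS] = s; }

/* Only the SPI is checked, and a later SA in the same slot evicts this one. */
static const struct sa *flat_lookup(uint32_t spi) {
    const struct sa *s = &flat[spi % SLOTS];
    return (spi != 0 && s->spi == spi) ? s : NULL;
}

static int sad_add(struct sa s) {
    if (sad_n == SLOTS) return -1; /* table full */
    sad[sad_n++] = s;
    return 0;
}

/* Most specific matching entry wins; a linear scan stands in for a hash. */
static const struct sa *sad_lookup(uint32_t spi, uint32_t dip, uint32_t sip) {
    const struct sa *best = NULL;
    for (size_t i = 0; i < sad_n; i++) {
        const struct sa *s = &sad[i];
        if (s->spi != spi || (s->type >= SPI_DIP && s->dip != dip)) continue;
        if (s->type == SPI_DIP_SIP && s->sip != sip) continue;
        if (!best || s->type > best->type) best = s;
    }
    return best;
}

/* Constructed SAs: SPIs 5 and 133 both land in flat slot 5. */
static int load_sample(void) {
    struct sa a = { 5, 0x0a000001, 0, SPI_DIP }, b = { 133, 0, 0, SPI_ONLY };
    flat_add(a); flat_add(b); sad_n = 0;
    return sad_add(a) | sad_add(b);
}

int main(void) {
    load_sample();
    printf("flat spi 5: %s\n", flat_lookup(5) ? "found" : "evicted");
    return 0;
}
```

The flat table costs one index operation per packet, which is the low overhead the thread refers to; the keyed lookup pays for comparisons on every packet but keeps both SAs and rejects a packet whose destination does not match the SA's key.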