[dpdk-dev] [EXT] [PATCH] doc: deprecate legacy code path in ipsec-secgw

Ananyev, Konstantin konstantin.ananyev at intel.com
Wed Jul 31 12:19:53 CEST 2019
Previous message: [dpdk-dev] [EXT] [PATCH] doc: deprecate legacy code path in ipsec-secgw
Next message: [dpdk-dev] [EXT] [PATCH] doc: deprecate legacy code path in ipsec-secgw
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi Akhil,

> > > >
> > > > 30/07/2019 10:48, Akhil Goyal:
> > > > > > 30/07/2019 09:20, Akhil Goyal:
> > > > > > > > 30/07/2019 07:55, Akhil Goyal:
> > > > > > > > > > > > > All the functionality of the legacy code path in now available
> > > > > > > > > > > > > in the librte_ipsec library.
> > > > > > > > > > > > > It is planned to deprecate the legacy code path in the 19.11
> > > > > > > > > > > > > release and remove the legacy code path in the 20.02
> > release.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Signed-off-by: Bernard Iremonger
> > > > <bernard.iremonger at intel.com>
> > > > > > > > > > > > > Acked-by: Konstantin Ananyev
> > <konstantin.ananyev at intel.com>
> > > > > > > > > > > > > Acked-by: Fan Zhang <roy.fan.zhang at intel.com>
> > > > > > > > > > > > > Acked-by: Akhil Goyal <akhil.goyal at nxp.com>
> > > > > > > > > > > > > ---
> > > > > > > > > > > > >  doc/guides/rel_notes/deprecation.rst | 5 +++++
> > > > > > > > > > > > >  1 file changed, 5 insertions(+)
> > > > > > > > > > > > >
> > > > > > > > > > > > Acked-by: Anoob Joseph <anoobj at marvell.com>
> > > > > > > > > > >
> > > > > > > > > > > Applied to dpdk-next-crypto
> > > > > > > > > >
> > > > > > > > > > Why do we have a deprecation notice for some code path in an
> > > > example?
> > > > > > > > > > The deprecation notices are for the API.
> > > > > > > > > >
> > > > > > > > > > I think you can drop the legacy code in 19.11,
> > > > > > > > > > and I don't merge this patch in master.
> > > > > > > > >
> > > > > > > > > We are planning to remove the original code and replace it with
> > IPSec
> > > > > > > > > library APIs which are still experimental.
> > > > > > > > > With this change there won't be any example of the legacy ipsec
> > code
> > > > path.
> > > > > >
> > > > > > That's good to drop old code.
> > > > > > If someone still wants to look at it, it is in old releases.
> > > > > >
> > > > > > > > > Applications over DPDK take ipsec-secgw as an example and IPSec
> > > > > > > > > is a major use case for customers. There may also be performance
> > > > > > > > > differences in the two code paths. Atleast on NXP platforms I saw
> > > > > > > > > 5-7% drop when the patches were originally submitted.
> > > > > > > > > Not sure what is the current state.
> > > > > >
> > > > > > That's a different issue you need to solve in the library.
> > > > > >
> > > > > > > > > I feel it is worth notifying the users that the original codepath is
> > > > > > > > > getting deprecated, so that they can plan to move to new IPSec
> > APIs.
> > > > > >
> > > > > > I hope they already planned to move when they saw the new library.
> > > > > >
> > > > > > > > The deprecation notice is not the right place for a change in an
> > example.
> > > > > > > > What change is there in IPsec API? In which release?
> > > > > > >
> > > > > > > IPSec lib was introduced in 1902 release and a few enhancements
> > > > > > > are done thereafter.
> > > > > > > Previously all IPSec related stuff was done in the application,
> > > > > > > now we have IPSec Lib which perform similar work.
> > > > > > > There are changes both in datapath as well as control path.
> > > > > > > User need to adapt to the recent changes, as we may no longer
> > > > > > > support/maintain the datapath/control path which was done previously
> > > > > > > and there may be some conflict.
> > > > > >
> > > > > > So the real DPDK change is to have a new library in 19.02.
> > > > > >
> > > > > > > If deprecation notice is not the right place,
> > > > > > > then where should it be notified before actually making the change.
> > > > > >
> > > > > > It has already been notified in "New Features" of 19.02
> > > > > > that there is an IPsec library. What do you want to notify more?
> > > > > > Again, the example is not supposed to be a real application.
> > > > > > If you want to maintain an IPsec application with better quality rules,
> > > > > > I suggest to start a new git repository for it.
> > > > >
> > > > > OK got your point, but in that case, I would say, legacy code shall not be
> > > > removed
> > > > > Until we have the ipsec lib as experimental.
> > > > > User should have both the code paths as long as we have ipsec library
> > > > experimental.
> >
> > Not sure why it is needed?
> There is some performance gap.

Ok, and you think that keeping legacy code-path  till 20.02
will provide enough time to analyze the perf drop for NXP devices?

> Original Idea for ipsec lib was to have
> better performing APIs.

Not only.
Main reasons were to hide from user complexity of IPsec packet processing
and avoid necessity for each user to re-implement it. 
Also legacy code doesn't provide many important features
(replay window, ESN, multi-seg support, etc.)

> How much gain is observed using these APIs on intel?

It depends.
>From my last observations for inline case library code-path is 10-15%
faster than legacy one. Though I think reason for that in not in the library
itself, but that legacy code handles inline traffic in suboptimal way.
For lookaside - in most cases library and legacy code performance is about the same,
except the case when we have a burst of packets where each packet belongs to different SA.
In that case new code-path is 3-5% slower.
As I understand, main reason is again not the library itself,
but that in new code we try to group packets that belongs 
to the same SA both before and after crypto-dev enqueue/dequeue.
Usually that helps, but for that case it just adds extra overhead (no grouping is possible). 

> Do we have data? Atleast on NXP devices, these are not performing better.
> 
> > Why DPDK sample app can't use DPDK experimental API as it is,
> > without some alternate code-path?
> 
> Sample app can use experimental APIs as is. There is no issue with that.
> The intent is just to notify the users that it will be removed so that they
> can be ready for change in their code.

Ok, but if we don't submit deprecation notice (as Thomas suggested) 
how they'll be notified?
Would there be a separate RN when we'll remove experimental tag
and legacy code? 

> 
> >
> > > >
> > > > That's your take.
> > > > When do you plan to remove experimental status of IPsec library?
> > > >
> > > There have been addition of some functionality in this release cycle. I would
> > say we
> > > can wait for 1 release cycle for some fixes or changes which may be required.
> > > If it looks stable in next release cycle, we can make formal in DPDK 2002.
> >
> > If we'll leave legacy code in 19.11, does it mean we'll have to
> > support it for next 2 years (LTS cycle)?
> 
> The original intent of this patch was also to remove the legacy code in 2002 release and
> not in 1911. Moreover, it is the application code that we need to remove. We can get that patch
> backported to the 19.11.1 release as well. Then it would be same.
>
Previous message: [dpdk-dev] [EXT] [PATCH] doc: deprecate legacy code path in ipsec-secgw
Next message: [dpdk-dev] [EXT] [PATCH] doc: deprecate legacy code path in ipsec-secgw
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the dev mailing list