[dpdk-dev] [RFC 0/5] ipsec: add inbound SAD

Ananyev, Konstantin konstantin.ananyev at intel.com
Thu Sep 12 20:34:41 CEST 2019

> -----Original Message-----
> From: Medvedkin, Vladimir
> Sent: Tuesday, August 13, 2019 4:13 PM
> To: dev at dpdk.org
> Cc: Ananyev, Konstantin <konstantin.ananyev at intel.com>; Iremonger, Bernard <bernard.iremonger at intel.com>
> Subject: [RFC 0/5] ipsec: add inbound SAD
> According to RFC 4301, an IPSec implementation needs an inbound SA database (SAD).
> For each incoming inbound IPSec-protected packet (ESP or AH) it has to
> perform a lookup within its SAD.
> Lookup should be performed by:
> Security Parameters Index (SPI) + destination IP (DIP) + source IP (SIP)
>   or SPI + DIP
>   or SPI only
> and an implementation has to return the “longest” existing match.
> This series extends the DPDK IPsec library with a SAD table implementation that:
> - conforms to the RFC requirements above
> - can scale up to millions of entries
> - supports fast lookups
> - supports incremental updates
> The initial series provides an API to create/destroy a SAD, and to
> add/delete/lookup entries within a given SAD table.
> Under the hood it uses three librte_hash tables, each of which contains
> entries for a specific SA type (either it is addressed by SPI only
> or SPI+DIP or SPI+DIP+SIP). Also, this patch series introduces the test-sad
> application to measure performance of the library. According to our
> measurements on SKX, for 1M entries the average lookup cost is ~80 cycles,
> and the average add cost is ~500 cycles.
> Next Steps:
> - integration with ipsec-secgw

I think doc update (PG and RN) is also missing
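
The longest-match lookup described in the quoted cover letter, as an added example that is not part of this thread or of the DPDK patch series. Small fixed-size arrays stand in for the three librte_hash tables, and all names (`sad_init`, `sad_add`, `sad_lookup`, `struct sad_key`) are hypothetical; addresses are IPv4 only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names; IPv4 only. Arrays stand in for the three hash tables. */
enum sad_key_type { SAD_SPI_ONLY, SAD_SPI_DIP, SAD_SPI_DIP_SIP, SAD_KEY_TYPES };
struct sad_key { uint32_t spi, dip, sip; };
struct sad_entry { struct sad_key key; int sa_id; int used; };
#define SAD_MAX 8
struct sad { struct sad_entry tbl[SAD_KEY_TYPES][SAD_MAX]; };

void sad_init(struct sad *s) { memset(s, 0, sizeof(*s)); }

/* Compare only the fields that are significant for table type t. */
int key_match(int t, const struct sad_key *a, const struct sad_key *b)
{
    if (a->spi != b->spi)
        return 0;
    if (t >= SAD_SPI_DIP && a->dip != b->dip)
        return 0;
    if (t == SAD_SPI_DIP_SIP && a->sip != b->sip)
        return 0;
    return 1;
}

/* Store an SA in the table that corresponds to how it is addressed. */
int sad_add(struct sad *s, enum sad_key_type t, struct sad_key k, int sa_id)
{
    for (size_t i = 0; i < SAD_MAX; i++) {
        if (!s->tbl[t][i].used) {
            s->tbl[t][i] = (struct sad_entry){ k, sa_id, 1 };
            return 0;
        }
    }
    return -1; /* table full */
}

/* Longest match: probe the most specific table first, then fall back.
 * Returns the SA id, or -1 when no SA exists for the packet. */
int sad_lookup(const struct sad *s, const struct sad_key *pkt)
{
    for (int t = SAD_SPI_DIP_SIP; t >= SAD_SPI_ONLY; t--)
        for (size_t i = 0; i < SAD_MAX; i++)
            if (s->tbl[t][i].used && key_match(t, &s->tbl[t][i].key, pkt))
                return s->tbl[t][i].sa_id;
    return -1;
}
```

An SPI-only entry matches any source and destination for that SPI, so the lookup order is what keeps a more specific SA from being shadowed by a broader one.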
