DPDK patches and discussions
 help / color / mirror / Atom feed
* ipsec on dpdk
@ 2024-07-28 12:51 Yaron Illouz
  2024-07-31 10:39 ` Thomas Monjalon
  0 siblings, 1 reply; 3+ messages in thread
From: Yaron Illouz @ 2024-07-28 12:51 UTC (permalink / raw)
  To: users; +Cc: dev

[-- Attachment #1: Type: text/plain, Size: 1110 bytes --]

Hi

I am interested to do ipsec encoding and decoding in my dpdk application
From my readings, i understand ipsec can be done one time in the nic (inline ipsec) or with multiple calls (rte_cryptodev_enqueue_burst, rte_cryptodev_dequeue_burst....)


  1.  If ipsec is done by nic I only need to call rte_ipsec_pkt_process(...) without other functions?

I use  rte_eth_rx_burst to read from nic.

  1.  Where do I see list of nic that support nic inline ipsec? I believe not all dpdk nic support it.
  2.  How much does it impact performance ? is there a table of performance per nic?
  3.  My application is multi process, I can see in documentation :

“Currently, the security library does not support the case of multi-process. It will be updated in the future releases.” From https://doc.dpdk.org/guides/prog_guide/rte_security.html

So ipsec also is not supported for multi process application?

Even if done inline by the nic?

And what about non inline ipsec for multi process applications?



  1.  Is ip sec also supported in multi queue with rte flow in the inline ipsec ?

[-- Attachment #2: Type: text/html, Size: 6285 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: ipsec on dpdk
  2024-07-28 12:51 ipsec on dpdk Yaron Illouz
@ 2024-07-31 10:39 ` Thomas Monjalon
  2024-07-31 18:06   ` [EXTERNAL] " Akhil Goyal
  0 siblings, 1 reply; 3+ messages in thread
From: Thomas Monjalon @ 2024-07-31 10:39 UTC (permalink / raw)
  To: Yaron Illouz
  Cc: users, dev, Konstantin Ananyev, Radu Nicolau, Akhil Goyal,
	Kai Ji, Anoob Joseph

Hello,

Adding Cc some experts.

About the IPsec support, we are writing a document, it is in progress.


28/07/2024 14:51, Yaron Illouz:
> Hi
> 
> I am interested to do ipsec encoding and decoding in my dpdk application
> From my readings, i understand ipsec can be done one time in the nic (inline ipsec) or with multiple calls (rte_cryptodev_enqueue_burst, rte_cryptodev_dequeue_burst....)
> 
> 
>   1.  If ipsec is done by nic I only need to call rte_ipsec_pkt_process(...) without other functions?
> 
> I use  rte_eth_rx_burst to read from nic.
> 
>   1.  Where do I see list of nic that support nic inline ipsec? I believe not all dpdk nic support it.
>   2.  How much does it impact performance ? is there a table of performance per nic?
>   3.  My application is multi process, I can see in documentation :
> 
> “Currently, the security library does not support the case of multi-process. It will be updated in the future releases.” From https://doc.dpdk.org/guides/prog_guide/rte_security.html
> 
> So ipsec also is not supported for multi process application?
> 
> Even if done inline by the nic?
> 
> And what about non inline ipsec for multi process applications?
> 
> 
> 
>   1.  Is ip sec also supported in multi queue with rte flow in the inline ipsec ?
> 






^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: [EXTERNAL] Re: ipsec on dpdk
  2024-07-31 10:39 ` Thomas Monjalon
@ 2024-07-31 18:06   ` Akhil Goyal
  0 siblings, 0 replies; 3+ messages in thread
From: Akhil Goyal @ 2024-07-31 18:06 UTC (permalink / raw)
  To: Thomas Monjalon, Yaron Illouz
  Cc: users, dev, Konstantin Ananyev, Radu Nicolau, Kai Ji, Anoob Joseph

Hi Yaron,

Please see the inline replies.

> Hello,
> 
> Adding Cc some experts.
> 
> About the IPsec support, we are writing a document, it is in progress.
> 
> 
> 28/07/2024 14:51, Yaron Illouz:
> > Hi
> >
> > I am interested to do ipsec encoding and decoding in my dpdk application
> > From my readings, i understand ipsec can be done one time in the nic (inline
> ipsec) or with multiple calls (rte_cryptodev_enqueue_burst,
> rte_cryptodev_dequeue_burst....)
> >
> >
> >   1.  If ipsec is done by nic I only need to call rte_ipsec_pkt_process(...) without
> other functions?

This API is for inline crypto mode and is not the only API to be called.
Please check the documentation and refer to examples/ipsec-secgw.
It has support for all 3 modes - inline crypto, inline protocol and lookaside protocol.
It also supports legacy lookaside crypto mode which does not use rte_security.

> >
> > I use  rte_eth_rx_burst to read from nic.
> >
> >   1.  Where do I see list of nic that support nic inline ipsec? I believe not all dpdk
> nic support it.

The NICs which support RTE_ETH_TX_OFFLOAD_SECURITY are the ones which can support inline IPSec
These are ixgbe, txgbe, cnxk, iavf and nfp.

> >   2.  How much does it impact performance ? is there a table of performance
> per nic?

Performance numbers are specific to PMDs and are not published in dpdk documentation.
You may check with individual PMD owners.

> >   3.  My application is multi process, I can see in documentation :
> >
> > “Currently, the security library does not support the case of multi-process. It will
> be updated in the future releases.” From
> https://doc.dpdk.org/guides/prog_guide/rte_security.html

With this note, it means rte_security library and the PMDs are not taking care of
Multi-process related synchronization for sessions. It will be application responsibility to handle that.

> >
> > So ipsec also is not supported for multi process application?
It can be supported.
Application need to take care of how sessions are configured for multiple processes.
Library or the PMD are not handling it.

> >
> > Even if done inline by the nic?
> >
> > And what about non inline ipsec for multi process applications?

It is not about inline or non-inline.
The security library has 3 modes - inline protocol offload, inline crypto offload and lookaside protocol offload.
The security lib is not handling multi-process scenarios so it is applicable for all the above modes.

> >   1.  Is ip sec also supported in multi queue with rte flow in the inline ipsec ?
Yes it can be configured that way.

-Akhil

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2024-07-31 18:06 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-07-28 12:51 ipsec on dpdk Yaron Illouz
2024-07-31 10:39 ` Thomas Monjalon
2024-07-31 18:06   ` [EXTERNAL] " Akhil Goyal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).