DPDK patches and discussions
 help / color / Atom feed
From: Akhil Goyal <akhil.goyal@nxp.com>
To: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>,
	"dev@dpdk.org" <dev@dpdk.org>,
	dpdk-techboard <techboard@dpdk.org>,
	Thomas Monjalon <thomas@monjalon.net>
Cc: "Medvedkin, Vladimir" <vladimir.medvedkin@intel.com>,
	Anoob Joseph <anoobj@marvell.com>,
	Ravi Kumar <ravi1.kumar@amd.com>,
	Ruifeng Wang <ruifeng.wang@arm.com>
Subject: Re: [dpdk-dev] [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw
Date: Thu, 23 Jan 2020 12:56:53 +0000
Message-ID: <VE1PR04MB663920482DFF85E3DA564C27E60F0@VE1PR04MB6639.eurprd04.prod.outlook.com> (raw)
In-Reply-To: <SN6PR11MB25587F743337C38DC1F30FEA9A0F0@SN6PR11MB2558.namprd11.prod.outlook.com>

Hi Konstantin,
> 
> Hi Akhil,
> 
> > > > > Hi Vladimir,
> > > > > The SA lookup logic and management is purely requirement based for the
> > > > application.
> > > > >The application may only cater to <128 SAs which can
> > > > > be handled based on the current logic.
> > > >
> > > > Not always, current implementation can handle < 128 SA,
> > > > whose SPI%128 never match (let say it cant't handle SPI=1 and SPI=129).
> > > > Yes, what we have right now has nearly zero overhead,
> > > > and might be ok for some really simple show-cases.
> > > > But for majority of production IPsec implementations,
> > > > I believe that definitely wouldn't be enough.
> > > >
> > > > > –single-sa option cannot handle this.
> > > > > Sample applications in DPDK are there to showcase the best a hardware
> can
> > > > deliver.
> > > >
> > > > My thought was - that's the reason we have single-sa option -
> > > > demonstrate best possible HW perf without minimal SW intervention.
> > > > For something more serious than that, we use generic SAD implementation.
> > > >
> > > > > IMO, we cannot allow this logic on NXP hardwares. We
> > > > > give performance numbers based on IPSec app to customers and we
> cannot
> > > > allow 15% degradation.
> > > >
> > > > As Vladimir said, we are looking how to improve current SAD numbers
> > > > and minimize the drop.
> > > > But with same equals - plain array will always be faster than hash table,
> > > > so not sure we will be able to match existing performance.
> > > > So two questions:
> > > > 1. What exact case you use for perf testing
> > > >     (total number of SAs, packets per burst belong to the same/different SAs)?
> > > >     Might be there is a way to speedup it.
> > > >     Again if 10-15% is not an affordable drop, which one is: zero or ...?
> > >
> > > We should add features judiciously, we cannot drop the performance of a
> > > benchmarking
> > > Application in lieu of adding functionality. We should only add features which
> > > are not
> > > Impacting the performance significantly.
> > > Every vendor may have different cases. We cannot tune for everybody.
> > > However, I see drop in 64 outbound 64 inbound SAs all with different SPI and
> IPs.
> > > Packets per burst = 32 all with different SAs.
> > >
> >
> > We can have two modes of lookup similar to l3fwd - EM and LPM.
> > LPM is O(1) while EM is more realistic. Similar logic can be added here as well.
> > With L3fwd also we showcase performance for best case(lpm) and the worst
> case(em)
> > What Say?
> 
> We discussed it off-line with Vladimir and came up with similar idea:
> Have a proper/generic SAD implementation and add limited size plain-array
> on top of it as 1xway associative cache.
> So for the case when all active SAs fit into the cache and no SPI collisions,
> we should have same performance as now (with plain array).
> From other side, we'll still have generic/scalable/rfc compliant implementation.
> Sort of best sides from two words.
> Plans are to submit v4 with such approach in next few days.

OK lets check the v4 before moving the discussion to techboard. 
@Thomas: Do you have more thoughts on this? Should we get it added in the agenda
Or wait for the v4?

> 
> >
> > As discussed in the DPDK-status meeting today, this patchset need to be
> discussed in
> > Techboard meeting. Please include this topic in the upcoming meeting on 29th
> Jan.
> 
> As I said above, I think we found a way to deal with it without any perf drop
> for existing cases.
> Though sure, if you feel some extra discussion is needed, let's request to
> put it into agenda.
> 
> Konstantin
> 
> >
> > -Akhil
> >
> > > > 2. I think there are 2 different directions for ipsec-secgw:
> > > >    From one-side there is a desire to use it as a show-case for best-possible
> HW
> > > > IPsec performance
> > > >   (which is understandable).
> > > >    From other side - attempt to make it as close as real-world generic ipsec
> > > > processing app as possible
> > > >    (support for ESN, replay window, fragmented packets, generic proper
> SAD,
> > > > etc).
> > > >    Obviously these goals contradict and it makes really hard for the same
> app to
> > > > fulfill both.
> > > >    Any thoughts how to deal with that?
> > > >    One obvious would be to split the app, anything else?
> > >
> > > We can have a fallback mechanism back to original functionality for
> whatever
> > > feature
> > > which has some perf drop.
> > > Splitting an app can be thought of but that would be similar to a full fledged
> > > IPSec stack
> > > like VPP-IPSec.
> > >
> > > >
> > > > Konstantin
> > > >
> > > > > Other vendors(Marvell, ARM, AMD) please comment?
> > > > > Regards,
> > > > > Akhil
> > > > > From: Medvedkin, Vladimir <mailto:vladimir.medvedkin@intel.com>
> > > > > Sent: Friday, January 17, 2020 10:35 PM
> > > > > To: Akhil Goyal <mailto:akhil.goyal@nxp.com>; mailto:dev@dpdk.org
> > > > > Cc: mailto:konstantin.ananyev@intel.com
> > > > > Subject: Re: [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw
> > > > >
> > > > > Hi Akhil,
> > > > > Indeed with our tests we also seeing ~15% perf drop for small packets
> (~90B)
> > > > and ~3-4% drop for 1KB packets. While I am looking on a ways
> > > > > to minimize the drop, I think it would be hard, if possible at all to
> eliminate it
> > > > completely.
> > > > > Reason for that: current SAD implementation is completely synthetic
> (using
> > > > plain array structure indexed by SPI value). That provides a very
> > > > > low overhead, but doesn't provide expected functionality and can't be
> used
> > > in
> > > > proper implementation.
> > > > > To measure plain IPsec performance without SAD user can still use '--
> signle-
> > > sa'
> > > > option.
> > > > > On 15/01/2020 15:45, Akhil Goyal wrote:
> > > > > Hi Vladimir,
> > > > >
> > > > > There is more than 10% drop with this patchset on NXP hardware with
> both
> > > > legacy mode and the ipsec lib mode. This would need some
> > > > > debugging.
> > > > > Didn't you see any drop on intel?
> > > > >
> > > > > Regards,
> > > > > Akhil
> > > > >
> > > > > -----Original Message-----
> > > > > From: Vladimir Medvedkin mailto:vladimir.medvedkin@intel.com
> > > > > Sent: Tuesday, January 14, 2020 7:57 PM
> > > > > To: mailto:dev@dpdk.org
> > > > > Cc: mailto:konstantin.ananyev@intel.com; Akhil Goyal
> > > > mailto:akhil.goyal@nxp.com
> > > > > Subject: [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw
> > > > >
> > > > > This series integrates SA database (SAD) capabilities from ipsec library.
> > > > > The goal is to make ipsec-secgw RFC compliant regarding inbound SAD.
> > > > > Also patch series removes hardcoded limitation for maximum number of
> SA's
> > > > > and SP's.
> > > > >
> > > > > v4:
> > > > >  - put tunnel SA's into SAD with SPI_ONLY type for performance reason
> > > > >
> > > > > v3:
> > > > >  - parse SA and SP into sorted array instead of linked list
> > > > >
> > > > > v2:
> > > > >  - get rid of maximum sp limitation
> > > > >
> > > > > Vladimir Medvedkin (5):
> > > > >   ipsec: move ipsec sad name length into .h
> > > > >   examples/ipsec-secgw: implement inbound SAD
> > > > >   examples/ipsec-secgw: integrate inbound SAD
> > > > >   examples/ipsec-secgw: get rid of maximum sa limitation
> > > > >   examples/ipsec-secgw: get rid of maximum sp limitation
> > > > >
> > > > >  examples/ipsec-secgw/Makefile      |   1 +
> > > > >  examples/ipsec-secgw/ipsec-secgw.c |   4 +-
> > > > >  examples/ipsec-secgw/ipsec.h       |  11 +-
> > > > >  examples/ipsec-secgw/meson.build   |   2 +-
> > > > >  examples/ipsec-secgw/parser.c      |   4 +
> > > > >  examples/ipsec-secgw/parser.h      |   9 ++
> > > > >  examples/ipsec-secgw/sa.c          | 256 +++++++++++++++++++++++------
> -----
> > > --
> > > > -
> > > > >  examples/ipsec-secgw/sad.c         |  90 +++++++++++++
> > > > >  examples/ipsec-secgw/sad.h         |  74 +++++++++++
> > > > >  examples/ipsec-secgw/sp4.c         | 114 ++++++++++++-----
> > > > >  examples/ipsec-secgw/sp6.c         | 112 +++++++++++-----
> > > > >  lib/librte_ipsec/ipsec_sad.c       |  20 +--
> > > > >  lib/librte_ipsec/rte_ipsec_sad.h   |   2 +
> > > > >  13 files changed, 528 insertions(+), 171 deletions(-)
> > > > >  create mode 100644 examples/ipsec-secgw/sad.c
> > > > >  create mode 100644 examples/ipsec-secgw/sad.h
> > > > >
> > > > > --
> > > > > 2.7.4
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Vladimir
> > > > > -->

  reply index

Thread overview: 60+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-11 16:45 [dpdk-dev] [PATCH 0/4] " Vladimir Medvedkin
2019-12-11 16:45 ` [dpdk-dev] [PATCH 1/4] ipsec: move ipsec sad name length into .h Vladimir Medvedkin
2019-12-11 16:45 ` [dpdk-dev] [PATCH 2/4] examples/ipsec-secgw: implement inbound SAD Vladimir Medvedkin
2019-12-11 16:45 ` [dpdk-dev] [PATCH 3/4] examples/ipsec-secgw: integrate " Vladimir Medvedkin
2019-12-11 16:45 ` [dpdk-dev] [PATCH 4/4] examples/ipsec-secgw: get rid of maximum sa limitation Vladimir Medvedkin
2019-12-18 16:00 ` [dpdk-dev] [PATCH v2 0/5] integrate librte_ipsec SAD into ipsec-secgw Vladimir Medvedkin
2020-01-13 12:55   ` [dpdk-dev] [PATCH v3 " Vladimir Medvedkin
2020-01-14 14:27     ` [dpdk-dev] [PATCH v4 " Vladimir Medvedkin
2020-01-15 15:45       ` Akhil Goyal
2020-01-17 12:26         ` Akhil Goyal
2020-01-17 17:05         ` Medvedkin, Vladimir
2020-01-20  6:44           ` Akhil Goyal
2020-01-20 12:44             ` Anoob Joseph
     [not found]             ` <SN6PR11MB25581C7C8F969AA18EE8C1949A320@SN6PR11MB2558.namprd11.prod.outlook.com>
     [not found]               ` <SN6PR11MB25588E3DD326CFC90DD1E3989A320@SN6PR11MB2558.namprd11.prod.outlook.com>
2020-01-20 14:45                 ` [dpdk-dev] FW: " Ananyev, Konstantin
2020-01-21 14:47                   ` [dpdk-dev] " Akhil Goyal
2020-01-23 11:11                     ` Akhil Goyal
2020-01-23 12:52                       ` Ananyev, Konstantin
2020-01-23 12:56                         ` Akhil Goyal [this message]
2020-01-23 13:33                           ` Thomas Monjalon
2020-01-23 15:46                             ` Ananyev, Konstantin
2020-01-29 14:06       ` [dpdk-dev] [PATCH v5 0/6] " Vladimir Medvedkin
2020-01-31 12:53         ` Akhil Goyal
2020-02-04  4:11           ` Anoob Joseph
2020-02-04 15:22             ` Akhil Goyal
2020-01-31 17:39         ` [dpdk-dev] [PATCH v6 0/8] " Vladimir Medvedkin
2020-02-04 15:25           ` Akhil Goyal
2020-01-31 17:39         ` [dpdk-dev] [PATCH v6 1/8] ipsec: move ipsec sad name length into .h Vladimir Medvedkin
2020-01-31 17:39         ` [dpdk-dev] [PATCH v6 2/8] examples/ipsec-secgw: implement inbound SAD Vladimir Medvedkin
2020-01-31 17:39         ` [dpdk-dev] [PATCH v6 3/8] examples/ipsec-secgw: integrate " Vladimir Medvedkin
2020-01-31 17:39         ` [dpdk-dev] [PATCH v6 4/8] examples/ipsec-secgw: get rid of maximum sa limitation Vladimir Medvedkin
2020-01-31 17:39         ` [dpdk-dev] [PATCH v6 5/8] examples/ipsec-secgw: get rid of maximum sp limitation Vladimir Medvedkin
2020-01-31 17:39         ` [dpdk-dev] [PATCH v6 6/8] examples/ipsec-secgw: add SAD cache Vladimir Medvedkin
2020-01-31 17:39         ` [dpdk-dev] [PATCH v6 7/8] examples/ipsec-secgw: set/use mbuf ptype Vladimir Medvedkin
2020-01-31 17:39         ` [dpdk-dev] [PATCH v6 8/8] doc: update ipsec-secgw guide Vladimir Medvedkin
2020-01-29 14:06       ` [dpdk-dev] [PATCH v5 1/6] ipsec: move ipsec sad name length into .h Vladimir Medvedkin
2020-01-29 14:06       ` [dpdk-dev] [PATCH v5 2/6] examples/ipsec-secgw: implement inbound SAD Vladimir Medvedkin
2020-01-29 14:06       ` [dpdk-dev] [PATCH v5 3/6] examples/ipsec-secgw: integrate " Vladimir Medvedkin
2020-01-29 14:06       ` [dpdk-dev] [PATCH v5 4/6] examples/ipsec-secgw: get rid of maximum sa limitation Vladimir Medvedkin
2020-01-29 14:06       ` [dpdk-dev] [PATCH v5 5/6] examples/ipsec-secgw: get rid of maximum sp limitation Vladimir Medvedkin
2020-01-29 14:06       ` [dpdk-dev] [PATCH v5 6/6] examples/ipsec-secgw: add SAD cache Vladimir Medvedkin
2020-01-14 14:27     ` [dpdk-dev] [PATCH v4 1/5] ipsec: move ipsec sad name length into .h Vladimir Medvedkin
2020-01-14 15:51       ` Ananyev, Konstantin
2020-01-14 14:27     ` [dpdk-dev] [PATCH v4 2/5] examples/ipsec-secgw: implement inbound SAD Vladimir Medvedkin
2020-01-14 15:53       ` Ananyev, Konstantin
2020-01-14 14:27     ` [dpdk-dev] [PATCH v4 3/5] examples/ipsec-secgw: integrate " Vladimir Medvedkin
2020-01-14 15:54       ` Ananyev, Konstantin
2020-01-14 14:27     ` [dpdk-dev] [PATCH v4 4/5] examples/ipsec-secgw: get rid of maximum sa limitation Vladimir Medvedkin
2020-01-14 15:56       ` Ananyev, Konstantin
2020-01-14 14:27     ` [dpdk-dev] [PATCH v4 5/5] examples/ipsec-secgw: get rid of maximum sp limitation Vladimir Medvedkin
2020-01-14 15:57       ` Ananyev, Konstantin
2020-01-13 12:55   ` [dpdk-dev] [PATCH v3 1/5] ipsec: move ipsec sad name length into .h Vladimir Medvedkin
2020-01-13 12:55   ` [dpdk-dev] [PATCH v3 2/5] examples/ipsec-secgw: implement inbound SAD Vladimir Medvedkin
2020-01-13 12:55   ` [dpdk-dev] [PATCH v3 3/5] examples/ipsec-secgw: integrate " Vladimir Medvedkin
2020-01-13 12:55   ` [dpdk-dev] [PATCH v3 4/5] examples/ipsec-secgw: get rid of maximum sa limitation Vladimir Medvedkin
2020-01-13 12:55   ` [dpdk-dev] [PATCH v3 5/5] examples/ipsec-secgw: get rid of maximum sp limitation Vladimir Medvedkin
2019-12-18 16:00 ` [dpdk-dev] [PATCH v2 1/5] ipsec: move ipsec sad name length into .h Vladimir Medvedkin
2019-12-18 16:00 ` [dpdk-dev] [PATCH v2 2/5] examples/ipsec-secgw: implement inbound SAD Vladimir Medvedkin
2019-12-18 16:00 ` [dpdk-dev] [PATCH v2 3/5] examples/ipsec-secgw: integrate " Vladimir Medvedkin
2019-12-18 16:00 ` [dpdk-dev] [PATCH v2 4/5] examples/ipsec-secgw: get rid of maximum sa limitation Vladimir Medvedkin
2019-12-18 16:00 ` [dpdk-dev] [PATCH v2 5/5] examples/ipsec-secgw: get rid of maximum sp limitation Vladimir Medvedkin

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=VE1PR04MB663920482DFF85E3DA564C27E60F0@VE1PR04MB6639.eurprd04.prod.outlook.com \
    --to=akhil.goyal@nxp.com \
    --cc=anoobj@marvell.com \
    --cc=dev@dpdk.org \
    --cc=konstantin.ananyev@intel.com \
    --cc=ravi1.kumar@amd.com \
    --cc=ruifeng.wang@arm.com \
    --cc=techboard@dpdk.org \
    --cc=thomas@monjalon.net \
    --cc=vladimir.medvedkin@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

DPDK patches and discussions

Archives are clonable:
	git clone --mirror http://inbox.dpdk.org/dev/0 dev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dev dev/ http://inbox.dpdk.org/dev \
		dev@dpdk.org
	public-inbox-index dev


Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.dev


AGPL code for this site: git clone https://public-inbox.org/ public-inbox