From: Akhil Goyal <gakhil@marvell.com>
To: Thomas Monjalon <thomas@monjalon.net>, Yaron Illouz <yaroni@radcom.com>
Cc: "users@dpdk.org" <users@dpdk.org>, "dev@dpdk.org" <dev@dpdk.org>,
Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>,
Radu Nicolau <radu.nicolau@intel.com>, Kai Ji <kai.ji@intel.com>,
Anoob Joseph <anoobj@marvell.com>
Subject: RE: [EXTERNAL] Re: ipsec on dpdk
Date: Wed, 31 Jul 2024 18:06:04 +0000 [thread overview]
Message-ID: <CO6PR18MB4484A3F5A5EA0B5DFCF0AFADD8B12@CO6PR18MB4484.namprd18.prod.outlook.com> (raw)
In-Reply-To: <3105959.ktpJ11cQ8Q@thomas>
Hi Yaron,
Please see the inline replies.
> Hello,
>
> Adding Cc some experts.
>
> About the IPsec support, we are writing a document, it is in progress.
>
>
> 28/07/2024 14:51, Yaron Illouz:
> > Hi
> >
> > I am interested to do ipsec encoding and decoding in my dpdk application
> > From my readings, i understand ipsec can be done one time in the nic (inline
> ipsec) or with multiple calls (rte_cryptodev_enqueue_burst,
> rte_cryptodev_dequeue_burst....)
> >
> >
> > 1. If ipsec is done by nic I only need to call rte_ipsec_pkt_process(...) without
> other functions?
This API is for inline crypto mode and is not the only API to be called.
Please check the documentation and refer to examples/ipsec-secgw.
It has support for all 3 modes - inline crypto, inline protocol and lookaside protocol.
It also supports legacy lookaside crypto mode which does not use rte_security.
> >
> > I use rte_eth_rx_burst to read from nic.
> >
> > 1. Where do I see list of nic that support nic inline ipsec? I believe not all dpdk
> nic support it.
The NICs which support RTE_ETH_TX_OFFLOAD_SECURITY are the ones which can support inline IPSec
These are ixgbe, txgbe, cnxk, iavf and nfp.
> > 2. How much does it impact performance ? is there a table of performance
> per nic?
Performance numbers are specific to PMDs and are not published in dpdk documentation.
You may check with individual PMD owners.
> > 3. My application is multi process, I can see in documentation :
> >
> > “Currently, the security library does not support the case of multi-process. It will
> be updated in the future releases.” From
> https://doc.dpdk.org/guides/prog_guide/rte_security.html
With this note, it means rte_security library and the PMDs are not taking care of
Multi-process related synchronization for sessions. It will be application responsibility to handle that.
> >
> > So ipsec also is not supported for multi process application?
It can be supported.
Application need to take care of how sessions are configured for multiple processes.
Library or the PMD are not handling it.
> >
> > Even if done inline by the nic?
> >
> > And what about non inline ipsec for multi process applications?
It is not about inline or non-inline.
The security library has 3 modes - inline protocol offload, inline crypto offload and lookaside protocol offload.
The security lib is not handling multi-process scenarios so it is applicable for all the above modes.
> > 1. Is ip sec also supported in multi queue with rte flow in the inline ipsec ?
Yes it can be configured that way.
-Akhil
prev parent reply other threads:[~2024-07-31 18:06 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-28 12:51 Yaron Illouz
2024-07-31 10:39 ` Thomas Monjalon
2024-07-31 18:06 ` Akhil Goyal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CO6PR18MB4484A3F5A5EA0B5DFCF0AFADD8B12@CO6PR18MB4484.namprd18.prod.outlook.com \
--to=gakhil@marvell.com \
--cc=anoobj@marvell.com \
--cc=dev@dpdk.org \
--cc=kai.ji@intel.com \
--cc=konstantin.v.ananyev@yandex.ru \
--cc=radu.nicolau@intel.com \
--cc=thomas@monjalon.net \
--cc=users@dpdk.org \
--cc=yaroni@radcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).