Hi Vladimir, Akhil, Marvell is also observing 10-15% drop with the SAD change. I agree with Akhil's opinion and we are not in favor of making this change.
Thanks, Anoob From: Akhil Goyal <akhil.go...@nxp.com> Sent: Monday, January 20, 2020 12:14 PM To: Medvedkin, Vladimir <vladimir.medved...@intel.com>; dev@dpdk.org Cc: konstantin.anan...@intel.com; Anoob Joseph <ano...@marvell.com>; Thomas Monjalon <tho...@monjalon.net>; Ravi Kumar <ravi1.ku...@amd.com>; Ruifeng Wang <ruifeng.w...@arm.com> Subject: [EXT] RE: [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw External Email ________________________________________ Hi Vladimir, The SA lookup logic and management is purely requirement based for the application. The application may only cater to <128 SAs which can be handled based on the current logic. –single-sa option cannot handle this. Sample applications in DPDK are there to showcase the best a hardware can deliver. IMO, we cannot allow this logic on NXP hardwares. We give performance numbers based on IPSec app to customers and we cannot allow 15% degradation. Other vendors(Marvell, ARM, AMD) please comment? Regards, Akhil From: Medvedkin, Vladimir <mailto:vladimir.medved...@intel.com> Sent: Friday, January 17, 2020 10:35 PM To: Akhil Goyal <mailto:akhil.go...@nxp.com>; mailto:dev@dpdk.org Cc: mailto:konstantin.anan...@intel.com Subject: Re: [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw Hi Akhil, Indeed with our tests we also seeing ~15% perf drop for small packets (~90B) and ~3-4% drop for 1KB packets. While I am looking on a ways to minimize the drop, I think it would be hard, if possible at all to eliminate it completely. Reason for that: current SAD implementation is completely synthetic (using plain array structure indexed by SPI value). That provides a very low overhead, but doesn't provide expected functionality and can't be used in proper implementation. To measure plain IPsec performance without SAD user can still use '--signle-sa' option. On 15/01/2020 15:45, Akhil Goyal wrote: Hi Vladimir, There is more than 10% drop with this patchset on NXP hardware with both legacy mode and the ipsec lib mode. This would need some debugging. Didn't you see any drop on intel? Regards, Akhil -----Original Message----- From: Vladimir Medvedkin mailto:vladimir.medved...@intel.com Sent: Tuesday, January 14, 2020 7:57 PM To: mailto:dev@dpdk.org Cc: mailto:konstantin.anan...@intel.com; Akhil Goyal mailto:akhil.go...@nxp.com Subject: [PATCH v4 0/5] integrate librte_ipsec SAD into ipsec-secgw This series integrates SA database (SAD) capabilities from ipsec library. The goal is to make ipsec-secgw RFC compliant regarding inbound SAD. Also patch series removes hardcoded limitation for maximum number of SA's and SP's. v4: - put tunnel SA's into SAD with SPI_ONLY type for performance reason v3: - parse SA and SP into sorted array instead of linked list v2: - get rid of maximum sp limitation Vladimir Medvedkin (5): ipsec: move ipsec sad name length into .h examples/ipsec-secgw: implement inbound SAD examples/ipsec-secgw: integrate inbound SAD examples/ipsec-secgw: get rid of maximum sa limitation examples/ipsec-secgw: get rid of maximum sp limitation examples/ipsec-secgw/Makefile | 1 + examples/ipsec-secgw/ipsec-secgw.c | 4 +- examples/ipsec-secgw/ipsec.h | 11 +- examples/ipsec-secgw/meson.build | 2 +- examples/ipsec-secgw/parser.c | 4 + examples/ipsec-secgw/parser.h | 9 ++ examples/ipsec-secgw/sa.c | 256 +++++++++++++++++++++++-------------- examples/ipsec-secgw/sad.c | 90 +++++++++++++ examples/ipsec-secgw/sad.h | 74 +++++++++++ examples/ipsec-secgw/sp4.c | 114 ++++++++++++----- examples/ipsec-secgw/sp6.c | 112 +++++++++++----- lib/librte_ipsec/ipsec_sad.c | 20 +-- lib/librte_ipsec/rte_ipsec_sad.h | 2 + 13 files changed, 528 insertions(+), 171 deletions(-) create mode 100644 examples/ipsec-secgw/sad.c create mode 100644 examples/ipsec-secgw/sad.h -- 2.7.4 -- Regards, Vladimir -->
