Re: ipsec impact on performance
This article is old (turn of the century) but it may have numbers worth comparing to http://www.freeswan.org/freeswan_trees/CURRENT-TREE/doc/performance.html -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: ipsec impact on performance
On Wed, Dec 02, 2015 at 07:05:38AM -0500, Sowmini Varadhan wrote: > On (12/02/15 07:53), Steffen Klassert wrote: > > > > I'm currently working on a GRO/GSO codepath for IPsec too. The GRO part > > works already. I decapsulate/decrypt the packets on layer2 with a esp GRO > > callback function and reinject them into napi_gro_receive(). So in case > > the decapsulated packet is TCP, GRO can aggregate big packets. > > Would you be able to share your patch with me? I'd like to give that a try > just to get preliminary numbers (and I could massage it as needed > for transport mode too). I've got the final bits to work today, I can do async crypto now. I can push the patches to a public tree after some polishing. But I have to warn, it has still bugs and no usefull commit messages. I did a first test with forwaring esp in tunnel mode. The crypto algorithm I used was: pcrypt(echainiv(authenc(hmac(sha1-ssse3),cbc-aes-aesni))) Result: iperf -c 10.0.0.12 -t 60 Client connecting to 10.0.0.12, TCP port 5001 TCP window size: 45.0 KByte (default) [ 3] local 192.168.0.12 port 39380 connected with 10.0.0.12 port 5001 [ ID] Interval Transfer Bandwidth [ 3] 0.0-60.0 sec 32.8 GBytes 4.70 Gbits/sec I provide more informatios as soon as the code is available. > > > Another thing, I thought about setting up an IPsec BoF/workshop at > > netdev1.1. My main topic is GRO/GSO for IPsec. I'll send out a mail > > to the list later this week to see if there is enough interest and > > maybe some additional topics. > > Sounds like an excellent idea. I'm certainly interested. Great, than we are at least two :) -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: ipsec impact on performance
On (12/03/15 09:45), Steffen Klassert wrote: > pcrypt(echainiv(authenc(hmac(sha1-ssse3),cbc-aes-aesni))) > > Result: > > iperf -c 10.0.0.12 -t 60 > > Client connecting to 10.0.0.12, TCP port 5001 > TCP window size: 45.0 KByte (default) > > [ 3] local 192.168.0.12 port 39380 connected with 10.0.0.12 port 5001 > [ ID] Interval Transfer Bandwidth > [ 3] 0.0-60.0 sec 32.8 GBytes 4.70 Gbits/sec > > I provide more informatios as soon as the code is available. that's pretty good compared to the baseline. I'd like to try out our patches, when they are ready. I think you may get some more improvement if you manually pin the irq and iperf to specific cpus (at least that was my observation for transp mode) --Sowmini -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: ipsec impact on performance
On Thu, Dec 03, 2015 at 06:38:20AM -0500, Sowmini Varadhan wrote: > On (12/03/15 09:45), Steffen Klassert wrote: > > pcrypt(echainiv(authenc(hmac(sha1-ssse3),cbc-aes-aesni))) > > > > Result: > > > > iperf -c 10.0.0.12 -t 60 > > > > Client connecting to 10.0.0.12, TCP port 5001 > > TCP window size: 45.0 KByte (default) > > > > [ 3] local 192.168.0.12 port 39380 connected with 10.0.0.12 port 5001 > > [ ID] Interval Transfer Bandwidth > > [ 3] 0.0-60.0 sec 32.8 GBytes 4.70 Gbits/sec > > > > I provide more informatios as soon as the code is available. > > that's pretty good compared to the baseline. > I'd like to try out our patches, when they are ready. > > I think you may get some more improvement if you manually pin the irq > and iperf to specific cpus (at least that was my observation for transp > mode) I do that already. I have dedicated crypto and IO cpus, 2 cpus do networking IO and 4 cpus do crypto (parallelized with pcrypt). The bottleneck is now the cpu that does the TX path (checksumming of the GSO segments). -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Email from Mr Chan(response needed)
I am Mr Chan Yuan,we are looking for a representative in your country to assist us pick up funds from our clients in your location. If you are interested do get back me for futher details.There is no financial obligation on your part. Do also note that your are entitled to 10% of each installmental payment made out to you by our clients.If you think you can handle this position please write back to us with you full name and address,for more information on our enquiry -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Email from Mr Chan(response needed)..
I am Mr Chan Yuan,we are looking for a representative in your country to assist us pick up funds from our clients in your location. If you are interested do get back me for futher details.There is no financial obligation on your part. Do also note that your are entitled to 10% of each installmental payment made out to you by our clients.If you think you can handle this position please write back to us with you full name and address,for more information on our enquiry (null) -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] crypto: fix kernel-doc warnings in crypto/aead.h
From: Randy DunlapFix 21 occurrences of this kernel-doc warning in : ..//include/crypto/aead.h:149: warning: No description found for parameter 'base' Signed-off-by: Randy Dunlap --- include/crypto/aead.h |1 + 1 file changed, 1 insertion(+) --- lnx-44-rc3.orig/include/crypto/aead.h +++ lnx-44-rc3/include/crypto/aead.h @@ -128,6 +128,7 @@ struct aead_request { * @exit: Deinitialize the cryptographic transformation object. This is a * counterpart to @init, used to remove various changes set in * @init. + * @base: Definition of a generic crypto cipher algorithm. * * All fields except @ivsize is mandatory and must be filled. */ -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: ipsec impact on performance
On Thu, 2015-12-03 at 14:33 -0500, David Miller wrote: > From: Sowmini Varadhan> Date: Tue, 1 Dec 2015 12:59:53 -0500 > > > I instrumented iperf with and without ipsec, just using esp-null, > > and 1 thread, to keep things simple. I'm seeing some pretty dismal > > performance numbers with ipsec, and trying to think of ways to > > improve this. Here are my findings, please share feedback. > > Doesn't skb_cow_data() contribute significantly to the ESP base cost, > especially for TCP packets? > > I mean, we're copying every TCP data frame. > > If this is the case, even with GSO/whatever offloads, I expect that > performance will be roughly halfed. This reminds me this thing I noticed is that we (un)clone all xmit GRE GSO packets because of following code in iptunnel_handle_offloads() : if (skb_is_gso(skb)) { err = skb_unclone(skb, GFP_ATOMIC); if (unlikely(err)) goto error; skb_shinfo(skb)->gso_type |= gso_type_mask; return skb; } This is certainly something we should avoid, since we have ~1500 bytes of payload in skb->head per TCP skb Ideally, part of gso_type should belong to skb, not skb_shinfo(skb) :( -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: ipsec impact on performance
From: Sowmini VaradhanDate: Tue, 1 Dec 2015 12:59:53 -0500 > I instrumented iperf with and without ipsec, just using esp-null, > and 1 thread, to keep things simple. I'm seeing some pretty dismal > performance numbers with ipsec, and trying to think of ways to > improve this. Here are my findings, please share feedback. Doesn't skb_cow_data() contribute significantly to the ESP base cost, especially for TCP packets? I mean, we're copying every TCP data frame. If this is the case, even with GSO/whatever offloads, I expect that performance will be roughly halfed. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: ipsec impact on performance
On (12/03/15 14:33), David Miller wrote: > > Doesn't skb_cow_data() contribute significantly to the ESP base cost, > especially for TCP packets? Indeed. For esp-null, it's about half of the total time spent in esp_output (for one run that I just instrumented with perf tracepoints 2.5 ms compared to 5.8 ms) It never goes into the slow path of skb_cow_data (the path with comment about mincer fragments) because whether or not you do this after GSO, TCP makes sure to fit within the MSS, so (unless you have Jumbo enabled?) you'd send it something that does not have a fraglist. Was the cow_data call just intended to handle the fraglist case? Or is there something else more generic going on here (it's hard to tell because esp_output doesnt have too many comments to explain what it thinks its doing, as it juggles different len fields around) > I mean, we're copying every TCP data frame. > > If this is the case, even with GSO/whatever offloads, I expect that > performance will be roughly halfed. The other obvious "low-hanging fruit" is to address the TODO in the comment above esp_alloc_tmp. --Sowmini -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html