Re: [vpp-dev] tls init server is too heavy

2018-08-13 Thread Florin Coras
Hi Ping, 

Much appreciated! Please check the comments. There are a few things that still 
need to be ironed out, but once those are handled, it should be good to be 
merged. 

Cheers, 
Florin 

> On Aug 12, 2018, at 10:01 PM, Yu, Ping wrote:
> 
> Hi, Florin,
>  
> Based on this discussion, I have submitted a code review #14156 for this. Please 
> help review it.
>  
> The main change is:
> 1)  Add a pointer in ctx_id to point to engine-specific data, and point it to an 
> openssl_tls_ctx data structure.
> 2)  Add 2 engine-specific APIs for start listen and stop listen.
> 3)  CPS performance has been improved around 30% after this patch.
> 4)  Main implementation in openssl, and will not break mbedtls.
>  
> Thanks
> Ping
>  
> From: vpp-dev@lists.fd.io [mailto:vpp-dev@lists.fd.io] On Behalf Of Yu, Ping
> Sent: Thursday, July 26, 2018 9:26 AM
> To: Florin Coras (fcoras) <fco...@cisco.com>; vpp-dev@lists.fd.io
> Cc: Yu, Ping <ping...@intel.com>
> Subject: Re: [vpp-dev] tls init server is too heavy
>  
> That’s great. I will implement it and submit a patch for this optimization.
>  
> Ping
>  
> From: Florin Coras (fcoras) [mailto:fco...@cisco.com]
> Sent: Thursday, July 26, 2018 1:01 AM
> To: Yu, Ping <ping...@intel.com>; vpp-dev@lists.fd.io
> Subject: Re: tls init server is too heavy
>  
> Hi Ping, 
>  
> The plan you proposed sounds great, so definitely go for it! You’ll have to 
> find a place to store a pointer to the shared engine-generated context (i.e., 
> ssl_ctx) in the generic listener context. If no obvious field is available, 
> maybe you can abuse the ctx_id since we still have space there (note that 
> it’s limited to 42B).
>  
> Let me know how it goes!  
>  
> Cheers,
> Florin
>  
> From: "Yu, Ping" <ping...@intel.com>
> Date: Wednesday, July 25, 2018 at 9:13 AM
> To: "Florin Coras (fcoras)" <fco...@cisco.com>, "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
> Cc: "Yu, Ping" <ping...@intel.com>
> Subject: tls init server is too heavy
>  
> Hello, Florin
>  
> In current TLS openssl implementation, in each accepted TLS session, 
> openssl_ctx_init_server needs to re-init ssl_ctx, and set key and 
> certificate, which actually is not necessary, and normally one-time 
> initialization is good enough. After I change this initialization to run only 
> once, I can get around 20~30% performance improvement for CPS.
> I am now considering re-architecting this initialization, and one possible 
> point is to move this to tls_start_listen. A generic tls_ssl_ctx_init can be 
> the interface, then it will call engine specific, such as openssl ssl_ctx 
> initialization afterward. What do you think?
>  
> Thanks
> Ping
>  

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#10125): https://lists.fd.io/g/vpp-dev/message/10125
Mute This Topic: https://lists.fd.io/mt/23814247/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
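
The design agreed in this thread, as an added C model that is not taken from the messages, from review #14156 or from VPP: the expensive context setup runs once in an engine start-listen hook, a pointer to the shared context is stored in the listener's 42-byte `ctx_id` area, and accepted sessions only take a reference, so stopping the listener cannot free a context that live sessions still use. All type and function names here (`listener_t`, `engine_start_listen`, `session_accept`, and so on) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the design in this thread; not VPP source. */
typedef struct { int refcnt; } shared_ctx_t;       /* stands in for ssl_ctx */
typedef struct { uint8_t ctx_id[42]; } listener_t; /* 42B of engine storage */
typedef struct { shared_ctx_t *shared; } session_t;
_Static_assert (sizeof (shared_ctx_t *) <= 42, "pointer must fit in ctx_id");
static int expensive_inits;                        /* key/cert setups performed */

static shared_ctx_t *lctx_get (listener_t *l)
{ shared_ctx_t *c; memcpy (&c, l->ctx_id, sizeof c); return c; }
static void lctx_set (listener_t *l, shared_ctx_t *c) { memcpy (l->ctx_id, &c, sizeof c); }
static void ctx_put (shared_ctx_t *c) { if (c && --c->refcnt == 0) free (c); }

int engine_start_listen (listener_t *l)   /* one-time, per listener */
{
  shared_ctx_t *c = calloc (1, sizeof *c);
  if (!c) return -1;
  expensive_inits++;  /* real engine: SSL_CTX_new plus key and certificate load */
  c->refcnt = 1;      /* reference owned by the listener */
  lctx_set (l, c);
  return 0;
}
int engine_stop_listen (listener_t *l)
{ ctx_put (lctx_get (l)); lctx_set (l, NULL); return 0; }

int session_accept (listener_t *l, session_t *s)   /* cheap, per session */
{
  shared_ctx_t *c = lctx_get (l);
  if (!c) return -1;  /* listener never started, or already stopped */
  c->refcnt++;        /* session pins the ctx, as SSL_new does for its SSL_CTX */
  s->shared = c;
  return 0;
}
void session_close (session_t *s) { ctx_put (s->shared); s->shared = NULL; }

/* Accept n sessions on one listener; return how many expensive inits ran. */
int inits_for_sessions (int n)
{
  listener_t l = { { 0 } };
  session_t *s = calloc (n, sizeof *s);
  int i, ok = 0;
  expensive_inits = 0;
  if (!s || engine_start_listen (&l)) { free (s); return -1; }
  for (i = 0; i < n; i++) ok += session_accept (&l, &s[i]) == 0;
  engine_stop_listen (&l);  /* live sessions keep the shared ctx alive */
  for (i = 0; i < n; i++) session_close (&s[i]);
  free (s);
  return ok == n ? expensive_inits : -1;
}
```

The `memcpy` in and out of `ctx_id` avoids casting an arbitrarily aligned byte array to a pointer type.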


Re: [vpp-dev] tls init server is too heavy

2018-08-12 Thread Yu, Ping
Hi, Florin,

Based on this discussion, I have submitted a code review #14156 for this. Please 
help review it.

The main change is:

1)  Add a pointer in ctx_id to point to engine-specific data, and point it to an 
openssl_tls_ctx data structure.

2)  Add 2 engine-specific APIs for start listen and stop listen.

3)  CPS performance has been improved around 30% after this patch.

4)  Main implementation in openssl, and will not break mbedtls.

Thanks
Ping

From: vpp-dev@lists.fd.io [mailto:vpp-dev@lists.fd.io] On Behalf Of Yu, Ping
Sent: Thursday, July 26, 2018 9:26 AM
To: Florin Coras (fcoras); vpp-dev@lists.fd.io
Cc: Yu, Ping
Subject: Re: [vpp-dev] tls init server is too heavy

That’s great. I will implement it and submit a patch for this optimization.

Ping

From: Florin Coras (fcoras) [mailto:fco...@cisco.com]
Sent: Thursday, July 26, 2018 1:01 AM
To: Yu, Ping <ping...@intel.com>; vpp-dev@lists.fd.io
Subject: Re: tls init server is too heavy

Hi Ping,

The plan you proposed sounds great, so definitely go for it! You’ll have to 
find a place to store a pointer to the shared engine-generated context (i.e., 
ssl_ctx) in the generic listener context. If no obvious field is available, 
maybe you can abuse the ctx_id since we still have space there (note that it’s 
limited to 42B).

Let me know how it goes!

Cheers,
Florin

From: "Yu, Ping" <ping...@intel.com>
Date: Wednesday, July 25, 2018 at 9:13 AM
To: "Florin Coras (fcoras)" <fco...@cisco.com>, "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Cc: "Yu, Ping" <ping...@intel.com>
Subject: tls init server is too heavy

Hello, Florin

In current TLS openssl implementation, in each accepted TLS session, 
openssl_ctx_init_server needs to re-init ssl_ctx, and set key and certificate, 
which actually is not necessary, and normally one-time initialization is good 
enough. After I change this initialization to run only once, I can get around 
20~30% performance improvement for CPS.
I am now considering re-architecting this initialization, and one possible 
point is to move this to tls_start_listen. A generic tls_ssl_ctx_init can be 
the interface, then it will call engine specific, such as openssl ssl_ctx 
initialization afterward. What do you think?

Thanks
Ping




View/Reply Online (#10109): https://lists.fd.io/g/vpp-dev/message/10109


Re: [vpp-dev] tls init server is too heavy

2018-07-25 Thread Yu, Ping
That’s great. I will implement it and submit a patch for this optimization.

Ping

From: Florin Coras (fcoras) [mailto:fco...@cisco.com]
Sent: Thursday, July 26, 2018 1:01 AM
To: Yu, Ping; vpp-dev@lists.fd.io
Subject: Re: tls init server is too heavy

Hi Ping,

The plan you proposed sounds great, so definitely go for it! You’ll have to 
find a place to store a pointer to the shared engine-generated context (i.e., 
ssl_ctx) in the generic listener context. If no obvious field is available, 
maybe you can abuse the ctx_id since we still have space there (note that it’s 
limited to 42B).

Let me know how it goes!

Cheers,
Florin

From: "Yu, Ping" <ping...@intel.com>
Date: Wednesday, July 25, 2018 at 9:13 AM
To: "Florin Coras (fcoras)" <fco...@cisco.com>, "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Cc: "Yu, Ping" <ping...@intel.com>
Subject: tls init server is too heavy

Hello, Florin

In current TLS openssl implementation, in each accepted TLS session, 
openssl_ctx_init_server needs to re-init ssl_ctx, and set key and certificate, 
which actually is not necessary, and normally one-time initialization is good 
enough. After I change this initialization to run only once, I can get around 
20~30% performance improvement for CPS.
I am now considering re-architecting this initialization, and one possible 
point is to move this to tls_start_listen. A generic tls_ssl_ctx_init can be 
the interface, then it will call engine specific, such as openssl ssl_ctx 
initialization afterward. What do you think?

Thanks
Ping




View/Reply Online (#9935): https://lists.fd.io/g/vpp-dev/message/9935


Re: [vpp-dev] tls init server is too heavy

2018-07-25 Thread via Lists.Fd.Io
Hi Ping,

The plan you proposed sounds great, so definitely go for it! You’ll have to 
find a place to store a pointer to the shared engine-generated context (i.e., 
ssl_ctx) in the generic listener context. If no obvious field is available, 
maybe you can abuse the ctx_id since we still have space there (note that it’s 
limited to 42B).

Let me know how it goes!

Cheers,
Florin

From: "Yu, Ping"
Date: Wednesday, July 25, 2018 at 9:13 AM
To: "Florin Coras (fcoras)", "vpp-dev@lists.fd.io"
Cc: "Yu, Ping"
Subject: tls init server is too heavy

Hello, Florin

In current TLS openssl implementation, in each accepted TLS session, 
openssl_ctx_init_server needs to re-init ssl_ctx, and set key and certificate, 
which actually is not necessary, and normally one-time initialization is good 
enough. After I change this initialization to run only once, I can get around 
20~30% performance improvement for CPS.
I am now considering re-architecting this initialization, and one possible 
point is to move this to tls_start_listen. A generic tls_ssl_ctx_init can be 
the interface, then it will call engine specific, such as openssl ssl_ctx 
initialization afterward. What do you think?

Thanks
Ping




View/Reply Online (#9934): https://lists.fd.io/g/vpp-dev/message/9934


[vpp-dev] tls init server is too heavy

2018-07-25 Thread Yu, Ping
Hello, Florin

In current TLS openssl implementation, in each accepted TLS session, 
openssl_ctx_init_server needs to re-init ssl_ctx, and set key and certificate, 
which actually is not necessary, and normally one-time initialization is good 
enough. After I change this initialization to run only once, I can get around 
20~30% performance improvement for CPS.
I am now considering re-architecting this initialization, and one possible 
point is to move this to tls_start_listen. A generic tls_ssl_ctx_init can be 
the interface, then it will call engine specific, such as openssl ssl_ctx 
initialization afterward. What do you think?

Thanks
Ping




View/Reply Online (#9932): https://lists.fd.io/g/vpp-dev/message/9932