Thanks a lot, I think I got a better understanding because of your help. As you 
said, the outer UDP checksum is optional and often left as 0. Is there any 
issue if I use VXLAN-GPE and send packets to the ip4-input-nochecksum node, 
which will skip the inner IP checksum verification?

Regards,
Yuwei

From: vpp-dev@lists.fd.io [mailto:vpp-dev@lists.fd.io] On Behalf Of John Lo (loj) via Lists.Fd.Io
Sent: Monday, October 22, 2018 11:56 PM
To: Zhang, Yuwei1 <yuwei1.zh...@intel.com>; vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] one question IP checksum

Hi Yuwei,

I did not suggest one can create a VXLAN tunnel and send the decap packet directly 
to ip4-input or ip4-input-nochecksum.  It will not work because the VXLAN 
payload still has a MAC header before the IP header after decap.  That's why 
it only works if it is sent to ethernet-input.  You are getting a checksum error 
because the ip4-input node is treating the MAC header as if it is an IP header.

I was suggesting you may be able to create a VXLAN-GPE tunnel (with a different 
CLI to that of the VXLAN one) which is different to a VXLAN tunnel.  With 
VXLAN-GPE, you can potentially send just an IP packet without an ethernet header, 
with the appropriate protocol field in the VXLAN-GPE header set accordingly.  
Then it is feasible to send the packet directly to ip4-input or 
ip4-input-nochecksum.  I am not sure how completely VXLAN-GPE handling is 
implemented in VPP so you may need to improve the code to handle it.

Note that a big portion of the performance gain you observed is because the 
ethernet-input node is bypassed, in addition to the saving from not calculating the IP 
checksum.

As I described before, VXLAN is supposed to be used for L2 to carry ethernet 
packets.  If it is used for L3, it is not standard usage and will not 
interoperate properly with other devices. For L3, VXLAN-GPE should ideally be 
used as it is designed to handle encap/decap of various packet types, as GPE 
means "generic protocol extension", including L2 and L3 protocols.

Regards,
John
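
The two points in the reply above, worked through as an added example (not VPP code and not part of the original thread): the same decapsulated bytes validate as IPv4 only when parsing starts at the right offset, and the VXLAN-GPE header is what tells the receiver which offset that is. The flag bits and Next Protocol values follow the VXLAN-GPE draft; the function names, the "drop" label and all packet bytes are constructed for illustration.

```python
import struct

# VXLAN-GPE Next Protocol values mapped to node names from this thread
# (ip6-input added for completeness; "drop" is a placeholder label).
GPE_NEXT = {0x01: "ip4-input", 0x02: "ip6-input", 0x03: "ethernet-input"}

def decap_next_node(vxlan_hdr: bytes) -> str:
    """Pick the node that matches what really follows the 8-byte header."""
    if len(vxlan_hdr) < 8 or not vxlan_hdr[0] & 0x08:  # I bit: VNI valid
        return "drop"
    if vxlan_hdr[0] & 0x04:                  # P bit: Next Protocol is set
        return GPE_NEXT.get(vxlan_hdr[3], "drop")
    return "ethernet-input"                  # plain VXLAN carries Ethernet

def _fold(buf: bytes) -> int:
    """16-bit one's-complement sum over an even-length buffer."""
    total = sum(struct.unpack(f"!{len(buf) // 2}H", buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip4_input_verdict(buf: bytes) -> str:
    """What a checksum-verifying IPv4 input stage concludes about buf."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return "bad-version"
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return "bad-length"
    return "ok" if _fold(buf[:ihl]) == 0xFFFF else "bad-checksum"

def build_ip4(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed sample packet: 20-byte header with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0, 0, 64, 17, 0, src, dst))
    struct.pack_into("!H", hdr, 10, ~_fold(bytes(hdr)) & 0xFFFF)
    return bytes(hdr) + payload

# Constructed inputs. The MAC starts with 0x46 so that, misread as IPv4, it
# passes the version test (version 4, IHL 6) and fails on the checksum.
INNER_IP = build_ip4(bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]), b"data")
INNER_ETH = bytes.fromhex("460000000002" "020000000001" "0800") + INNER_IP
CORRUPT_IP = INNER_IP[:19] + bytes([INNER_IP[19] ^ 0x01]) + INNER_IP[20:]
VXLAN_HDR = bytes([0x08, 0, 0, 0, 0, 0, 24, 0])       # VNI 24, no P bit
GPE_IP4_HDR = bytes([0x0C, 0, 0, 0x01, 0, 0, 24, 0])  # VNI 24, next = IPv4

if __name__ == "__main__":
    print(decap_next_node(VXLAN_HDR), ip4_input_verdict(INNER_ETH))
    print(decap_next_node(GPE_IP4_HDR), ip4_input_verdict(INNER_IP))
    print("corrupted inner header:", ip4_input_verdict(CORRUPT_IP))
```

The last case is the check a no-checksum input node never performs; with the outer IPv4 UDP checksum left at 0, as described further down the thread, no other L3/L4 checksum in the decap path covers that corrupted inner header.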

From: Zhang, Yuwei1 <yuwei1.zh...@intel.com>
Sent: Monday, October 22, 2018 4:50 AM
To: John Lo (loj) <l...@cisco.com>; vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] one question IP checksum

Hi John, thanks for your instructions. I tried to use your method with the 
steps below:

1) Create tunnel: vppctl create vxlan tunnel src 10.0.0.1 dst 10.0.0.2 vni 24 encap-vrf-id 0 decap-next node ip4-input-no-checksum;

2) Send vxlan traffic without inner ip header;

I can see an obvious performance gain. But if I set the decap-next node 
ipv4-input, the vpp will drop the packet after decapsulation because of the wrong 
inner ip header checksum. But when I set the decap-next node Ethernet-input, 
the packet will not be dropped. I'm a little confused about this.

BTW, could you give me some explanation about which scenario should use vxlan 
over l2 and which scenario should use vxlan over l3? Thanks for your kind 
help again!

Regards,
Yuwei

From: vpp-dev@lists.fd.io [mailto:vpp-dev@lists.fd.io] On Behalf Of John Lo (loj) via Lists.Fd.Io
Sent: Saturday, October 20, 2018 11:06 PM
To: Zhang, Yuwei1 <yuwei1.zh...@intel.com>; vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] one question IP checksum

Hi Yuwei,

I see that you are using VXLAN to carry L3 packets which seem to still have an 
ethernet header.  This is not standard usage of VXLAN so I am not aware of a 
way to achieve what you desired via some kind of configuration of VPP.  A more 
optimal (also not standard) way may be to just send the IP payload in the VXLAN tunnel 
without an Ethernet header.  Then on decap, you can send the packet directly to the 
ip-input-nochecksum node (instead of the ethernet-input node).  The proper way to 
do this would be to use VXLAN-GPE, which includes a protocol header to specify the 
payload type.

BTW, your claim that the UDP checksum on the outer packet would already cover the 
inner payload, including its IP header, is not necessarily correct.  For IPv4, 
the UDP checksum is optional and often left as 0, so not calculated.  VPP VXLAN 
encap would leave the UDP checksum as 0 to save clocks if the underlay is IPv4. If the 
underlay is IPv6, then the UDP checksum would be required and VPP would set it on 
VXLAN encap.

Regards,
John

From: Zhang, Yuwei1 <yuwei1.zh...@intel.com>
Sent: Saturday, October 20, 2018 9:58 AM
To: John Lo (loj) <l...@cisco.com>; vpp-dev@lists.fd.io
Cc: Yang, Zhiyong <zhiyong.y...@intel.com>
Subject: RE: [vpp-dev] one question IP checksum

Thanks a lot for your detailed reply, John. My scenario is vxlan over an l3 network, 
which means that after decapsulation, vpp will use the ip header to execute the forward 
function. I use this command to create the tunnel: "vppctl create vxlan tunnel src 10.0.0.1 dst 10.0.0.2 vni 24 encap-vrf-id 0 decap-next node ethernet-input". 
I found that vpp will calculate the inner ip header checksum 
and verify it. So I wonder if it is possible to skip the inner ip header 
calculation because the outer udp checksum can cover the inner packet. 
Expecting your reply, thanks a lot.

Regards,
Yuwei

From: John Lo (loj) [mailto:l...@cisco.com]
Sent: Friday, October 19, 2018 11:04 PM
To: Zhang, Yuwei1 <yuwei1.zh...@intel.com>; vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] one question IP checksum

The IP path after receiving a VXLAN packet is processing the outer IP header 
and not the inner one.  The payload of VXLAN packet is expected to be an 
ethernet packet.  After VXLAN decap, the payload ethernet packet will be 
processed in L2 forwarding path where no IP processing is involved.

If you want to speed up VXLAN decap processing, there is a vxlan-bypass feature 
you can enable on the underlay interface which will look for VXLAN packet and 
bypass IP lookup to speed up processing:

vpp# set interface ip vxlan-bypass ?
  set interface ip vxlan-bypass            set interface ip vxlan-bypass <interface> [del]

Enabling this feature on IP forwarding would add slight overhead for non-VXLAN 
IP packets but speed up VXLAN decap performance as IP lookup is not done.

Regards,
John

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Zhang Yuwei
Sent: Thursday, October 18, 2018 11:26 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] one question IP checksum

Hi Guys and VPP maintainers,

When I run VPP in a vxlan scenario, I found that when VPP receives a 
vxlan packet, after decapsulation, the packet will go into the ip-input node 
instead of ip-input-nochecksum, which means vpp will re-calculate the checksum 
and verify it. I think the outer UDP checksum already includes the inner 
packet as payload, so can we skip the ip header checksum calculation for the inner 
ip header? This part is done by software, which will cause some CPU cycle 
consumption, and I tried: if the checksum calculation is skipped, there is an obvious 
performance gain. Can anybody give me some instructions? Thanks a lot for your 
kind help.

Regards,
Yuwei
