Hi Dom, 

First of all, tls code is not optimized and there are some scheduling 
inefficiencies that we are aware of and which do affect overall performance. 
Having said that, you might be able to improve throughput by increasing rx and 
tx buffer sizes (any reason for keeping them that small?). 

Note that tls-openssl engine (one of the 3 tls engines) does not use vpp’s 
native crypto infra, i.e., the crypto handlers are independent of it. Currently 
there is no way to inspect the ciphers on established connections but this 
could be added to the tls connection format function. 

Regards, 
Florin

> On Feb 25, 2020, at 1:50 PM, dchons via Lists.Fd.Io 
> <dchons=akouto....@lists.fd.io> wrote:
> 
> Hello,
> 
> I'm trying to get an idea of TLS throughput using openssl without hardware 
> acceleration, and I'm using the vpp_echo application as follows:
> Server: taskset --cpu-list 4,6,8 ./vpp_echo socket-name /tmp/vpp-api.sock uri tls://10.0.0.71/9999 fifo-size 2000000 uni RX=50Gb TX=0 stats 1 sclose=Y rx-buf 4800 tx-buf 0 mq-size 100000
> Client: taskset --cpu-list 4,6,8 ./vpp_echo socket-name /tmp/vpp-api.sock client uri tls://10.0.0.71/9999 fifo-size 2000000 uni TX=50Gb RX=0 stats 1 sclose=Y tx-buf 1400 rx-buf 0 mq-size 5000000
> I've tried to make sure that openssl is used as the crypto engine by adding 
> the following to startup.conf:
> plugins {
>         plugin crypto_ipsecmb_plugin.so { disable }
>         plugin tlspicotls_plugin.so { disable }
>         plugin crypto_native_plugin.so { disable }
>         plugin tlsmbedtls_plugin.so { disable }
> }
> Using "show crypto handlers" I can confirm that "Active" and "Candidates" 
> only lists openssl for all ciphers.
> 
> In order to make sure that AES-GCM is used, I put a temporary hack in 
> src/plugins/tlsopenssl/tls_openssl.c near line 892:
> tls_openssl_set_ciphers("AESGCM"); // was originally ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH
> 
> With this setup, I get around 1 Gbps initially, which after some time drops 
> off to 500 Mbps (over 10 Gbps NICs). When I use the exact same NICs and a 
> regular TLS client/server application (after stopping VPP and returning the 
> NICs to the OS) I get 5.3 Gbps.
> 
> My questions are:
> 1. Any suggestions on configuration or tuning to get TLS performance at least 
> close to what is possible using a generic TLS client / server using openssl?
> 2. Is there a way to check / confirm that VPP is using AES-GCM when I run my 
> test as shown above?
> 
> Thank you!
> Dom
> 
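
Added example, not from the thread or the VPP code base: Python's ssl module, used here only as a front end to the locally installed OpenSSL, expands the two cipher strings from the quoted hack. OpenSSL applies a cipher-list string to TLS 1.2 and earlier only, so the sketch also lists the TLS 1.3 suites, which the string leaves untouched; results depend on the local OpenSSL build and do not show what a given VPP connection negotiated.

```python
import ssl

# Both strings are quoted in the thread; everything else here is constructed.
ORIGINAL = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH"
HACK = "AESGCM"


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for a cipher-list string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list()
    return ctx.get_ciphers()


def split_by_protocol(ciphers):
    """Separate TLS 1.3 suites from suites for TLS 1.2 and earlier."""
    tls13 = [c["name"] for c in ciphers if c["protocol"] == "TLSv1.3"]
    legacy = [c["name"] for c in ciphers if c["protocol"] != "TLSv1.3"]
    return tls13, legacy


def non_aes_gcm(names):
    """Suite names that are not AES in GCM mode."""
    return [n for n in names if not ("AES" in n and "GCM" in n)]


def report(cipher_string):
    """Summarise what a cipher-list string does and does not restrict."""
    tls13, legacy = split_by_protocol(expand(cipher_string))
    return {
        "tls13": tls13,
        "legacy_total": len(legacy),
        "legacy_not_aes_gcm": non_aes_gcm(legacy),
        "tls13_not_aes_gcm": non_aes_gcm(tls13),
    }


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for label, s in (("original", ORIGINAL), ("hack", HACK)):
        r = report(s)
        print(f"{label}: {r['legacy_total']} TLS<=1.2 suites, "
              f"{len(r['legacy_not_aes_gcm'])} not AES-GCM")
        print(f"  TLS 1.3 suites (unchanged by the string): {r['tls13']}")
        print(f"  TLS 1.3 suites that are not AES-GCM: {r['tls13_not_aes_gcm']}")
```
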
