DPDK IPSec performance benchmark ~ Georgii Tkachuk
-
Upload
intel -
Category
Technology
-
view
71 -
download
4
Transcript of DPDK IPSec performance benchmark ~ Georgii Tkachuk
![Page 1: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/1.jpg)
Dpdk IPSec security gateway applicationIntel NPG PMA, 3/2/2017
![Page 2: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/2.jpg)
Legal Notices and Disclaimers
Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com, or from the OEM or retailer.No computer system can be absolutely secure. Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For more complete information about performance and benchmark results, visit http://www.intel.com/performance. Intel, the Intel logo and others are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. © 2017 Intel Corporation.
![Page 3: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/3.jpg)
3
overview• Example application providing guidelines for using the Cryptography
Device Library framework. • Showcase DPDK cryptodev framework performance with a real world
use case scenario.
• http://dpdk.org/doc/guides-16.04/sample_app_ug/ipsec_secgw.html (Google DPDK IPSec sample application)
![Page 4: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/4.jpg)
4
Overview cont.
IPSec Security Gateway IPSec tunnel
Outbound Traffic
Inbound Traffic
![Page 5: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/5.jpg)
5
Application FlowOutbound
• Check destination• Encrypt, Encapsulate• Route
Inbound
• Classify• Decrypt, Decapsulate• Check SP• Route
RXSecurit
yPolicy (SP)
Security Associatio
n(SA)
Encapsulation (ESP, Outer
IP)Encrypt Route TX
RXClassify(IP/ESP)
Security Associatio
nDecrypt Decapsulatio
n Route TXCheck SP
![Page 6: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/6.jpg)
6
security policyRX
Security
Policy (SP)
Security Associatio
n(SA)
Encapsulation (ESP, Outer
IP)Encrypt Route TX
RXClassify(IP/ESP)
Security Associatio
nDecrypt Decapsulatio
n Route TXCheck SP
Src Dst proto SA idxAny 192.168.115.0/24 Any 5Any 192.168.116.0/24 Any 6Any 192.168.117.0/24 Any BYPASS
![Page 7: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/7.jpg)
7
security associationRX
Security
Policy (SP)
Security Associatio
n(SA)
Encapsulation (ESP, Outer
IP)Encrypt Route TX
RXClassify(IP/ESP)
Security Associatio
nDecrypt Decapsulatio
n Route TXCheck SP
SPI Cipher Auth Tunnel src Tunnel dst5 AES-CBC HMAC-SHA1 172.16.1.5 172.16.2.56 AES-CBC HMAC-SHA1 172.16.1.6 172.16.2.69 NULL NULL 172.16.1.5 172.16.2.5
![Page 8: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/8.jpg)
8
cryptographyRX
Security
Policy (SP)
Security Associatio
n(SA)
Encapsulation (ESP, Outer
IP)Encrypt Route TX
RXClassify(IP/ESP)
Security Associatio
nDecrypt Decapsulatio
n Route TXCheck SP
DPDK cryptodevQAT/AESNI
![Page 9: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/9.jpg)
9
DPDK cryptodev• Crypto PMD framework – similar to DPDK NIC drivers• Same generic API for HW and SW crypto devices • No change to code to switch between QAT and AESNI libraries • Supports • Symmetric Crypto• Authentication • Chained crypto/authentication• Asymmetric Crypto
http://dpdk.org/doc/guides-16.04/prog_guide/cryptodev_lib.html (Google DPDK cryptodev libraries)
![Page 10: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/10.jpg)
10
Flow Traffic Configuration
* Other names and brands may be claimed as the property of others.
*
![Page 11: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/11.jpg)
11
running the application• Pass number of cores• -l 1,2-5
• Pass NICs• -w 02:00.0 …
• Pass encryption device • -w b3:00.0 … or --vdev=‘crypto_aesni_mb’
• Allocate ports and cores • --config=(port,queue,core)
• Provide IPSec config• EP0 or EP1
![Page 12: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/12.jpg)
12
performance considerations
![Page 13: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/13.jpg)
13
system resources• Cores• Run to completion• Packets/Sec/Core varies• Memory• Large amount of data traveling through memory (2x memory accesses vs L3fwd)• Beware of NUMA • Cryptodev• QAT has a limit based on packet size• NIC line rate• Encapsulated packet is larger than original
![Page 14: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/14.jpg)
14
Understanding IPSEC performance numbers
![Page 15: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/15.jpg)
15
Understanding IPSEC performance numbers
Cryptodev Performance cap
![Page 16: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/16.jpg)
16
Understanding IPSEC performance numbers
Core bound packets/second
![Page 17: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/17.jpg)
17
Backup
![Page 18: DPDK IPSec performance benchmark ~ Georgii Tkachuk](https://reader036.fdocuments.in/reader036/viewer/2022062223/58ed2ad71a28ab99628b45d5/html5/thumbnails/18.jpg)
IPSec Packet Format