Well, there is a vector named recycle to remember all old buffers, which consequently means a lot of mem resize, mem_cpy when vector rate is 256 or so. Counting all of this overhead, I’d say I see around 7~10% impact, after fixing the openssl usage issue.
BTW, openssl issue means we should always fully initialize the cipher and hmac context once, instead of doing it every time handling one packet. Taking AES-CBC as an example, when encrypting packet:

    EVP_CipherInit_ex (ctx, NULL, NULL, NULL, iv, -1); // only do it with iv, iv is changed per every packet
    EVP_CipherUpdate (ctx, in, &out_len, in, in_len);

On the other hand, we do full initialization when creating contexts. Note keys should be specified here, but not IV.

    HMAC_Init_ex (sa->context[thread_id].hmac_ctx, sa->integ_key, sa->integ_key_len, md, NULL);
    EVP_CipherInit_ex (sa->context[thread_id].cipher_ctx, cipher, NULL, sa->crypto_key, NULL, is_outbound > 0 ? 1 : 0);

Initialization with keys would take quite a long time because openssl does a lot of math. It is not necessary, as we know, keys are kept unchanged in most cases for a SA.

Regards,
Kingwel

From: Damjan Marion <dmar...@me.com>
Sent: Tuesday, July 03, 2018 5:14 PM
To: Kingwel Xie <kingwel....@ericsson.com>
Cc: Vamsi Krishna <vamsi...@gmail.com>; Jim Thompson <j...@netgate.com>; Dave Barach <dbar...@cisco.com>; vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Is VPP IPSec implementation thread safe?

On 3 Jul 2018, at 02:36, Kingwel Xie <kingwel....@ericsson.com> wrote:

Hi Damjan,

Thanks for the heads-up. Never come to that. I’m still thinking it is acceptable if we are doing IPSec. Buffer copying is a significant overhead.

What I wanted to say by copying is writing encrypted data into new buffer instead of overwriting the payload of existing buffer. I will not call that a significant overhead.

We are working on the code, will contribute when we think it is ready. There are so many corner cases of IPSec, hard to say we can cover all of them.

I know that other people are also working on the code, so will be good that we are all in sync to avoid throwaway work....