> -----Original Message-----
> From: Medvedkin, Vladimir
> Sent: Tuesday, August 13, 2019 4:13 PM
> To: dev@dpdk.org
> Cc: Ananyev, Konstantin <konstantin.anan...@intel.com>; Iremonger, Bernard
> <bernard.iremon...@intel.com>
> Subject: [RFC 0/5] ipsec: add inbound SAD
>
> According to RFC 4301, an IPSec implementation needs an inbound SA database (SAD).
> For each incoming inbound IPSec-protected packet (ESP or AH) it has to
> perform a lookup within its SAD.
> Lookup should be performed by:
> Security Parameters Index (SPI) + destination IP (DIP) + source IP (SIP)
> or SPI + DIP
> or SPI only
> and an implementation has to return the “longest” existing match.
> This series extends the DPDK IPsec library with a SAD table implementation that:
> - conforms to the RFC requirements above
> - can scale up to millions of entries
> - supports fast lookups
> - supports incremental updates
>
> The initial series provides an API to create/destroy a SAD, and to
> add/delete/lookup entries within a given SAD table.
> Under the hood it uses three librte_hash tables, each of which contains
> entries for a specific SA type (either it is addressed by SPI only
> or SPI+DIP or SPI+DIP+SIP). Also, this patch series introduces a test-sad
> application to measure performance of the library. According to our
> measurements on SKX for 1M entries, average lookup cost is ~80 cycles,
> average add cost ~500 cycles.
>
> Next Steps:
> - integration with ipsec-secgw

I think doc update (PG and RN) is also missing
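
The longest-match lookup over three per-type tables described in the quoted cover letter, as an added example that is not part of this thread or of the DPDK patch series. It assumes IPv4 keys and uses a linear scan in place of each librte_hash table; every name (`struct sad`, `sad_add`, `sad_lookup`, `sad_demo`) and the sample entries are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Key kinds from the cover letter; every name in this block is hypothetical. */
enum sad_type { SAD_SPI_ONLY, SAD_SPI_DIP, SAD_SPI_DIP_SIP, SAD_TYPES };
struct sad_key { uint32_t spi, dip, sip; };      /* IPv4, host byte order */
struct sad_ent { struct sad_key k; int sa; };
#define SAD_CAP 16
struct sad { struct sad_ent tbl[SAD_TYPES][SAD_CAP]; size_t n[SAD_TYPES]; };

/* Zero the fields a key kind ignores so stored and probed keys compare equal. */
static struct sad_key sad_mask(struct sad_key k, enum sad_type t) {
    if (t < SAD_SPI_DIP_SIP) k.sip = 0;
    if (t < SAD_SPI_DIP) k.dip = 0;
    return k;
}

/* Exact-match probe of one table; the linear scan stands in for a hash lookup. */
static const struct sad_ent *sad_find(const struct sad *s, struct sad_key k, enum sad_type t) {
    k = sad_mask(k, t);
    for (size_t i = 0; i < s->n[t]; i++)
        if (memcmp(&s->tbl[t][i].k, &k, sizeof k) == 0)
            return &s->tbl[t][i];
    return NULL;
}

int sad_add(struct sad *s, struct sad_key k, enum sad_type t, int sa) {
    if (sad_find(s, k, t) || s->n[t] == SAD_CAP) return -1;  /* duplicate or full */
    s->tbl[t][s->n[t]++] = (struct sad_ent){ .k = sad_mask(k, t), .sa = sa };
    return 0;
}

/* Longest match: SPI+DIP+SIP first, then SPI+DIP, then SPI only; -1 if none. */
int sad_lookup(const struct sad *s, struct sad_key pkt) {
    for (int t = SAD_SPI_DIP_SIP; t >= SAD_SPI_ONLY; t--) {
        const struct sad_ent *e = sad_find(s, pkt, (enum sad_type)t);
        if (e != NULL) return e->sa;
    }
    return -1;
}

int sad_demo(uint32_t spi, uint32_t dip, uint32_t sip) {
    struct sad s = {0};   /* constructed sample SAD; SPI 0x100 exists at all three levels */
    sad_add(&s, (struct sad_key){0x100, 0, 0}, SAD_SPI_ONLY, 1);
    sad_add(&s, (struct sad_key){0x100, 0x0a000001, 0}, SAD_SPI_DIP, 2);
    sad_add(&s, (struct sad_key){0x100, 0x0a000001, 0xc0a80001}, SAD_SPI_DIP_SIP, 3);
    sad_add(&s, (struct sad_key){0x200, 0x0a000002, 0}, SAD_SPI_DIP, 4);
    return sad_lookup(&s, (struct sad_key){spi, dip, sip});
}
```

A packet whose SPI is present only in a more specific table with different addresses gets no match at all; the fallback applies only when a less specific entry for that SPI was actually added.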