> > According to RFC 4301 IPSec implementation needs an inbound SA database > (SAD). > For each incoming inbound IPSec-protected packet (ESP or AH) it has to > perform a lookup within it’s SAD. > Lookup should be performed by: > Security Parameters Index (SPI) + destination IP (DIP) + source IP (SIP) > or SPI + DIP > or SPI only > and an implementation has to return the “longest” existing match. > These series extend DPDK IPsec library with SAD table implementation that: > - conforms to the RFC requirements above > - can scale up to millions of entries > - supports fast lookups > - supports incremental updates > > Initial series provide an API to create/destroy SAD, and to > add/delete/lookup entries within given SAD table. > Under the hood it uses three librte_hash tables each of which contains > an entries for a specific SA type (either it is addressed by SPI only > or SPI+DIP or SPI+DIP+SIP) Also this patch series introduce test-sad > application to measure performance of the library. According to our > measurements on SKX for 1M entries average lookup cost is ~80 cycles, > average add cost ~500 cycles.
Following issues were fixed. - map file additions were not in alphabetical order. - duplicate includes in test-sad app - changed patch description for some of the patches. - release notes updated for test-sad application. Series Applied to dpdk-next-crypto Thanks. > > v7: > - split documentation across library patches > - fix spelling > - add maintainership > > v6: > - fix rte_ipsec_sad_lookup() comments regarding return value > - added parallel lookup feature to test-sad app > - added read/write concurrency support flag to test-sad app > - added programmer's guide > - updated release notes > > v5: > - small fix in rte_ipsec_sad_create() > - add comments in rte_ipsec_sad.h > > v4: > - fixes in test-sad app > - small fixes in rte_ipsec_sad_create() > - fixes in test_find_existing() from unittests > > v3: > - fixes in rte_ipsec_sad_create() and rte_ipsec_sad_find_existing() > - fix typos > - updated commit messages > - added test_find_existing() in unittests > > v2: > - various bugs fixed > - rte_ipsec_sad_free renamed to rte_ipsec_sad_destroy > - added const qualifier to rte_ipsec_sad_key *key for add/delete > - added more comments into the code > - added ipv6 support into the testsad app > - added <DEL> measurement into the testsad app > - random SPI values are generated without dups > - added support for configurable burst size in testsad app > - added verbose mode into the testsad app > > Vladimir Medvedkin (5): > ipsec: add inbound SAD API > ipsec: add SAD create/destroy implementation > ipsec: add SAD add/delete/lookup implementation > test/ipsec: add ipsec SAD autotests > app: add test-sad application > > MAINTAINERS | 3 + > app/Makefile | 1 + > app/meson.build | 3 +- > app/test-sad/Makefile | 18 + > app/test-sad/main.c | 668 +++++++++++++++++++++++++ > app/test-sad/meson.build | 6 + > app/test/Makefile | 1 + > app/test/autotest_data.py | 6 + > app/test/meson.build | 1 + > app/test/test_ipsec_sad.c | 887 > +++++++++++++++++++++++++++++++++ > doc/guides/prog_guide/ipsec_lib.rst | 152 ++++++ > doc/guides/rel_notes/release_19_11.rst | 3 + > lib/librte_ipsec/Makefile | 4 +- > lib/librte_ipsec/ipsec_sad.c | 515 +++++++++++++++++++ > lib/librte_ipsec/meson.build | 6 +- > lib/librte_ipsec/rte_ipsec_sad.h | 176 +++++++ > lib/librte_ipsec/rte_ipsec_version.map | 7 + > 17 files changed, 2452 insertions(+), 5 deletions(-) > create mode 100644 app/test-sad/Makefile > create mode 100644 app/test-sad/main.c > create mode 100644 app/test-sad/meson.build > create mode 100644 app/test/test_ipsec_sad.c > create mode 100644 lib/librte_ipsec/ipsec_sad.c > create mode 100644 lib/librte_ipsec/rte_ipsec_sad.h > > -- > 2.7.4
