Hi Damjan, Thanks for the heads-up. Never come to that. I’m still thinking it is acceptable if we are doing IPSec. Buffer copying is a significant overhead.
We are working on the code, will contribute when we think it is ready. There are so many corner cases of IPSec, hard to say we can cover all of them. Regards, Kingwel From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Damjan Marion Sent: Monday, July 02, 2018 7:43 PM To: Kingwel Xie <kingwel....@ericsson.com> Cc: Vamsi Krishna <vamsi...@gmail.com>; Jim Thompson <j...@netgate.com>; Dave Barach <dbar...@cisco.com>; vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Is VPP IPSec implementation thread safe? -- Damjan On 2 Jul 2018, at 11:14, Kingwel Xie <kingwel....@ericsson.com<mailto:kingwel....@ericsson.com>> wrote: Hi Vamsi, Damjan, I’d like to contribute my two cents about IPSEC. We have been working on the improvement for quite some time. 1. Great that vPP supports IPSEC, but the code is mainly for PoC. It lacks of many features: buffer chain, AES-GCM/AES-CTR, UDP encap (seems already there in master track?) many hardcode, broken packet trace, SEQ handling, etc. 2. Performance is not good, because of wrongly usage of openssl, buffer copying. Buffer copying is needed, otherwise you have problem with cloned buffers. I.e. you still want original packet to be SPANed.... 1. We can see 100% up after fixing all these issues. 2. DPDK Ipsec has better performance but the quality of code is not good, many bugs. If you are looking for a production IPSEC, vpp is a good start but you still have a lot things to do. Contributions are welcome :)
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#9766): https://lists.fd.io/g/vpp-dev/message/9766 Mute This Topic: https://lists.fd.io/mt/22720913/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
