Hi Chuan,

Please note that we have a daily run of IPSec performance tests in CSIT with VPP running on the physical NIC with DPDK drivers. Also please note that every VPP patch is passing unit tests with IETF and NIST test encryption vectors.

Other comments inline…

> On 18 Nov 2019, at 23:48, Chuan Han via Lists.Fd.Io <chuanhan=google....@lists.fd.io> wrote:
>
> Hi, vpp experts,
>
> I was told that vpp's native ipsec stack is stabler and more performant. We can enable it by commenting out the vdev line in dpdk stanza.
>
> However, when I did so, ipsec decryption failed.
>
> Ex:
> # commenting out this line makes decryption fail.
> vdev crypto_aesni_mb0,socket_id=0

Have you validated that in your working case, packets are decrypted correctly?

Can you share packet trace for both cases?

> Did anyone ever make native ipsec stack, i.e., ia32 work with dpdk/phy nic?

Yes, it is tested and working on a daily basis.

> The interesting thing is no matter whether I comment out the vdev line or not, ia32 is shown as the active crypto handler for aes-gcm-256. Does this mean ia32 is used by both cases?
>
> vpp# sh crypto engines
> Name         Prio    Description
> ia32         100     Intel IA32 ISA Optimized Crypto
> ipsecmb      80      Intel(R) Multi-Buffer Crypto for IPsec Library 0.52.0
> openssl      50      OpenSSL
> vpp# sh crypto handlers
> Algo              Type            Active      Candidates
> (nil)
> des-cbc           encrypt         openssl     openssl
>                   decrypt         openssl     openssl
> 3des-cbc          encrypt         openssl     openssl
>                   decrypt         openssl     openssl
> aes-128-cbc       encrypt         ia32        ia32 ipsecmb openssl
>                   decrypt         ia32        ia32 ipsecmb openssl
> aes-192-cbc       encrypt         ia32        ia32 ipsecmb openssl
>                   decrypt         ia32        ia32 ipsecmb openssl
> aes-256-cbc       encrypt         ia32        ia32 ipsecmb openssl
>                   decrypt         ia32        ia32 ipsecmb openssl
> aes-128-ctr       encrypt         openssl     openssl
>                   decrypt         openssl     openssl
> aes-192-ctr       encrypt         openssl     openssl
>                   decrypt         openssl     openssl
> aes-256-ctr       encrypt         openssl     openssl
>                   decrypt         openssl     openssl
> aes-128-gcm       aead-encrypt    ia32        ia32 ipsecmb openssl
>                   aead-decrypt    ia32        ia32 ipsecmb openssl
> aes-192-gcm       aead-encrypt    ia32        ia32 ipsecmb openssl
>                   aead-decrypt    ia32        ia32 ipsecmb openssl
> aes-256-gcm       aead-encrypt    ia32        ia32 ipsecmb openssl
>                   aead-decrypt    ia32        ia32 ipsecmb openssl
> hmac-md5          hmac            openssl     openssl
> hmac-sha-1        hmac            ipsecmb     ipsecmb openssl
> hmac-sha-224      hmac            ipsecmb     ipsecmb openssl
> hmac-sha-256      hmac            ipsecmb     ipsecmb openssl
> hmac-sha-384      hmac            ipsecmb     ipsecmb openssl
> hmac-sha-512      hmac            ipsecmb     ipsecmb openssl
> vpp#

The “show crypto handlers” command is part of the new crypto infra, and that command doesn’t have anything to do with the dpdk ipsec implementation. If you turn on dpdk ipsec, the new crypto infra is simply not used...

> I attached the two servers' startup conf files and topology diagram.
>
> Any input/comments are welcome.
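Added example, not part of the original thread and not VPP code: a Python check that reads the "sh crypto handlers" table only when it actually applies. It assumes, as the thread implies, that an uncommented "vdev crypto_*" line in the dpdk stanza turns on dpdk ipsec; the function names, the "dpdk-cryptodev" label and both sample inputs are constructed for illustration.

```python
import re

OP_TYPES = {"encrypt", "decrypt", "aead-encrypt", "aead-decrypt", "hmac"}

# Constructed samples: an excerpt of the table quoted in the thread, and a
# minimal dpdk stanza (the real startup.conf attachments are not on the page).
HANDLERS = """\
vpp# sh crypto handlers
Algo              Type            Active      Candidates
(nil)
des-cbc           encrypt         openssl     openssl
                  decrypt         openssl     openssl
aes-256-gcm       aead-encrypt    ia32        ia32 ipsecmb openssl
                  aead-decrypt    ia32        ia32 ipsecmb openssl
hmac-sha-1        hmac            ipsecmb     ipsecmb openssl
"""
CONF_DPDK = "unix { nodaemon }\ndpdk {\n  vdev crypto_aesni_mb0,socket_id=0\n}\n"
CONF_NATIVE = CONF_DPDK.replace("vdev crypto", "# vdev crypto")

def parse_handlers(text):
    """Map (algo, op type) -> (active engine, [candidate engines])."""
    handlers, algo = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("Algo", "(nil)") or tok[0].startswith("vpp#"):
            continue
        if tok[0] not in OP_TYPES:       # new algorithm row: name comes first
            algo, tok = tok[0], tok[1:]
        if algo is None or len(tok) < 2 or tok[0] not in OP_TYPES:
            continue                     # not a handler row
        handlers[(algo, tok[0])] = (tok[1], tok[2:])
    return handlers

def dpdk_crypto_vdev_enabled(conf):
    """True if the dpdk stanza holds an uncommented 'vdev crypto_*' line."""
    depth, in_dpdk = 0, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if depth == 0 and re.match(r"dpdk\s*\{", line):
            in_dpdk = True
        if in_dpdk and re.match(r"vdev\s+crypto_", line):
            return True
        depth += line.count("{") - line.count("}")
        if depth == 0:
            in_dpdk = False
    return False

def esp_crypto_path(conf, handlers_text, algo="aes-256-gcm", op="aead-decrypt"):
    """Engine doing the work: the handlers table is ignored under dpdk ipsec."""
    if dpdk_crypto_vdev_enabled(conf):
        return "dpdk-cryptodev"          # label made up for this example
    return parse_handlers(handlers_text)[(algo, op)][0]
```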