[vpp-dev] TLS configuration & throughput

Tue, 25 Feb 2020 13:50:52 -0800 

Hello,

I'm trying to get an idea of TLS throughput using openssl without hardware 
acceleration, and I'm using the vpp_echo application as follows:

* *Server :* taskset --cpu-list 4,6,8 ./vpp_echo socket-name /tmp/vpp-api.sock 
uri tls://10.0.0.71/9999 fifo-size 2000000 uni RX=50Gb TX=0 stats 1 sclose=Y 
rx-buf 4800 tx-buf 0 mq-size 100000
* *Client :* taskset --cpu-list 4,6,8 ./vpp_echo socket-name /tmp/vpp-api.sock 
client uri tls://10.0.0.71/9999 fifo-size 2000000 uni TX=50Gb RX=0 stats 1 
sclose=Y tx-buf 1400 rx-buf 0 mq-size 5000000

I've tried to make sure that openssl is used as the crypto engine by adding the 
following to startup.conf:
plugins {
plugin crypto_ipsecmb_plugin.so { disable }
plugin tlspicotls_plugin.so { disable }
plugin crypto_native_plugin.so { disable }
plugin tlsmbedtls_plugin.so { disable }
}
Using " *show crypto handlers* " I can confirm that "Active" and "Candidates" 
only lists *openssl* for all ciphers.

In order to make sure that AES-GCM is used, I put a temporary hack in 
src/plugins/tlsopenssl/tls_openssl.c near line 892:
*tls_openssl_set_ciphers("AESGCM");* //was originally 
ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH

With this setup, I get around 1 Gbps initially, which after some time drops off 
to *500 Mbps* (over 10 Gbps NICs). When I use the exact same NICs and a regular 
TLS client/server application (after stopping VPP and returning the NICs to the 
OS) I get *5.3 Gbps*.

My questions are:
1. Any suggestions on configuration or tuning to get TLS performance at least 
close to what is possible using a generic TLS client / server using openssl ?
2. Is there a way to check / confirm that VPP is using AES-GCM when I run my 
test as shown above?

Thank you!
Dom

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#15530): https://lists.fd.io/g/vpp-dev/message/15530
Mute This Topic: https://lists.fd.io/mt/71542617/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to