Age | Commit message (Collapse) | Author | Files | Lines |
|
Adding flow cache support to improve outbound IPv4/IPSec SPD lookup
performance. Details about flow cache:
Mechanism:
1. First packet of a flow will undergo linear search in SPD
table. Once a policy match is found, a new entry will be added
into the flow cache. From 2nd packet onwards, the policy lookup
will happen in flow cache.
2. The flow cache is implemented using bihash without collision
handling. This will avoid the logic to age out or recycle the old
flows in flow cache. Whenever a collision occurs, old entry will
be overwritten by the new entry. Worst case is when all the 256
packets in a batch result in collision and fall back to linear
search. Average and best case will be O(1).
3. The size of flow cache is fixed and decided based on the number
of flows to be supported. The default is set to 1 million flows.
This can be made as a configurable option as a next step.
4. Whenever a SPD rule is added/deleted by the control plane, the
flow cache entries will be completely deleted (reset) in the
control plane. The assumption here is that SPD rule add/del is not
a frequent operation from control plane. Flow cache reset is done,
by putting the data plane in fall back mode, to bypass flow cache
and do linear search till the SPD rule add/delete operation is
complete. Once the rule is successfully added/deleted, the data
plane will be allowed to make use of the flow cache. The flow
cache will be reset only after flushing out the inflight packets
from all the worker cores using
vlib_worker_wait_one_loop().
Details about bihash usage:
1. A new bihash template (16_8) is added to support IPv4 5 tuple.
BIHASH_KVP_PER_PAGE and BIHASH_KVP_AT_BUCKET_LEVEL are set
to 1 in the new template. It means only one KVP is supported
per bucket.
2. Collision handling is avoided by calling
BV (clib_bihash_add_or_overwrite_stale) function.
Through the stale callback function pointer, the KVP entry
will be overwritten during collision.
3. Flow cache reset is done using
BV (clib_bihash_foreach_key_value_pair) function.
Through the callback function pointer, the KVP value is reset
to ~0ULL.
MRR performance numbers with 1 core, 1 ESP Tunnel, null-encrypt,
64B for different SPD policy matching indices:
SPD Policy index : 1 10 100 1000
Throughput : MPPS/MPPS MPPS/MPPS MPPS/MPPS KPPS/MPPS
(Baseline/Optimized)
ARM Neoverse N1 : 5.2/4.84 4.55/4.84 2.11/4.84 329.5/4.84
ARM TX2 : 2.81/2.6 2.51/2.6 1.27/2.6 176.62/2.6
INTEL SKX : 4.93/4.48 4.29/4.46 2.05/4.48 336.79/4.47
Next Steps:
Following can be made as a configurable option through startup
conf at IPSec level:
1. Enable/Disable Flow cache.
2. Bihash configuration like number of buckets and memory size.
3. Dual/Quad loop unroll can be applied around bihash to further
improve the performance.
4. The same flow cache logic can be applied for IPv6 as well as in
IPSec inbound direction. A deeper and wider flow cache using
bihash_40_8 can replace existing bihash_16_8, to make it
common for both IPv4 and IPv6 in both outbound and
inbound directions.
Following changes are made based on the review comments:
1. ON/OFF flow cache through startup conf. Default: OFF
2. Flow cache stale entry detection using epoch counter.
3. Avoid host order endianness conversion during flow cache
lookup.
4. Move IPSec startup conf to a common file.
5. Added SPD flow cache unit test case
6. Replaced bihash with vectors to implement flow cache.
7. ipsec_add_del_policy API is not mpsafe. Cleaned up
inflight packets check in control plane.
Type: improvement
Signed-off-by: mgovind <govindarajan.Mohandoss@arm.com>
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Tested-by: Jieqiang Wang <jieqiang.wang@arm.com>
Change-Id: I62b4d6625fbc6caf292427a5d2046aa5672b2006
|
|
Type: improvement
Change-Id: Iec585880085b12b08594a0640822cd831455d594
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
If logging is on, it will try to print the address nh. Make sure it is
not NULL.
Type: fix
Change-Id: I81c0295865901406d86e0d822a103b4d5adffe47
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: improvement
Change-Id: Iac01d7830b53819ace8f199554be10ab89ecdb97
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: feature
Gaps in the sequence numbers received on an SA indicate packets that were lost.
Gaps are identified using the anti-replay window that records the sequences seen.
Publish the number of lost packets in the stats segment at /net/ipsec/sa/lost
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8af1c09b7b25a705e18bf82e1623b3ce19e5a74d
|
|
The ipsec startup.conf config currently exists in ipsec_tun.c. This is
because currently the only ipsec{...} options are tunnel related.
This patch moves the ipsec config to a common file (ipsec.c) for future
extensibility/addition of non-tunnel related config options.
Type: refactor
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: I1569dd7948334fd2cc28523ccc6791a22dea8d32
|
|
Type: refactor
Change-Id: Id10cbf52e8f2dd809080a228d8fa282308be84ac
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
These file are no longer needed
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I34f8e0b7e17d9e8c06dcd6c5ffe51aa273cdec07
|
|
Type: docs
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ica576e13953a3c720a7c093af649d1dd380cc2c0
|
|
Type: improvement
There's no need for the user to set the TUNNEL_V6 flag, it can be
derived from the tunnel's address type.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I073073dc970b8a3f2b2645bc697fc00db1adbb47
|
|
Type: fix
two problems;
1 - just because anti-reply is not enabled doesn't mean the high sequence
number should not be used.
- fix, there needs to be some means to detect a wrapped packet, so we
use a window size of 2^30.
2 - The SA object was used as a scratch pad for the high-sequence
number used during decryption. That means that once the batch has been
processed the high-sequence number used is lost. This means it is not
possible to distinguish this case:
if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
{
...
if (post_decrypt)
{
if (hi_seq_used == sa->seq_hi)
/* the high sequence number used to succesfully decrypt this
* packet is the same as the last-sequnence number of the SA.
* that means this packet did not cause a wrap.
* this packet is thus out of window and should be dropped */
return 1;
else
/* The packet decrypted with a different high sequence number
* to the SA, that means it is the wrap packet and should be
* accepted */
return 0;
}
- fix: don't use the SA as a scratch pad, use the 'packet_data' - the
same place that is used as the scratch pad for the low sequence number.
other consequences:
- An SA doesn't have seq and last_seq, it has only seq; the sequence
numnber of the last packet tx'd or rx'd.
- there's 64bits of space available on the SA's first cache line. move
the AES CTR mode IV there.
- test the ESN/AR combinations to catch the bugs this fixes. This
doubles the amount of tests, but without AR on they only run for 2
seconds. In the AR tests, the time taken to wait for packets that won't
arrive is dropped from 1 to 0.2 seconds thus reducing the runtime of
these tests from 10-15 to about 5 sceonds.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iaac78905289a272dc01930d70decd8109cf5e7a5
|
|
ipsec4_input_node
ipsec_spd_policy_counters are incremented only for matched inbound
PROTECT actions (:273 and :370). BYPASS + DISCARD actions also have
SPD policy counters that should be incremented on match.
This fix increments the counters for inbound BYPASS and DISCARD actions.
Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iac3c6d344be25ba5326e1ed45115ca299dee5f49
|
|
Type: improvement
the rationale being that the del only requires the SA's ID, so it's a
bit mean to require the client to fill out all the other information as
well.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ibbc20405e74d6a0e1a3797465ead5271f15888e4
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0db7343e907524af5adb2f4771b45712927d5833
|
|
Length check must also take current_data into account.
Type: fix
Change-Id: I7a1b1752868892d40f59490d05452ef24565cca6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: test
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iec69d8624b15766ed65e7d09777819d2242dee17
|
|
Type: fix
If an async crypto frame is allocated during ESP encrypt/decrypt but
a buffer/op is not subsequently added to the frame, the frame leaks. It
is not submitted if the count of async ops is zero nor is it
returned to the frame pool. This happens frequently if >= 2 worker
threads are configured and a vector of buffers all have to be handed
off to other threads.
Wait until it is almost certain that the buffer will be added to the
frame before allocating the frame to make it more unlikely that an
allocated frame will not have any operations added to it.
For encrypt this is sufficient to ressolve the leak. For decrypt there
is still a chance that the buffer will fail to be added to the frame, so
remove the counter of async ops and ensure that all frames that were
allocated get either submitted or freed at the end.
Change-Id: I4778c3265359b192d8a88ab9f8c53519d46285a2
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
When both chained and non-chained buffers are processed in the same
vector, make sure the non-chained buffers are processed as non-chained
crypto ops.
Type: fix
Change-Id: I19fc02c25a0d5e2e8a1342e2b88bbae3fe92862f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
The same value is used for other tunnel types.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6593001918993d65f127cc9f716c95e932239842
|
|
Mechanical change for patch following this one...
Type: improvement
Change-Id: Iee12f3a8851f35569e6c039494a94fc36e83d20f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Change-Id: I433fe3799975fe3ba00fa30226f6e8dae34e88fc
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: improvement
Some tests i.e. ipsec see performance regression when offload flags
are moved to 2nd cacheline. This patch moves them back to 1st cacheline.
Change-Id: I6ead45ff6d2c467b0d248f409e27c2ba31758741
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
We don't use libssl anymore... At least not directly.
Type: improvement
Change-Id: I9a0fab6e3c576d945498ce46f030bd26c1a14d15
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
The crypto op flags must be reset to frame flags minus invalid values
depending of the operation, instead of forcing them to specific values.
Type: fix
Change-Id: Ib02c2a738bbca6962394b3c03088d516d0da56a0
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
This module implement Python access to the VPP statistics segment. It
accesses the data structures directly in shared memory.
VPP uses optimistic locking, so data structures may change underneath
us while we are reading. Data is copied out and it's important to
spend as little time as possible "holding the lock".
Counters are stored in VPP as a two dimensional array.
Index by thread and index (typically sw_if_index).
Simple counters count only packets, Combined counters count packets
and octets.
Counters can be accessed in either dimension.
stat['/if/rx'] - returns 2D lists
stat['/if/rx'][0] - returns counters for all interfaces for thread 0
stat['/if/rx'][0][1] - returns counter for interface 1 on thread 0
stat['/if/rx'][0][1]['packets'] - returns the packet counter
for interface 1 on thread 0
stat['/if/rx'][:, 1] - returns the counters for interface 1 on all threads
stat['/if/rx'][:, 1].packets() - returns the packet counters for
interface 1 on all threads
stat['/if/rx'][:, 1].sum_packets() - returns the sum of packet counters for
interface 1 on all threads
stat['/if/rx-miss'][:, 1].sum() - returns the sum of packet counters for
interface 1 on all threads for simple counters
Type: refactor
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I1fe7f7c7d11378d06be8276db5e1900ecdb8f515
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Change-Id: Ia304488900bd9236ab4e7cc6f17ae029ee6f2c00
Type: fix
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
Change-Id: I20e48a5ac8068eccb8d998346d35227c4802bb68
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
Type: feature
|
|
Type: feature
This feautre only applies to ESP not AH SAs.
As well as the gobal switch for ayncs mode, allow individual SAs to be
async.
If global async is on, all SAs are async. If global async mode is off,
then if then an SA can be individually set to async. This preserves the
global switch behaviour.
the stratergy in the esp encrypt.decrypt nodes is to separate the frame
into, 1) sync buffers, 2) async buffers and 3) no-op buffers.
Sync buffer will undergo a cyrpto/ath operation, no-op will not, they
are dropped or handed-off.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ifc15b10b870b19413ad030ce7f92ed56275d6791
|
|
Type: improvement
In the current scheme an async frame is submitted each time the crypto
op changes. thus happens each time a different SA is used and thus
potentially many times per-node. thi can lead to the submision of many
partially filled frames.
change the scheme to construct as many full frames as possible in the
node and submit them all at the end. the frame owner ship is passed to
the user so that there can be more than one open frame per-op at any
given time.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ic2305581d7b5aa26133f52115e0cd28ba956ed55
|
|
Type: refactor
this allows the ipsec_sa_get funtion to be moved from ipsec.h to
ipsec_sa.h where it belongs.
Also use ipsec_sa_get throughout the code base.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I2dce726c4f7052b5507dd8dcfead0ed5604357df
|
|
Type: test
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iabc8f2b09ee10a82aacebd36acfe8648cf69b7d7
|
|
Type: refactor
- remove the extern declaration of the nodes. keep the use of them to
the files that declare them
- remove duplicate declaration of ipsec_set_async_mode
- remove unsued ipsec_add_feature
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6ce7bb4517b508a8f02b11f3bc819e1c5d539c02
|
|
Make the ipsec[46]-tun-input nodes siblings of device-input so that
input features can be enabled on them. Register ipsec-tun for feature
updates. When a feature is enabled on the device-input arc and the
ifindex is an IPSec tunnel, change the end node of the arc for that
ifindex to be the appropriate ESP decrypt node. Set a flag on the
tunnel to indicate that the feature arc should be started for packets
input on the tunnel.
Test input policing on ESP IPSec tunnels.
Type: improvement
Signed-off-by: Brian Russell <brian@graphiant.com>
Change-Id: I3b9f047e5e737f3ea4c58fc82cd3c15700b6f9f7
|
|
Type: refactor
This patch refactors the offload flags in vlib_buffer_t.
There are two main reasons behind this refactoring.
First, offload flags are insufficient to represent outer
and inner headers offloads. Second, room for these flags
in first cacheline of vlib_buffer_t is also limited.
This patch introduces a generic offload flag in first
cacheline. And detailed offload flags in 2nd cacheline
of the structure for performance optimization.
Change-Id: Icc363a142fb9208ec7113ab5bbfc8230181f6004
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: improvement
negates the need to load the SA in the handoff node.
don't prefetch the packet data, it's not needed.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I340472dc437f050cc1c3c11dfeb47ab09c609624
|
|
support
Type: feature
attmpet 2. this includes changes in ah_encrypt that don't use
uninitialised memory when doing tunnel mode fixups.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
|
|
This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f.
Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged.
Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
support
Type: feature
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
|
|
Type: fix
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I2325d311a6fd7343c7041dc516777f4db0029823
|
|
Type: feature
The added functionality is to support copying TTL and flow label from
inner to outer. The .api was extened to support expressing this and also
adding a common tunnel endpoint type. i find it best to make API changes
in one patch so there are less versions of the API.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I755c1e3f4c475058792af39c1abeda92129efb76
|
|
Change-Id: I59f55db7209549ad43a1205470a2f5ea9ea8a1c7
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
Type: feature
|
|
Type: feature
Change-Id: I9f7742cb12ce30592b0b022c314b71c81fa7223a
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: improvement
AN SA is uni-drectional therefore it can be used only for encrypt or
decrypt, not both. So it only needs one thread ID. free up some space on
the 1st cacheline.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I21cb7cff70a763cbe2bffead860b574bc80b3136
|
|
Type: fix
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ib08fe356e4dc710dd60a96736c48b27129f06786
|
|
Type: fix
this means we 1) don't decrement TTL and (for v6) can fragment.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I0f718da7dcaba834ad495ae9242a9a58c9e7c184
|
|
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I89dc3815eabfee135cd5b3c910dea5e2e2ef1333
|
|
Type: fix
it's been 2 releases since it was marked deprecated.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I0eba7ed607826ed0d00e7d2d8f9b27d09e8e9a6e
|
|
Type: fix
I should have done this wehn i marked the request as deprecated. The
reply also needs to be marked deprecated so the API compliance script
can remove it along with the request.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I8391257944b6cff7b32a01a479dd1dcab30cd33b
|
|
Type: fix
Signed-off-by: yedonggang <yedg@wangsu.com>
Change-Id: Icc3681b591e6deb93c3ff1fda5f9471fa3c96cc6
|
|
Type: fix
This change makes esp_move_icv() update pd->current_length if the first
buffer's length is updated.
In case that ICV is split over two buffers, esp_move_icv() copies ICV
to last buffer, it also updates the before_last buffer's current_length.
However, in esp_decrypt_post_crypto(), pd->current_lenght is used to update
first buffer lenght, but pd is not updated in esp_move_icv()
and the total pkt lenght ends up incorrect.
This only happens in tunnel mode when ICV is split between 1st and 2nd buffers.
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Change-Id: Ic39d87454ec0d022c050775acb64c5c25ccf7f13
|