IETF Logo Mail Archive

Re: [IPsec] Discussion of draft-pwouters-ipsecme-multi-sa-performance

Valery Smyslov <smyslov.ietf@gmail.com> Fri, 28 October 2022 06:15 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A419C14CF1E for <ipsec@ietfa.amsl.com>; Thu, 27 Oct 2022 23:15:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CnATAVjUQsu4 for <ipsec@ietfa.amsl.com>; Thu, 27 Oct 2022 23:15:20 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B079C14CE2D for <ipsec@ietf.org>; Thu, 27 Oct 2022 23:15:20 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id r14so6694757lfm.2 for <ipsec@ietf.org>; Thu, 27 Oct 2022 23:15:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=iByZXZd7PRCYJx0rzPzsZzo3JWcLnOHp3PTtndc0c90=; b=GuUEGFZduUKp6/wyu8G8MERB5pZFKqhQVOIn56OGfrOad946iBS7XSbErMw0IBNvt7 VyT8d9qxXbceUmz2Mgo3KpXXHngdJWV5kftoawaXBlS0sF6MiqJWP8P5RE6tlemleRNk AHXEsJLDgQQDp+8Q7bsqNnKcXCmkKQd62K3WCSax47uIkcgMf3kCvqBLdSvdESnKO1jd qpoNSpoVpF6P8wDNSyApHhPnywnhDVd5Cq7obdcN42aYvYCOUSRWdSP9JGmjq8eNbAos 0PSfGtBHgA//ueqKk70YqL15N3h4o4mxdDMt5S7clTcivQRfOO1X2lRvuW0VZW8T3gTR u0Iw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=iByZXZd7PRCYJx0rzPzsZzo3JWcLnOHp3PTtndc0c90=; b=ZOIUiEHyUEFou3Rp7xHRPMQnnFWuQKl+ozdc+eZ02v6F2ZGkdP+/dzJy3/QXDa9mo6 JXyhyXukLGhdAdyChjyq25CpNjeP473IbutuJOH01uH2lf8twWWMvwp3n8B92/MAztwp kahkEe1x501dpxSvWQGkJ0VdUrUMaAgAQWVGe8Y9ne0y1624u2JWvpKV49fy3AfZ/z5e H1DUNB83SoR0mbzQF7IHld67oSCFaQXNrFh1bf9eUMHZ+fbc/7cyTZwvqlaR0DWAl3Xq uxDl+oS5AKAIG7TmHtIGCppHY7fOEtdnR9zWKDbFQj8ugzSY/xibc4UiQg28VRihwjph kuyA==
X-Gm-Message-State: ACrzQf0aWUobcScDHIsBiSAR6zcPmkYm76Cf2XVwCkQZ+9QXe7xS7KxL X6G1YUScWDxARa86eg1Xu3KOUgQeCn0=
X-Google-Smtp-Source: AMsMyM5YrHbKenrBWQoSOAQWczPP78a1W6Fmk+I4aRDnxfsH66Dntn2qgMLwzF6JWRecG6XPUPzP7g==
X-Received: by 2002:a05:6512:12c5:b0:4a2:6c32:5c5e with SMTP id p5-20020a05651212c500b004a26c325c5emr18683148lfg.464.1666937717671; Thu, 27 Oct 2022 23:15:17 -0700 (PDT)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id o5-20020a198c05000000b004a05c425cb7sm434953lfd.184.2022.10.27.23.15.16 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 27 Oct 2022 23:15:16 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Tero Kivinen' <kivinen@iki.fi>, 'Paul Wouters' <paul@nohats.ca>
Cc: 'Steffen Klassert' <steffen.klassert@secunet.com>, 'Michael Richardson' <mcr+ietf@sandelman.ca>, 'IPsecME WG' <ipsec@ietf.org>
References: <20221021073714.GP3294086@gauss3.secunet.de> <F84D65B2-9A68-420D-BC55-2A6BD2542246@nohats.ca> <25433.44569.44812.537584@fireball.acr.fi>
In-Reply-To: <25433.44569.44812.537584@fireball.acr.fi>
Date: Fri, 28 Oct 2022 09:15:18 +0300
Message-ID: <0f1f01d8ea94$a7aecda0$f70c68e0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLVvgOgavp9C7z+m4rVxUb5wgPy1QICEc6XAYCQ4PSsDKF5kA==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/2FWUu9j5RA1zg2aytHoBLtW1aHM>
Subject: Re: [IPsec] Discussion of draft-pwouters-ipsecme-multi-sa-performance
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2022 06:15:25 -0000

HI Tero,

> In your discussion you were talking about cases where one device has
> hundreds of cpus and other have few. Only case where such
> configurations would be useful when other has lots of really low
> powered cpus and other one has few very fast ones. My understanding is
> that this is not really happening. Usually the one that has more cpus
> has cpus which are about the same speed then the one having fewer
> cpus.
>
> There is no point of one having for example 10 fast cpus sending
> traffic over 10 Child SA, when the receiving end only has two cpus
> which are about same than the other ends cpus. The receiving end will
> not be able to keep up with the traffic it is getting in, thus it will
> drop packets as it can't decrypt them fast enough.

I'm not so sure. Consider the situation when one host a single HSMs
which is optimized for high-performance crypto operations,
while the other is a general purpose server with several tens of CPUs.
In this situation the HSM beats any CPU in performance, so if the 
HSM can handle several SAs, it's beneficial to create as many SAs as 
it can handle and distribute those SAs over CPUs on the other peer.

> Talking about locking and such thing is bit distracting, as you can do
> lots of things without locking depending on the datastructures and who
> writes them and so on. This goes so low level that I am not sure it is
> that beneficial to talk about them here. 

Agree.

> Also I think it is just better to create all Child SAs at the
> beginning, i.e., no point of doing that much per CPU aquiring etc. I
> mean you have some way of distributing packets going out to CPUs
> before that and if that is round robin then you will create all per
> CPU SAs very quickly, and if that is something else (like this TCP
> stream is locked to this CPU), then you mostly keep using only that
> one CPU (in which case per cpu aquire will be useful), but all of
> these depends so much on the implementation we are not talking about
> here that I think that should be left to implementations to decide.
> 
> If we use per cpu aquiring things then other end might need to create
> Child SAs too, just in case if the one inititing the connection only
> sent out one packet and create one SA, and then the other end would
> like to have 8 SAs for its 8 cpus, but only one was created, so would
> it now create 7 missing one, or wait for the other end to create them
> etc.

I think it's OK if it the other side creates the missing 7 SAs.

Regards,
Valery.

> --
> kivinen@iki.fi

v2.23.0 | Report a Bug | By Email