IETF Logo Mail Archive

Re: [IPsec] Discussion of draft-pwouters-ipsecme-multi-sa-performance

Tero Kivinen <kivinen@iki.fi> Fri, 28 October 2022 14:22 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4708CC14CF08 for <ipsec@ietfa.amsl.com>; Fri, 28 Oct 2022 07:22:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.81
X-Spam-Level:
X-Spam-Status: No, score=-2.81 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2REEvZx80OWn for <ipsec@ietfa.amsl.com>; Fri, 28 Oct 2022 07:22:35 -0700 (PDT)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [IPv6:2a0b:5c81:1c1::37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C1E0C14CF0B for <ipsec@ietf.org>; Fri, 28 Oct 2022 07:22:34 -0700 (PDT)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id AA7BE1B001A3; Fri, 28 Oct 2022 17:22:29 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1666966949; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=kLjzs3gUJJcGvz6nCd1im8IkCpL4ckCDNL//v3C4lbk=; b=N6A3iqomto5db6SMZI72ry+8h2lbqach42s0VrYG7uk/adY7005VceXAtDEu8tfQS2FED7 Q0UVXWl61x8L9XQCtlm8marlvxfDOYCG8zR2PMaVNM1BPErZwU8ViTVTW9ll9v9TDnWw7N qXU4ATy0BL0oWthA8Y20Dal46do6KNQvK5B9jeo8IpjoGeCyZG22D2Kf8sorL5yZPmaISP amzHpsnx67BtuD1t5VBzMSmfipFJs0BkpHQocNUZLfJlZmtOJzrUm5fNqhIuwd4BK6WHSi Sl3mciqqCpRlDdXUFnldPt9TmblKauhvBFNdlVhs4uyHQ9c+aguH1UcNhXlVBQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1666966949; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=kLjzs3gUJJcGvz6nCd1im8IkCpL4ckCDNL//v3C4lbk=; b=Yv8nhsAd9u4ii7/AZZbU/47GicCfvPSsSnEyE+jpScgd/3vWMKZVzc37YVKmMcN7eJ9Pe2 gEZLrIUCo4c4eEpRFX0G1U3CuqNTHdX72TqLpa/lbFQfonMs41GAaT6LhD3yPsxtol8icr 0M8PpzBfzEekalOeNQgx40bTvUtt8kW8f1KG/QS4NztyYaqXb2uBUKmbhVz1e+uCzRhLA+ gmnfsg27QmG8xLXNyJhhbvpa10PfWlx5OHEgF+nKbxQtVTVAulEtPfEzmJRvUxGm8zO8Y2 Ee7nt0PTCgBAQtwm4s2kevkWd20jEkpCMpfYmzywu0kD0nGnFXrYCATg8p/vOw==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1666966949; a=rsa-sha256; cv=none; b=JqC+l80PLILVT3Ms9S5mKadCh/EZKyGJ0MJdBZg84ePgcNN8dEfzkxkLcDVXIFLK2xeiJQ 6p++jGMaT1qjBaYKpwozqbFBrxN3dnEcz7Hfqy/WmWnEsc2CWROyeQhMXrSPWIsp5M1gOe p11/17SGwdxM5qbWpnSaUuwkaIFaYLwmoI5y5KBBToctxEI9wSDOZf1RQRoiP4F/YSG2Br hOZxRWlirfMQ0+Yft7UK6izEypNJNFfu3O5DEX8jRhLyePV2ij6LpdQ2k9Zt/TtCNnS+hP xi2ndIEElDyz1VTIVneFUFBCGyntCHIfdVuZ/m8NgLhiPdESzcK28GkwODMD0Q==
Received: by fireball.acr.fi (Postfix, from userid 15204) id 3A2B025C12F3; Fri, 28 Oct 2022 17:22:29 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <25435.58789.173613.113922@fireball.acr.fi>
Date: Fri, 28 Oct 2022 17:22:29 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: 'Paul Wouters' <paul@nohats.ca>, 'Steffen Klassert' <steffen.klassert@secunet.com>, 'Michael Richardson' <mcr+ietf@sandelman.ca>, 'IPsecME WG' <ipsec@ietf.org>
In-Reply-To: <0f1f01d8ea94$a7aecda0$f70c68e0$@gmail.com>
References: <20221021073714.GP3294086@gauss3.secunet.de> <F84D65B2-9A68-420D-BC55-2A6BD2542246@nohats.ca> <25433.44569.44812.537584@fireball.acr.fi> <0f1f01d8ea94$a7aecda0$f70c68e0$@gmail.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 6 min
X-Total-Time: 6 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/P73O4FoGp3eo6UwtokBwXfM18YI>
Subject: Re: [IPsec] Discussion of draft-pwouters-ipsecme-multi-sa-performance
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2022 14:22:40 -0000

Valery Smyslov writes:
> > There is no point of one having for example 10 fast cpus sending
> > traffic over 10 Child SA, when the receiving end only has two cpus
> > which are about same than the other ends cpus. The receiving end will
> > not be able to keep up with the traffic it is getting in, thus it will
> > drop packets as it can't decrypt them fast enough.
> 
> I'm not so sure. Consider the situation when one host a single HSMs
> which is optimized for high-performance crypto operations,
> while the other is a general purpose server with several tens of CPUs.
> In this situation the HSM beats any CPU in performance, so if the 
> HSM can handle several SAs, it's beneficial to create as many SAs as 
> it can handle and distribute those SAs over CPUs on the other peer.

Whether HSM is faster than CPU depends on so many matters, and I have
seen so many cases where when new CPU architecture came out, then it
was again faster to do crypto on the CPU than offload it to HSM as the
interaction between the CPU and HSM was too slow. And then HSM was
upgraded and it was again faster etc.

I think they were always within order of magnitude of each other,
i.e., HSM was maximally only 10 times faster than CPU. There usually
was no need to do them faster than that as the line speeds used
limited the speeds needed anyways.

But my experience of them is more than 10 years old, so this might
have changed lately.

Question is how many CPUs do you need to saturate 100 Gbit/s network
link compared to how many HSM CPUs you need? is there more than 10
times bigger number between them.

Do you have any real world values for those? I.e., how fast can one
modern cpu do crypto (just plain crypto, no ipsec etc), and how fast
can some modern crypto hardware do the same?
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email