Re: [IPsec] Discussion of draft-pwouters-ipsecme-multi-sa-performance
Steffen Klassert <steffen.klassert@secunet.com> Fri, 21 October 2022 07:37 UTC
Return-Path: <Steffen.Klassert@secunet.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BBC8C1522B4 for <ipsec@ietfa.amsl.com>; Fri, 21 Oct 2022 00:37:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eYViNREaPeqq for <ipsec@ietfa.amsl.com>; Fri, 21 Oct 2022 00:37:20 -0700 (PDT)
Received: from a.mx.secunet.com (a.mx.secunet.com [62.96.220.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C49EC14F74F for <ipsec@ietf.org>; Fri, 21 Oct 2022 00:37:18 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id B5D6220547; Fri, 21 Oct 2022 09:37:15 +0200 (CEST)
X-Virus-Scanned: by secunet
Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vjrPOXiArqsU; Fri, 21 Oct 2022 09:37:15 +0200 (CEST)
Received: from mailout1.secunet.com (mailout1.secunet.com [62.96.220.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id 3041F20527; Fri, 21 Oct 2022 09:37:15 +0200 (CEST)
Received: from cas-essen-01.secunet.de (unknown [10.53.40.201]) by mailout1.secunet.com (Postfix) with ESMTP id 2A03C80004A; Fri, 21 Oct 2022 09:37:15 +0200 (CEST)
Received: from mbx-essen-01.secunet.de (10.53.40.197) by cas-essen-01.secunet.de (10.53.40.201) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Fri, 21 Oct 2022 09:37:14 +0200
Received: from gauss2.secunet.de (10.182.7.193) by mbx-essen-01.secunet.de (10.53.40.197) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Fri, 21 Oct 2022 09:37:14 +0200
Received: by gauss2.secunet.de (Postfix, from userid 1000) id 357823182AD5; Fri, 21 Oct 2022 09:37:14 +0200 (CEST)
Date: Fri, 21 Oct 2022 09:37:14 +0200
From: Steffen Klassert <steffen.klassert@secunet.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
CC: 'Michael Richardson' <mcr+ietf@sandelman.ca>, 'IPsecME WG' <ipsec@ietf.org>
Message-ID: <20221021073714.GP3294086@gauss3.secunet.de>
References: <15eb01d8dd7e$fdf158e0$f9d40aa0$@gmail.com> <10861.1665504183@localhost> <161701d8dd8c$8d042a50$a70c7ef0$@gmail.com> <20221014101504.GI2602992@gauss3.secunet.de> <03c901d8e232$3850ef20$a8f2cd60$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <03c901d8e232$3850ef20$a8f2cd60$@gmail.com>
X-ClientProxiedBy: cas-essen-01.secunet.de (10.53.40.201) To mbx-essen-01.secunet.de (10.53.40.197)
X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/rzTQKnLixSCmGvDGJNEhMtGFCiE>
Subject: Re: [IPsec] Discussion of draft-pwouters-ipsecme-multi-sa-performance
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2022 07:37:26 -0000
Hi Valery, On Mon, Oct 17, 2022 at 05:10:32PM +0300, Valery Smyslov wrote: > > > > > > > I could guess that the fallback SA *does* require locks. > > > > > > It also seems to me. So I see no difference if the packet > > > can be re-steered to a different CPU, in any case we'll have > > > performance penalty. > > > > The fallback SA needs locking, as it can be used from any cpu. > > But with the current approch, this is the only one that needs > > locking. > > Then my next question is - how the sending side decides > whether to one of use per-CPU SAs or the fallback SA? > My guess that the packet is handled by some kernel thread > (i.e. by some CPU), so once this CPU figures out that > it doesn't have an SA - I assume it uses the fallback SA then. > Is it right? Right. > If so, then why it cannot hand over the packet > to the CPU that for sure has the needed SA (this CPU can > be indicated in the stub SA entry)? Moving in flight packets to a different cpu is always a pain. >From an implementation point of view, that should be avoided whenever possible. Aside from the overhead it creates, we also have to care about corener cases. For example, how do you make sure that the SA on this remote cpu is still there when the packet arrives on it? Also, where would that stub SA entry be located, in a percpu or in a global SAD? If it is an a percpu SAD, then remote cpus must update all stub SA entries when a percpu SA comes up or goes down. So we would need to lock the percpu SADs. If it is in a global SAD, then why not just negotiate keymat and use it (as a fallback)? Instead of having a stub SA entry, I could think of encoding the information which cpu has a valid SA to the policy. The policy is global anyway. But then we still need to re-steer the packets, what I really dislike. Is it just that you don't like that the fallback SA MUST (or maybe SHOULD) be always up, or is it that you don't want to negotiate this additional SA at all? Another possibility would be to use the same keymat on all percpu SAs, as it was proposed at the discussion we had at our 'IPsec coffee hour' last time. In that case you have a valid SA on all cpus with a single negotiation. But hat would require a change to ESP what this proposal don't need. > In both cases some > locking is required - does the latter case require much more locking? The percpu SAs don't need locking as long as you can make sure that it is never ever accessed by a remote cpu. To guarantee this, something that does the 'dirt work' is needed. In our case that would be the fallback SA. Steffen
- [IPsec] Discussion of draft-pwouters-ipsecme-mult… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Michael Richardson
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Steffen Klassert
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Steffen Klassert
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Michael Richardson
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Steffen Klassert
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Steffen Klassert
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Tero Kivinen
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Ponchon (pponchon)
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Guillaume Solignac (gsoligna)
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Tero Kivinen
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Tero Kivinen
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters