Date: Wed, 6 Nov 2019 23:32:55 -0800 From: John-Mark Gurney <jmg@funkthat.com> To: Lawrence Stewart <lstewart@freebsd.org> Cc: Eugene Grosbein <eugen@grosbein.net>, Olivier =?iso-8859-1?Q?Cochard-Labb=E9?= <olivier@freebsd.org>, freebsd-net@freebsd.org, Kurt Jaeger <pi@freebsd.org> Subject: Re: 10g IPsec ? Message-ID: <20191107073255.GU8521@funkthat.com> In-Reply-To: <d2b64075-b9fe-b13d-760e-70cf0e074ea6@freebsd.org> References: <20191104194637.GA71627@home.opsec.eu> <20191105191514.GG8521@funkthat.com> <CA%2Bq%2BTcogf6uiCX=LiENB=hpz3V-hJtKY-4m_2YYbxbuy9bFVww@mail.gmail.com> <f4051158-b80c-3c54-10c8-f1b01c401f0d@freebsd.org> <261b842d-51eb-4522-6ef5-0672e5d1594e@grosbein.net> <d2b64075-b9fe-b13d-760e-70cf0e074ea6@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Lawrence Stewart wrote this message on Thu, Nov 07, 2019 at 13:04 +1100:
> On 7/11/19 12:52 pm, Eugene Grosbein wrote:
> > 07.11.2019 8:36, Lawrence Stewart wrote:
> >
> >>>> AES-GCM can run at over 1GB/sec on a single core, so as long as the
> >>>> traffic can be processed by multiple threads (via multiple queues
> >>>> for example), it should be doable.
> >>>>
> >>>>
> >>> I didn't bench this setup (10Gb/s IPSec) but I believe we will have the
> >>> same problem with IPSec as with all VPN setups (like PPPoE or GRE): the
> >>> IPSec tunnel will generate one IP flow preventing load sharing between all
> >>> the NIC's RSS queues.
> >>> I'm not aware of improvement to remove this limitation.
> >>
> >> I never understood why the IPsec SPI couldn't be used to shard
> >> traffic... does anyone know if there is a technical reason why doing so
> >> would be problematic?
> >
> > Generic way do distribute load over CPUs is distinct hardware receive queues of NIC
> > using distinct interrupts to deliver packets to the host while interrupts are bound
> > to distinct CPU cores. It needs hardware capable of splitting packet stream by IPsec SPI
> > and I'm aware of only some 40Gpbs Intel NICs that can be programmed to do so.
>
> Right, a "consumers need to ask for it" issue more so than an inherently
> problematic approach. I assumed as much but wasn't sure.
Don't we have the option of doing soft re-classification? Where we
recalculate the hash, and then do a netisr defer? I mean that'd burn
a bunch of extra cpu cycles, but you gotta do what you gotta do.
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20191107073255.GU8521>