DPDK Cryptodev
DPDK CryptodevDeepak Kumar JainTechnical Project Manager, Intel
LEGAL DISCLAIMER No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and noninfringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.This document contains information on products, services and/or processes in development. All information provided here is subject to change without notice. Contact yourIntel representative to obtain the latest forecast, schedule, specifications and roadmaps.The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errataare available on request.Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by mIntel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.*Other names and brands may be claimed as the property of others.Copyright 2017, Intel Corporation. All rights reserved.Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. Theseoptimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of anyoptimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certainoptimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for moreinformation regarding the specific instruction sets covered by this notice. Notice Revision #20110804Mileage may vary Disclaimer: Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, orconfiguration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For morecomplete information about performance and benchmark results, visit www.intel.com/benchmarks Test and System Configurations: Estimates arebased on internal Intel analysis using at least Data Plane Development Kit IpSec sample application on Intel(R) Xeon(R) CPU E5-2658 v4@ 2.30GHz withatleast using Intel(R) Communications Chipset(s) 8955 with Intel(R) QuickAssist Technology.
Agenda DPDK CRYPTODEV INTRODUCTION FEATURES SUPPORTED ALGORITHMS CRYPTODEV PACKET PROCESSINGFLOW EFFORTLESS MIGRATION SCHEDULER PMD VPP DPDK CRYPTODEV FRAMEWORK PERFORMANCE FUTURE WORKS SUMMARY
Agenda DPDK CRYPTODEV INTRODUCTION FEATURES SUPPORTED ALGORITHMS CRYPTODEV PACKET PROCESSINGFLOW EFFORTLESS MIGRATION SCHEDULER PMD VPP DPDK CRYPTODEV FRAMEWORK PERFORMANCE FUTURE WORKS SUMMARY
DPDK CRYPTODEV INTRODUCTIONUser Application Crypto framework for processingsymmetric crypto workloads inDPDK.DPDK CRYPTODEV API COMPONENTS DPDK Cryptodev consists of: Crypto Poll Mode Drivers for hardwareaccelerated lookaside (Intel QuickAssistTechnology) and software based cryptoprimitivesA standard API supports all PMDs Allowing effortless migration of workbetween hardware and software,even between physical to mentDeviceCapabilitiesSymmetric AlgorithmsDefinitionsSymmetric SessionManagementQueue gOperation GPMDIntel performance librariesZUCPMDOPENSSLPMDSCHEDULER PMDARMV8PMDlibsso.a* QAT Intel(R) QuickAssist Technology5** AESNI-MB and AESNI-GCM PMDs
Cryptodev PMDsQATPMD for hardwareaccelerationAESNI MBSNOW 3GAESNI GCMKASUMIARMv8ZUCPMDs for optimizedsoftware accelerationlibrariesPMDs for optimizedsoftware accelerationlibraries for wirelessalgorithmsFuture work includes: Extending the API to support asymmetric crypto. More advanced Scheduler capabilities.OpenSSLSchedulerNULLPMD for nonoptimized softwareimplementationPMD to distributepackets acrossmultiple acceleratorsPMD for test purposes66
Agenda DPDK CRYPTODEV INTRODUCTION FEATURES SUPPORTED ALGORITHMS CRYPTODEV PACKET PROCESSINGFLOW EFFORTLESS MIGRATION SCHEDULER PMD VPP DPDK CRYPTODEV FRAMEWORK PERFORMANCE FUTURE WORKS SUMMARY
SUPPORTED ALGORITHMS IN CRYPTODEVCipher Algorithms AES CBC/CTR 128/192/256bit Snow3G (UEA2) KASUMI F8, ZUC EEA3 AES CFBHash Algorithms MD5 HMAC* SHA1/224*/256/384*/512, AES XCBC, Snow3G UIA2, KASUMI F9, ZUC EIA3, NULLAEAD Algorithms AES GCM 128/192**/256 bit* QAT Intel(R) QuickAssist Technology8** AESNI-MB and AESNI-GCM PMDs
CRYPTODEV PACKET PROCESSINGFLOWDPDK ApplicationApplication CodePlaintext packet flow(encryption)DPDK APIETHDEV APII40E PMDCRYPTODEV APII40E PMDSW CryptoPMDQAT PMDEncrypted packet flow(encryption)HW/SW BoundaryPFNICVFPFVFIntel QuickAssistTechnology Accelerator* QAT Intel(R) QuickAssist Technology** AESNI-MB and AESNI-GCM PMDs9
Effortless Migration (HW & SW) ./l2fwd-crypto -l 11 -n 4 --socket-mem 0,2048 -w 88:01.0 -w 88:01.1 -w 84:00.0 -- -p 0x1 --chainCIPHER HASH --cipher op ENCRYPT --cipher algo AES CBC --cipher key00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth op GENERATE --auth algo SHA1 HMAC -auth key :21:22:23 ./l2fwd-crypto -l 11 -n 4 --socket-mem 0,2048 -w 88:01.0 -w 88:01.1 --vdev "crypto aesni mb" -- -p0x1 --chain CIPHER HASH --cipher op ENCRYPT --cipher algo AES CBC --cipher key00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth op GENERATE --auth algo SHA1 HMAC -auth key :21:22:23Same application can be used on both SW PMD and QAT PMD,simply address the device in the EAL commandline option10
Scheduler PMD Distributing crypto ops to multiple cryptoPMDs (slaves) Supports multiple distribution modes:User Application Round-robin mode to balance workloadacross multiple slaves. (DPDK 17.02) Packet Size based mode (DPDK 17.05 RC1) More modes are planned for future releases Provides API to manage slaves, setmodes, and enable/disable ordering Provided API for user to use his owncrafted modeCryptodev SchedulerCrypto Op Distribution MechanismCrypto Op OrderingCryptodevCryptodevCryptodev11
Agenda DPDK CRYPTODEV INTRODUCTIONFEATURES– SUPPORTED ALGORITHMS– CRYPTODEV PACKET PROCESSING FLOW– EFFORTLESS MIGRATION– SCHEDULER PMDVPP DPDK CRYPTODEV FRAMEWORKPERFORMANCEFUTURE WORKSUMMARY12
FD.io/VPP Open-source Linux FoundationProject. Highly performant data planeplatform. VPP is a packet processing engineusing DPDK as the network I/O. Run-to-completion mode of VPP13
FD.io/VPP DPDK CRYPTODEVFRAMEWORK FD.io/VPP supports IPv4/IPv6 IPsec ESP,tunnel/transport mode, and SAmanagement. It has DPDK EthDev integrated, but didn'thave DPDK Cryptodev enabled. We integrated DPDK CryptodevFramework into VPP, to accelerate VPPIPsec with Intel Performance Libraryand/or Intel QuickAssist Technology.14
ENABLE DPDK CRYPTODEVIN VPP IPSEC Replace VPP esp-encrypt and espdecrypt nodes with dpdk-esp-encryptand dpdk-esp-decrypt Added 3 nodes: dpdk-crypto-input: polling inputnode, dequeuing from cryptoPMDs dpdk-esp-encrypt-post and dpdkesp-decrypt-post: encapsulate tovalid packet vectors fromdequeued packets15
VPP CONFIGURATION FOR DPDKCRYPTODEV Environmental option: vpp use dpdk cryptodev yes No special IPsec configuration is required Allocate crypto resources on best effort approach: hardware first,then software. If there is not enough crypto resource for everyworker, drop all packets. User only needs to provide Cryptodevs in startup.conf file.16
Agenda DPDK CRYPTODEV INTRODUCTIONFEATURES– SUPPORTED ALGORITHMS– DPDK CRYPTODEV WORKFLOW– EFFORTLESS MIGRATION– SCHEDULER PMDVPP DPDK CRYPTODEV FRAMEWORKPERFORMANCEFUTURE WORKSUMMARY17
Performance from DPDK IPSecsample 64128256512768102412801420Packet Size (Bytes)AESNIQAT*QAT Intel(R) QuickAssist Technology§ Mileage may vary Disclaimer: Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. Formore complete information about performance and benchmark results, visit www.intel.com/benchmarksTest and System Configurations: Estimates are based on internal Intel analysis using at least Data Plane Development Kit IPSec sample application on Intel(R) Xeon(R) CPU E5-2658 v4@ 2.30GHz with atleast using Intel(R) Communications Chipset(s) 8955 with Intel(R) QuickAssist Technology.18
Agenda DPDK CRYPTODEV INTRODUCTIONFEATURES– SUPPORTED ALGORITHMS– DPDK CRYPTODEV WORKFLOW– EFFORTLESS MIGRATION– SCHEDULER PMDPERFORMANCEFUTURE WORKSUMMARY19
PLANNED FEATURES IN FUTURERELEASESPerformanceQAT* PMDoptimizationsSW PMDoptimizationsRefactoring & CleanupAlgorithmsupportQAT* PMDDESZUCAES-CFB64/ECBSW PMDDESAES-CFB64/ECBSchedulerPacket-size basedscheduling modeVPP IPsecintegrationPerformanceOptimizationEnable DPDKcryptodev in VPPIKEv2Multi-corescheduling modeEnable DPDKCryptodevscheduler PMD*QAT Intel(R) QuickAssistTechnology20
Summary Cryptodev currently provides support for symmetric algorithms. Provides both Software(SW) and Hardware (Intel QuickAssist Technology)implementations. Healthy pipeline of features planned for future release. HW provides provides major boost in performance over SW implementation.21
QUESTIONS?Deepak Kumar Jaindeepak.k.jain@intel.com22
BACKUP23
VPP IPsec with DPDK Cryptodev:How it works Assign available Cryptodev resourcesto each workerQAT 1Worker 1QAT 2Worker 224
VPP IPsec with DPDK Cryptodev:How it works Assign available Cryptodev resourcesto each worker When adding an SA, create sessionsfor each worker/crypto resourcebased on the specified algorithmsand store them along with queuepair info with same index of SA.QAT 1Worker 1QAT 2Worker 2SACipherAuthenticationDirectionQueue pair info& session25
VPP IPsec with DPDK Cryptodev:How it works Assign available Cryptodev resources toevery worker. When adding an SA, create sessions foreach worker/crypto resource based onthe specified algorithms and store themalong with queue pair info with sameindex of SA. For each packet, retrieve SA, and henceget session for this worker.Packet Vector.SAWorker X26
VPP IPsec with DPDK Cryptodev:How it works Create crypto op for each packet, attachkey, pass data and digest pointer, etc. Attach session to each crypto op Enqueue the burst of crypto ops to thedestination crypto device / queuePacket Vector.Crypto opQAT XPaddingkeyWorker Xivdata27
VPP IPsec with DPDK Cryptodev:How it works Dequeue the burst of processed cryptoops from the same device/queue indpdk-crypto-input nodedpdk-cryptoinput .The asynchronous enqueue/dequeue action helps amortize thecost of crypto operations over multiple packets and also greatlymaximize the performance when offloading to hardware lookaside.28
VPP IPsec with DPDK Cryptodev:How it works Dequeue the burst of processed cryptoops from the same device/queue indpdk-crypto-input node Encapsulate the crypto ops to a validIPsec packet vector in dpdkencrypt/decrypt-post node, and pass tonext graph node.dpdk-cryptoinput.dpdk-espencrypt-postPacket Vector.29
DPDK CRYPTODEV API COMPONENTS Symmetric Session Management Operation Processing Enqueue/Dequeue Device Capabilities Operation Provisioning Device Statistics Symmetric Algorithms Definitions Device Management Queue Pair Management User Application. QAT* PMD. QAT* Hardware. AESNI** ZUC PMDs. KASUMI PMD. SNOW3G PMD. OPENSSL PMD.
DPDK Cryptodev Framework Crypto framework for processing symmetric crypto workloads in DPDK. DPDK Cryptodev consists of: SW and HW Crypto PMDs A standard API supports all PMDs Multi-queues for multi-thread sharing Effortless migration (SW -HW, PHY-VIRT) Asynchronous enqueue/dequeue. User Application DPDK Cryptodev API Device Management Device .
DPDK Summit North America 2018 - Dec 3-4, 2018, San Jose, CA DPDK Integration [1/2] nDPI is packet-capture neutral (DPDK, PF_RING, netmap, pcap ) Inside nDPI/example there is an application named ndpiReader that demonstrates how to use the nDPI API when reading from pcap files and DPDK.!17 cd nDPI/example make -f Makefile.dpdk
Register driver configuration structure with DPDK EAL using the existing RTE_PMD_REGISTER_PCI macro. Physical devices are identified by PCI ID during the EAL PCI scan and allocated a unique device identifier. Device initiation is also along the same principles as DPDK cryptodev and ethdev. Devices are first configured
Cryptodev Roadmap 2.2 16.04 16.07 16.11 17.02 Future? Cryptodev API introduced. PMD for Intel QuickAssist Technology. PMD for Intel AES-NI Multi-Buffer software lib. Added Intel AES-NI GCM PMD Support for SNOW 3G algorithm. Discovery mechanism. NULL PMD. SNOW 3G software PMD support for bit-level operations.
Overview Framework for processing symmetric crypto workloads in DPDK. Defines a standard API which supports both hardware accelerated lookaside and software based crypto processing. Underlying method of crypto operation processing is transparent to user application, allowing migration of work from hardware to software dynamically. Poll mode driver infrastructure for crypto devices.
DPDK's use of SIMD instructions has grown over time, expanding to include PMDs supporting Intel's 40 - and 100-Gigabit Ethernet . (ACL) libraries. A recent example is DPDK adding Cryptodev support for Intel's new Vector AES ( VAES) instruction set extension supported on 3rd Generation Intel Xeon Scalable processors, which is offering .
Full Detail in Red Hat Customer Portal at https://access.redhat.com. IP STACK NETWORK DRIVER SERVER HARDWARE . container: dpdk-app vfio hardware Intel XL710 IOMMU kernel dpdk-lib dpdk-app uio_pci_generic virt machine . Technology Review Performance analysis & tuning of Red Hat Enterprise Linux Wednesday, June 24 1:20 pm - 3:20 pm .
Conditional Random Fields: An Introduction Hanna M. Wallach February 24, 2004 1 Labeling Sequential Data The task of assigning label sequences to a set of observation sequences arises in many fields, including bioinformatics, computational linguistics and speech recognition [6, 9, 12]. For example, consider the natural language processing
