DPDK Summit China 2017
DPDK Summit China 2017
Accelerating the FD.IO/VPP CryptoWorkload with the DPDK CryptodevFrameworkFAN ZHANG, PH.DNETWORK PLATFORM GROUP, DATA CENTER GROUPROY.FAN.ZHANG@INTEL.COM
3LEGAL DISCLAIMER No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and noninfringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. This document contains information on products, services and/or processes in development. All information provided here is subject to change without notice.Contact your Intel representative to obtain the latest forecast, schedule, specifications and roadmaps. The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterizederrata are available on request. Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by m Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. Copyright 2017, Intel Corporation. All rights reserved. Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. Theseoptimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of anyoptimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors.Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guidesfor more information regarding the specific instruction sets covered by this notice. Notice Revision #20110804 Mileage may vary Disclaimer: Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configurationwill affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For more complete information aboutperformance and benchmark results, visit www.intel.com/benchmarks Test and System Configurations: Estimates are based on internal Intel analysis using atleastData Plane Development Kit IPSec sample application on Intel(R) Xeon(R) CPU E5-2695 v4@ 2.10GHz with atleast using Intel(R) Communications Chipset(s) 8955 withIntel(R) QuickAssist Technology.Network PlatformsGroup
4Agenda Problem Statement DPDK Cryptodev Framework Introduction Enable DPDK Cryptodev Framework in VPP Performance Future work ConclusionNetwork PlatformsGroup
5Agenda Problem Statement DPDK Cryptodev Framework Introduction Enable DPDK Cryptodev Framework in VPP Performance Future work ConclusionNetwork PlatformsGroup
6Think about security at every step of the process: architecture, implementation, testing,documentation, distribution and deployment-Dr. Nicko van Someren, CTO, Linux FoundationWith VPP, a single core can do 40G, 100G or even higher throughput L2 forwardingBut what is the throughput after adding security protection?Network PlatformsGroup
7Let’s take IPSec as an example 20 years old but is still extremely popular Playing the role of security guardian inmany network applications Requires lots of computations includingcryptoWhen traffic rate is high, efficient cryptoimplementation becomes necessaryData CentercloudBranchIPsec TrafficInternet/WANIPsec RouterEnd DevicesNetwork PlatformsGroupvBranch
8FD.io / VPP IPSec Supports IPv4/IPv6 IPSec ESP, tunnel/transportmode, and SA management DPDK EthDev integrated For crypto it uses OpenSSL by default nputip4-lookupip4rewritetransmit if -txNetwork PlatformsGroupPacket Vector if -output.espencryptinterfaceoutputipsec-ifoutput
9FD.io/VPP IPSec with OpenSSL asCrypto Performance§Throughput (Gbps)VPP IPSec AES-128 CBC et Size Does Securing the Network Application have to degrade performance? Not ReallyNetwork PlatformsGroup
10Agenda Problem Statement DPDK Cryptodev Framework Introduction Enable DPDK Cryptodev Framework in VPP Performance Future work ConclusionNetwork PlatformsGroup
11DPDK Cryptodev FrameworkUser Application Crypto framework for processingsymmetric crypto workloads in DPDK.DPDK Cryptodev APIDPDK Cryptodev consists of: SW and HW Crypto PMDs A standard API supports all PMDs Multi-queues for multi-thread sharing Effortless migration (SW-HW, PHY-VIRT) Asynchronous lgorithmDefinitionSessionManagementQueue PairManagementDevice StatsOperationProvisionEnqueue/DequeueQAT* PMDAES-NI**PMDQAT* edulerPlatforms PMDSnow3GPMDZUC PMDSW accelerated by Intel Performance LibrariesLibsso.aDPAA2 SECPMD* QAT Intel(R) QuickAssist Technology** AESNI-MB and AESNI-GCM PMDs
12Supported Algorithms In CryptodevNetwork PlatformsGroup
13Agenda Problem Statement DPDK Cryptodev Framework Introduction Enable DPDK Cryptodev Framework in VPP Performance Future work ConclusionNetwork PlatformsGroup
14Enable DPDK Cryptodev in VPP IPSec EthernetInputReplaced 2 nodes: esp-encrypt dpdk-esp-encrypt esp-decrypt dpdk-esp-decryptip4-inputnochecksumAdded 3 nodes: dpdk-crypto-input dpdk-esp-encrypt-post ip4-lookupdpdk-esp-decrypt-post if -txNetwork PlatformsGroupPacket Vector.ip4-inputip4rewritetransmit if encryptinterfaceoutputipsec-ifoutput
15VPP Configuration for DPDK Cryptodev Environmental option: Sample Configuration:For software PMD:vpp use dpdk cryptodev sw yes User only needs to provide Cryptodevs instartup.conf file Allocate crypto resources on best effortapproach No special IPSec configuration is required More information can be found hereNetwork PlatformsGroupdpdk { #HW PMDsenable-cryptodevdev 0000:85:01.0dev 0000:85:01.1#SW PMDsvdev cryptodev aesni mb pmd0,socket id 1vdev cryptodev aesni mb pmd1,socket id 1}
16Agenda Problem Statement DPDK Cryptodev Framework Introduction Enable DPDK Cryptodev Framework in VPP Performance Future work ConclusionNetwork PlatformsGroup
17Performance§ from VPP IPSecAES-128 CBC HMAC-SHA145.00Throughput ENSSL10.005.000.0064512Packet Size1024*QAT Intel(R) QuickAssist Technology§ Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For more complete information about performance andbenchmark results, visit www.intel.com/benchmarksTest and System Configurations: Estimates are based on internal Intel analysis using at least Data Plane Development Kit IPSec sample application on Intel(R) Xeon(R) CPU E5-2695 v4@ 2.10GHz with atleast using Intel(R) Communications Chipset(s) 8955 with Intel(R) QuickAssist Technology.Network PlatformsGroup
18Agenda Problem Statement DPDK Cryptodev Framework Introduction Enable DPDK Cryptodev Framework in VPP Performance Future work ConclusionNetwork PlatformsGroup
19Future Work DPDK Cryptodev Optimization Enable DPDK Cryptodev Framework in VPP IKEv2. VPP IPSec Performance Tuning Enable DPDK Cryptodev Scheduler PMD to increase crypto workloadprocessing capability per-worker thread Virtio-Crypto EnablingNetwork PlatformsGroup
20Agenda Problem Statement DPDK Cryptodev Framework Introduction Enable DPDK Cryptodev Framework in VPP Performance Future work ConclusionNetwork PlatformsGroup
21Summary Achieved VPP IPSec Performance boost by enabling DPDK CryptodevFramework QAT hardware accelerated VPP IPSec has more performance boost thanthe software alternative Seamlessly integrated into VPP, easy to enable and configure, no extraIPSec configuration is required Migration between Software and Hardware, Physical and Virtual, iseffortlessNetwork PlatformsGroup
22AcknowledgementArkadiuszx kusztal (arkadiuszx.kusztal@intel.com)Declan Doherty (declan.doherty@intel.com)Fiona Trahe (fiona.trahe@intel.com)Jain Deepak (deepak.k.jain@intel.com)John Griffin (john.griffin@intel.com)Kirill Rybalchenko (kirill.rybalchenko@intel.com)Pablo D. L. Guarch (pablo.de.lara.guarch@intel.com)Radu Nicolau (radu.nicolau@intel.com)Sergio G. M (sergio.gonzalez.monroy@intel.com)Network PlatformsGroup
23Q&AThanks!!欢迎关注DPDK开源社区Network PlatformsGroup
DPDK Cryptodev Framework Crypto framework for processing symmetric crypto workloads in DPDK. DPDK Cryptodev consists of: SW and HW Crypto PMDs A standard API supports all PMDs Multi-queues for multi-thread sharing Effortless migration (SW -HW, PHY-VIRT) Asynchronous enqueue/dequeue. User Application DPDK Cryptodev API Device Management Device .
DPDK Summit North America 2018 - Dec 3-4, 2018, San Jose, CA DPDK Integration [1/2] nDPI is packet-capture neutral (DPDK, PF_RING, netmap, pcap ) Inside nDPI/example there is an application named ndpiReader that demonstrates how to use the nDPI API when reading from pcap files and DPDK.!17 cd nDPI/example make -f Makefile.dpdk
Full Detail in Red Hat Customer Portal at https://access.redhat.com. IP STACK NETWORK DRIVER SERVER HARDWARE . container: dpdk-app vfio hardware Intel XL710 IOMMU kernel dpdk-lib dpdk-app uio_pci_generic virt machine . Technology Review Performance analysis & tuning of Red Hat Enterprise Linux Wednesday, June 24 1:20 pm - 3:20 pm .
We measured the performance of Intel DPDK on physical machine using the topology shown in figure-1. We used 3 fractus machines- compute28 , compute19 and compute20 for our project. Compute 28 had Intel DPDK installed, Compute 19 acted as the traffic generator and compute 20 ran tshark to capture the generated traffic.
Register driver configuration structure with DPDK EAL using the existing RTE_PMD_REGISTER_PCI macro. Physical devices are identified by PCI ID during the EAL PCI scan and allocated a unique device identifier. Device initiation is also along the same principles as DPDK cryptodev and ethdev. Devices are first configured
DPDK Prefilters Implement bypass functionality Divides operation into DPDK primary and secondary process Can employ various strategies to redirect flow even before Suricata tells it to Strategy can include e.g. encrypted traffic analysis or feed machine learning model with Suricata metadata
WEI Yi-min, China XU Ming-gang, China YANG Jian-chang, China ZHAO Chun-jiang, China ZHAO Ming, China Members Associate Executive Editor-in-Chief LU Wen-ru, China Michael T. Clegg, USA BAI You-lu, China BI Yang, China BIAN Xin-min, China CAI Hui-yi, China CAI Xue-peng, China CAI Zu-cong,
Complexity Simple by Design Can Become Complex Performance Moderate Very Fast Key-Value Data Type Yes (Map ) No (requires other library) Concurrency Yes (channel and go func) No (requires other tools) Memory Management Yes (Garbage Collection) No Compiled Language Yes Yes Build System Built-in Your Choice Go vs C 2017/9/26,27 DPDK Summit Userspace 2017 7. Goal Data Plane shall run fast .
Introduction to Logic Catalog Description: Introduction to evaluation of arguments. Concentration on basic principles of formal logic and application to evaluation of arguments. Explores notions of implication and proof and use of modern techniques of analysis including logical symbolism. Credit Hour(s): 3 Lecture Hour(s): 3 Lab Hour(s): 0 Other Hour(s): 0 Requisites Prerequisite and .
