XFRM pCPU RSS: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (14 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
= Receiver Side Scaling (RSS) support = | = Receiver Side Scaling (RSS) support for IPsec/ESP = | ||
Receive Side Scaling (RSS)[https://www.kernel.org/doc/Documentation/networking/scaling.txt RSS] would steer flow to different ques. The receiver NIC should be able steer different flows, based on SPI, into separate queues to prevent the receiver from getting overwhelmed. We used Mellanex CX4 to test. Some cards initially tested did not seems to support RSS for ESP flows, instead only TCP and UDP. While figuring out RSS for these cards we tried a bit different approch. ESP in UDP encapsulation, along with ESP in UDP GRO patches we could see the flows getting distributed on the receiver. And later on in Nov 2019 kernel version 5.5 ML5 drivers seems to support ESP. [https://community.mellanox.com/s/article/Bluefield-IP-Forwarding-and-IPSEC-SPI-RSS Mellonox RSS]. | Receive Side Scaling (RSS)[https://www.kernel.org/doc/Documentation/networking/scaling.txt RSS] would steer flow to different ques. The receiver NIC should be able steer different flows, based on SPI, into separate queues to prevent the receiver from getting overwhelmed. We used Mellanex CX4 to test. Some cards initially tested did not seems to support RSS for ESP flows, instead only TCP and UDP. While figuring out RSS for these cards we tried a bit different approch. ESP in UDP encapsulation, along with ESP in UDP GRO patches we could see the flows getting distributed on the receiver. And later on in Nov 2019 kernel version 5.5 ML5 drivers seems to support ESP. [https://community.mellanox.com/s/article/Bluefield-IP-Forwarding-and-IPSEC-SPI-RSS Mellonox RSS]. | ||
=== | === config-ntuple Commands === | ||
Enable GRO. ideally you should be able to run the following, | Enable GRO. ideally you should be able to run the following, | ||
<pre> ethtool -N <nic> rx-flow-hash esp4 </pre> | <pre> ethtool -N <nic> rx-flow-hash esp4 </pre> | ||
| Line 10: | Line 10: | ||
<pre> ethtool -N eno2 rx-flow-hash udp4 sdfn </pre> | <pre> ethtool -N eno2 rx-flow-hash udp4 sdfn </pre> | ||
==== Mellanox support ( | RSS should suppr ESP4, ESP6, ESP in UDP for both IPv4 and IPv6. | ||
=== Marvel Octeon2 support === | |||
[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b9b7421a01d82c474227fce04f0468f1c70be306 Octeon2 commit Linux 5.12] | |||
==== Mellanox support (maybe) ==== | |||
could be configured steer the flow to a specific Q | could be configured steer the flow to a specific Q | ||
<pre> | <pre> | ||
ethtool --config-ntuple enp3s0f0 flow-type esp4 src-ip 192.168.1.1 dst-ip 192.168.1.2 spi 0xffffffff action 4 | ethtool --config-ntuple enp3s0f0 flow-type esp4 src-ip 192.168.1.1 dst-ip 192.168.1.2 spi 0xffffffff action 4 | ||
</pre> | |||
ntuple filtering of a UDP flow | |||
<pre> | |||
ethtool --config-ntuple <interface name> flow-type udp4 src-ip 192.168.1.1 dst-ip 192.168.10.2 src-port 2000 dst-port 2001 action 2 loc 33 | |||
</pre> | </pre> | ||
| Line 23: | Line 34: | ||
</pre> | </pre> | ||
==== Intel X710 ( | ==== Intel X710 (ice driver) yes ==== | ||
* [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=586006f996346e8a5a1ea80637ec949ceeea4ecbc ice: enable parsing IPSEC SPI headers for RSS] since V51.17. You may need /lib/firmware DDP support added in | |||
[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c90ed40cefe187a20fc565650b119aa696abc2ed ice: Enable writing hardware filtering tables] and right firmware loaded. | |||
[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=527691bf0682d7ddcca77fc17dabd2fa090572ff intel VF driver support ESP4] | |||
[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/intel/i40e/i40e_ethtool.c i40e_ethtool.c ESP_V4_FLOW] | [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/intel/i40e/i40e_ethtool.c i40e_ethtool.c ESP_V4_FLOW] | ||
| Line 53: | Line 71: | ||
</pre> | </pre> | ||
==== VMWare RSS ESP | ==== VMWare RSS ESP : yes ==== | ||
[https://docs.vmware.com/en/vSphere/6.7/solutions/vSphere-6.7.2cd6d2a77980cc623caa6062f3c89362/GUID-C500585C0560D28B71180A40A4767C57.html vmxnet ] | [https://docs.vmware.com/en/vSphere/6.7/solutions/vSphere-6.7.2cd6d2a77980cc623caa6062f3c89362/GUID-C500585C0560D28B71180A40A4767C57.html vmxnet] | ||
[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d3a8a9e5c3b334d443e97daa59bb95c0b69f4794 vmxnet3 version 4 commit] | |||
The vSphere 6.7 release includes vmxnet3 version 4, which supports some new features. | The vSphere 6.7 release includes vmxnet3 version 4, which supports some new features. | ||
"RSS for ESP – RSS for encapsulating security payloads (ESP) is now available in the vmxnet3 v4 driver. Performance testing of this feature showed a 146% improvement in receive packets per second during a test that used IPSEC and four receive queues." | "RSS for ESP – RSS for encapsulating security payloads (ESP) is now available in the vmxnet3 v4 driver. Performance testing of this feature showed a 146% improvement in receive packets per second during a test that used IPSEC and four receive queues." | ||
==== Marvell octeontx2-af RSS ESP : yes ===== | |||
https://lore.kernel.org/r/1611378552-13288-1-git-send-email-sundeep.lkml@gmail.com | |||
https://lore.kernel.org/netdev/1611378552-13288-1-git-send-email-sundeep.lkml@gmail.com/ | |||
<pre> | |||
ethtool -U eth0 rx-flow-hash esp4 sdfn | |||
ethtool -U eth0 rx-flow-hash ah4 sdfn | |||
ethtool -U eth0 rx-flow-hash esp6 sdfn | |||
</pre> | |||
==== Broadcom : no? ===== | |||
It seems would hash IP address of the ESP flow. | |||
== More Linux related information about RSS/XDP .. == | |||
* [https://github.com/xdp-project/xdp-cpumap-tc#assign-cpus-to-rx-queues XDP cpump] General information XDP CPU Redirect. | |||
* [https://lpc.events/event/11/contributions/939/attachments/771/1551/xdp-multi-buff.pdf XDP multibuf Jumbo/GRO/TSO support Netdev 0x14, 2021] | |||
* [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=169e77764adc041b1dacba84ea90516a895d43b2 XDP multi-buffer support 5.18]After this initial patch set in Linux 5.18 specific driver support with Jumbo and GRO are added : virtio, ice40, MLX5, and more. | |||
* [https://github.com/antonyantony/xdp-tools/tree/xfrm-pcpu-v3-antony-20231108 xdb-tools with spi based XDP_CPUREDIRECT support] 2023 October | |||
* [https://developers.redhat.com/blog/2021/05/13/receive-side-scaling-rss-with-ebpf-and-cpumap Receive Side Scaling (RSS) with eBPF and CPUMAP, Lorenzo Bianconi, May 13, 2021] | |||
== Future research/ideas == | == Future research/ideas == | ||
* Test with SR IOV and virtualisation(KVM): need systems with NIC that support SR IOV and RSS for ESP or at least UDP. | * Test with SR IOV and virtualisation(KVM): need systems with NIC that support SR IOV and RSS for ESP or at least UDP. | ||
* | * Can IKE daemon use other flow distribution methods based on SPI??? DPDK??? | ||
* another way of flow control??? https://doc.dpdk.org/dts/test_plans/link_flowctrl_test_plan.html | * another way of flow control??? https://doc.dpdk.org/dts/test_plans/link_flowctrl_test_plan.html | ||
* [https://garycplin.blogspot.com/2017/06/linux-network-scaling-receives-packets.html RSS/RPS/RFS] | * [https://garycplin.blogspot.com/2017/06/linux-network-scaling-receives-packets.html RSS/RPS/RFS] | ||
* DPDK RSS support | |||
Latest revision as of 23:36, 21 November 2023
Receiver Side Scaling (RSS) support for IPsec/ESP
Receive Side Scaling (RSS)RSS would steer flow to different ques. The receiver NIC should be able steer different flows, based on SPI, into separate queues to prevent the receiver from getting overwhelmed. We used Mellanex CX4 to test. Some cards initially tested did not seems to support RSS for ESP flows, instead only TCP and UDP. While figuring out RSS for these cards we tried a bit different approch. ESP in UDP encapsulation, along with ESP in UDP GRO patches we could see the flows getting distributed on the receiver. And later on in Nov 2019 kernel version 5.5 ML5 drivers seems to support ESP. Mellonox RSS.
config-ntuple Commands
Enable GRO. ideally you should be able to run the following,
ethtool -N <nic> rx-flow-hash esp4
Another argument is if the NIC agnostic the 16 bits of SPI, of ESP packet, is aligned with UDP port number and should provide enough entropy.
ethtool -N eno2 rx-flow-hash udp4 sdfn
RSS should suppr ESP4, ESP6, ESP in UDP for both IPv4 and IPv6.
Marvel Octeon2 support
Mellanox support (maybe)
could be configured steer the flow to a specific Q
ethtool --config-ntuple enp3s0f0 flow-type esp4 src-ip 192.168.1.1 dst-ip 192.168.1.2 spi 0xffffffff action 4
ntuple filtering of a UDP flow
ethtool --config-ntuple <interface name> flow-type udp4 src-ip 192.168.1.1 dst-ip 192.168.10.2 src-port 2000 dst-port 2001 action 2 loc 33
case ESP_V4_FLOW: return MLX5E_TT_IPV4_IPSEC_ESP;
Intel X710 (ice driver) yes
- ice: enable parsing IPSEC SPI headers for RSS since V51.17. You may need /lib/firmware DDP support added in
ice: Enable writing hardware filtering tables and right firmware loaded.
i40e_ethtool.c case ESP_V4_FLOW: case ESP_V6_FLOW: /* Default is src/dest for IP, no matter the L4 hashing */ cmd->data |= RXH_IP_SRC | RXH_IP_DST; break
AWS ENA (not yet)
case ESP_V4_FLOW: case ESP_V6_FLOW: return -EOPNOTSUPP;
ENA driver mention support CPU indirection may be we can use it as udp.
The default hashing is currently Toeplitz. Starting from ena driver v2.2.1 the driver supports changing the hash key and hash function as well as the indirection table itself. The support is only for instance types that end with "n", for example C5n instances. Please note that changing the indirection table is supported on all instance types.
VMWare RSS ESP : yes
The vSphere 6.7 release includes vmxnet3 version 4, which supports some new features. "RSS for ESP – RSS for encapsulating security payloads (ESP) is now available in the vmxnet3 v4 driver. Performance testing of this feature showed a 146% improvement in receive packets per second during a test that used IPSEC and four receive queues."
Marvell octeontx2-af RSS ESP : yes =
https://lore.kernel.org/r/1611378552-13288-1-git-send-email-sundeep.lkml@gmail.com
https://lore.kernel.org/netdev/1611378552-13288-1-git-send-email-sundeep.lkml@gmail.com/
ethtool -U eth0 rx-flow-hash esp4 sdfn ethtool -U eth0 rx-flow-hash ah4 sdfn ethtool -U eth0 rx-flow-hash esp6 sdfn
Broadcom : no? =
It seems would hash IP address of the ESP flow.
- XDP cpump General information XDP CPU Redirect.
- XDP multibuf Jumbo/GRO/TSO support Netdev 0x14, 2021
- XDP multi-buffer support 5.18After this initial patch set in Linux 5.18 specific driver support with Jumbo and GRO are added : virtio, ice40, MLX5, and more.
- xdb-tools with spi based XDP_CPUREDIRECT support 2023 October
- Receive Side Scaling (RSS) with eBPF and CPUMAP, Lorenzo Bianconi, May 13, 2021
Future research/ideas
- Test with SR IOV and virtualisation(KVM): need systems with NIC that support SR IOV and RSS for ESP or at least UDP.
- Can IKE daemon use other flow distribution methods based on SPI??? DPDK???
- another way of flow control??? https://doc.dpdk.org/dts/test_plans/link_flowctrl_test_plan.html
- RSS/RPS/RFS
- DPDK RSS support