[v7,ipsec-next,0/3] xfrm: Support GRO decapsulation for ESP in UDP encapsulation

Message ID	cover.1696423735.git.antony.antony@secunet.com (mailing list archive)
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B5DA110966 for <netdev@vger.kernel.org>; Wed, 4 Oct 2023 13:05:07 +0000 (UTC) Date: Wed, 4 Oct 2023 15:04:53 +0200 From: Antony Antony <antony.antony@secunet.com> To: Steffen Klassert <steffen.klassert@secunet.com>, Herbert Xu <herbert@gondor.apana.org.au> CC: Eyal Birger <eyal.birger@gmail.com>, <devel@linux-ipsec.org>, Eric Dumazet <edumazet@google.com>, <netdev@vger.kernel.org>, Antony Antony <antony.antony@secunet.com> Subject: [PATCH v7 ipsec-next 0/3] xfrm: Support GRO decapsulation for ESP in UDP encapsulation Message-ID: <cover.1696423735.git.antony.antony@secunet.com> Reply-To: <antony.antony@secunet.com> References: <6dfd03c5fa0afb99f255f4a35772df19e33880db.1674156645.git.antony.antony@secunet.com> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <6dfd03c5fa0afb99f255f4a35772df19e33880db.1674156645.git.antony.antony@secunet.com> Precedence: first-class Priority: normal Organization: secunet
Series	xfrm: Support GRO decapsulation for ESP in UDP encapsulation \| expand [v7,ipsec-next,0/3] xfrm: Support GRO decapsulation for ESP in UDP encapsulation [v7,ipsec-next,1/3] xfrm: Use the XFRM_GRO to indicate a GRO call on input [v7,ipsec-next,2/3] xfrm: Support GRO for IPv4 ESP in UDP encapsulation [v7,ipsec-next,3/3] xfrm: Support GRO for IPv6 ESP in UDP encapsulation

Message ID

cover.1696423735.git.antony.antony@secunet.com (mailing list archive)

Headers

Date: Wed, 4 Oct 2023 15:04:53 +0200
From: Antony Antony <antony.antony@secunet.com>
To: Steffen Klassert <steffen.klassert@secunet.com>, Herbert Xu
	<herbert@gondor.apana.org.au>
CC: Eyal Birger <eyal.birger@gmail.com>, <devel@linux-ipsec.org>, Eric Dumazet
	<edumazet@google.com>, <netdev@vger.kernel.org>, Antony Antony
	<antony.antony@secunet.com>
Subject: [PATCH v7 ipsec-next 0/3] xfrm: Support GRO decapsulation for ESP in
 UDP encapsulation
Message-ID: <cover.1696423735.git.antony.antony@secunet.com>
Reply-To: <antony.antony@secunet.com>
References: 
 <6dfd03c5fa0afb99f255f4a35772df19e33880db.1674156645.git.antony.antony@secunet.com>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: 
 <6dfd03c5fa0afb99f255f4a35772df19e33880db.1674156645.git.antony.antony@secunet.com>
Precedence: first-class
Priority: normal
Organization: secunet

Series

xfrm: Support GRO decapsulation for ESP in UDP encapsulation | expand

Message

Antony Antony Oct. 4, 2023, 1:04 p.m. UTC

Hi,

I have added how to enable this feature, and more description to the second
patch. Here is copy of that.

xfrm: Support GRO for IPv4i & IPv6 ESP in UDP encapsulation

This patchset enables the GRO codepath for ESP in UDP encapsulated
packets. Decapsulation happens at L2 and saves a full round through
the stack for each packet. This is also needed to support HW offload
for ESP in UDP encapsulation.

Enabling this would imporove performance for ESP in UDP datapath, i.e
IPsec with NAT in between. Our initial tests show 20% improvement.


By default GRP for ESP-in-UDP is disabled for UDP sockets.
To enable this feature for an ESP socket, the following two options
need to be set:
 1. enable ESP-in-UDP: (this is already set by an IKE daemon).
    int type = UDP_ENCAP_ESPINUDP;
    setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type));

 2. To enable GRO for ESP in UDP socket:
    type = true;
    setsockopt(fd, SOL_UDP, UDP_GRO, &type, sizeof(type));

Enabling ESP-in-UDP has the side effect of preventing the Linux stack from
seeing ESP packets at the L3 (when ESP OFFLOAD is disabled), as packets are
immediately decapsulated from UDP and decrypted.
This change may affect nftable rules that match on ESP packets  at L3.
Also tcpdump won't see the ESP packet.

Developers/admins are advised to review and adapt any nftable rules
accordingly before enabling this feature to prevent potential rule breakage.
Also tcpdump will not see from ESP packets from a ESP in UDP flow when this
is enabled.

---

Initial, a quick test showed performance difference of about 20%
impromvent on the receiver, when using iperf, tcp flow, over ESP in UDP.

Steffen Klassert (3):
  xfrm: Use the XFRM_GRO to indicate a GRO call on input
  xfrm: Support GRO for IPv4 ESP in UDP encapsulation
  xfrm: Support GRO for IPv6 ESP in UDP encapsulation

 include/net/gro.h        |  2 +-
 include/net/ipv6_stubs.h |  3 ++
 include/net/xfrm.h       |  4 ++
 net/ipv4/esp4_offload.c  |  6 ++-
 net/ipv4/udp.c           | 16 +++++++
 net/ipv4/xfrm4_input.c   | 94 ++++++++++++++++++++++++++++++++--------
 net/ipv6/af_inet6.c      |  1 +
 net/ipv6/esp6_offload.c  | 10 ++++-
 net/ipv6/xfrm6_input.c   | 94 ++++++++++++++++++++++++++++++++--------
 net/xfrm/xfrm_input.c    |  6 +--
 10 files changed, 192 insertions(+), 44 deletions(-)

--
2.30.2

Comments

Steffen Klassert Oct. 6, 2023, 5:49 a.m. UTC | #1

On Wed, Oct 04, 2023 at 03:04:53PM +0200, Antony Antony wrote:
> Hi,
> 
> I have added how to enable this feature, and more description to the second
> patch. Here is copy of that.
> 
> xfrm: Support GRO for IPv4i & IPv6 ESP in UDP encapsulation
> 
> This patchset enables the GRO codepath for ESP in UDP encapsulated
> packets. Decapsulation happens at L2 and saves a full round through
> the stack for each packet. This is also needed to support HW offload
> for ESP in UDP encapsulation.
> 
> Enabling this would imporove performance for ESP in UDP datapath, i.e
> IPsec with NAT in between. Our initial tests show 20% improvement.
> 
> 
> By default GRP for ESP-in-UDP is disabled for UDP sockets.
> To enable this feature for an ESP socket, the following two options
> need to be set:
>  1. enable ESP-in-UDP: (this is already set by an IKE daemon).
>     int type = UDP_ENCAP_ESPINUDP;
>     setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type));
> 
>  2. To enable GRO for ESP in UDP socket:
>     type = true;
>     setsockopt(fd, SOL_UDP, UDP_GRO, &type, sizeof(type));
> 
> Enabling ESP-in-UDP has the side effect of preventing the Linux stack from
> seeing ESP packets at the L3 (when ESP OFFLOAD is disabled), as packets are
> immediately decapsulated from UDP and decrypted.
> This change may affect nftable rules that match on ESP packets  at L3.
> Also tcpdump won't see the ESP packet.
> 
> Developers/admins are advised to review and adapt any nftable rules
> accordingly before enabling this feature to prevent potential rule breakage.
> Also tcpdump will not see from ESP packets from a ESP in UDP flow when this
> is enabled.
> 
> ---
> 
> Initial, a quick test showed performance difference of about 20%
> impromvent on the receiver, when using iperf, tcp flow, over ESP in UDP.
> 
> Steffen Klassert (3):
>   xfrm: Use the XFRM_GRO to indicate a GRO call on input
>   xfrm: Support GRO for IPv4 ESP in UDP encapsulation
>   xfrm: Support GRO for IPv6 ESP in UDP encapsulation
> 

Series applied to ipsec-next.

Thanks so much for finalizing this work Antony!