Browse Prior Art Database

Method and system to save system bus and memory bandwidth while adding L2 header on ESP tunnel packets

IP.com Disclosure Number: IPCOM000239462D
Publication Date: 2014-Nov-10
Document File: 4 page(s) / 232K

Publishing Venue

The IP.com Prior Art Database

Abstract

IPSec processing is very memory access intensive as to encrypt or decrypt required many memory read write operations. This increase in memory bandwidth and system bus utilization impacts the overall system performance. The method we are discussing in this publication is to reduce the system memory bandwidth and system bus utilization. L2 header is required to be applied to ESP packet which is going into the tunnel. The method ensures that this addition of L2 header will not result in extra system memory accesses.

This text was extracted from a Microsoft Word document.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 54% of the total text.

Title

Method and system to save system bus and memory bandwidth while adding L2 header on ESP tunnel packets.

Abstract

IPSec processing is very memory access intensive as to encrypt or decrypt required many memory read write operations. This increase in memory bandwidth and system bus utilization impacts the overall system performance. The method we are discussing in this publication is to reduce the system memory bandwidth and system bus utilization. L2 header is required to be applied to ESP packet which is going into the tunnel. The method ensures that this addition of L2 header will not result in extra system memory accesses.

Problem

Compound frame has two buffers associated with it

·         INPUT      – buffer contain the data to be encrypted/decrypted

·         OUTPUT – buffer to put the encrypted/decrypted data.

In case the inline SEC operation i.e. INPUT buffer is same as OUTPUT buffer, the SEC block has following limitation:

In case protocol offloads, the descriptor could output some sort of header before reading the input frame. As a result, the header could overwrite the input frame before the input frame is ready and hence corrupt the data. One easy way to avoid this is to use a nonzero offset for the input frame but have the output frame use a        smaller offset.

The reasons why compound frame are important is that it give software control over the release of the input buffers. This is useful for multi-cast and retransmission scenarios in which the original data needs to be retained for some interval even after a successful encrypt/decrypt operation.

 The point to use a nonzero offset for the input frame but have the output frame use a smaller offset is functionally valid but it has negative impact on system performance. A typical use case is IP forwarding traffic going into IPSec tunnel. The plain IP packet is received in the buffer as given below.

    •  If buffer start margin = 128, the Ethernet frame will be received at the offset 128.
    •  Since start of buffer is cache align, the Ethernet frame will start form the 3 cache line of the buffer. This cache line is stashed to the core cache.
    •  Now any usage of small offset for ESP IP packet meant that Ethernet header for the tunnel will fall in the second cache line of the buffer.
    •  This is not desirable as this cache line possibly not in core cache and accessing it has an overhead and hit the performance.
   

Ethernet frame

Cache line 1          cache line 2               cache line 3   

Solution to problem

The IP packet which is going into ESP tunnel will be received in cache line 3 and onwards. The cache line size is 64 bytes so the Ethernet header (14) + IP header (20) + TCP/UDP header (20/8) will be in the cache line 3. This cache line will be stashed to CPU core as fast-path running on...