RARE user and assistance email list

[mc36 <>]

hi,
did my homework again: spawned a vm with -cpu host on qemu and did 2 relevant 
tests,
then spawned the same vm at exactly the same host but without the host cpu 
flags...
as it shows, aes128 was 3x as much fast, and sha1 was 2x as much fast with 
those
fancy features! raw results below.... :)
regards,
cs










mc36@router:~$ cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 79
model name      : Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
stepping        : 1
microcode       : 0xb000038
cpu MHz         : 2197.440
cache size      : 16384 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 2
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 20
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon 
rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm 
abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm 
rdseed adx smap xsaveopt arat umip md_clear arch_capabilities
vmx flags       : vnmi preemption_timer posted_intr invvpid ept_x_only ept_ad ept_1gb flexpriority apicv tsc_offset vtpr mtf vapic ept vpid unrestricted_guest vapic_reg vid 
shadow_vmcs pml
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf 
mds swapgs taa
bogomips        : 4394.88
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management:

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 79
model name      : Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
stepping        : 1
microcode       : 0xb000038
cpu MHz         : 2197.440
cache size      : 16384 KB
physical id     : 0
siblings        : 2
core id         : 1
cpu cores       : 2
apicid          : 1
initial apicid  : 1
fpu             : yes
fpu_exception   : yes
cpuid level     : 20
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon 
rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm 
abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm 
rdseed adx smap xsaveopt arat umip md_clear arch_capabilities
vmx flags       : vnmi preemption_timer posted_intr invvpid ept_x_only ept_ad ept_1gb flexpriority apicv tsc_offset vtpr mtf vapic ept vpid unrestricted_guest vapic_reg vid 
shadow_vmcs pml
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf 
mds swapgs taa
bogomips        : 4394.88
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management:

mc36@router:~$ openssl speed -evp aes-128-cbc -bytes 500 2> /dev/null
OpenSSL 1.1.1g  21 Apr 2020
built on: Tue Apr 21 19:45:21 2020 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-kZUcLs/openssl-1.1.1g=. -fstack-protector-strong -Wformat 
-Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time 
-D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type            500 bytes
aes-128-cbc     972382.83k
mc36@router:~$ openssl speed -evp sha1 -bytes 500 2> /dev/null
OpenSSL 1.1.1g  21 Apr 2020
built on: Tue Apr 21 19:45:21 2020 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-kZUcLs/openssl-1.1.1g=. -fstack-protector-strong -Wformat 
-Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time 
-D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type            500 bytes
sha1            503488.17k
mc36@router:~$








mc36@router:~$ cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 6
model name      : QEMU Virtual CPU version 2.5+
stepping        : 3
microcode       : 0x1
cpu MHz         : 2197.440
cache size      : 16384 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 2
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 ht syscall nx lm rep_good nopl xtopology cpuid tsc_known_freq pni cx16 
x2apic hypervisor lahf_lm cpuid_fault pti
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf 
mds swapgs itlb_multihit
bogomips        : 4394.88
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management:

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 6
model name      : QEMU Virtual CPU version 2.5+
stepping        : 3
microcode       : 0x1
cpu MHz         : 2197.440
cache size      : 16384 KB
physical id     : 0
siblings        : 2
core id         : 1
cpu cores       : 2
apicid          : 1
initial apicid  : 1
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 ht syscall nx lm rep_good nopl xtopology cpuid tsc_known_freq pni cx16 
x2apic hypervisor lahf_lm cpuid_fault pti
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf 
mds swapgs itlb_multihit
bogomips        : 4394.88
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management:

mc36@router:~$ openssl speed -evp aes-128-cbc -bytes 500 2> /dev/null
OpenSSL 1.1.1g  21 Apr 2020
built on: Tue Apr 21 19:45:21 2020 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-kZUcLs/openssl-1.1.1g=. -fstack-protector-strong -Wformat 
-Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time 
-D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type            500 bytes
aes-128-cbc     318730.50k
mc36@router:~$ openssl speed -evp sha1 -bytes 500 2> /dev/null
OpenSSL 1.1.1g  21 Apr 2020
built on: Tue Apr 21 19:45:21 2020 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-kZUcLs/openssl-1.1.1g=. -fstack-protector-strong -Wformat 
-Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time 
-D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type            500 bytes
sha1            366210.87k
mc36@router:~$






On 9/5/20 10:32 AM, mc36 wrote:
> hi,
> going inline!
> regards,
> cs
>
>
> On 9/5/20 10:19 AM, Frédéric LOUI wrote:
> > Hi !
> >
> > This is tremendous result !
> >
> > And was just mentioning in the presentation during Jisc NGN VC that is had a 
> > "feasibility status"Â  (not RFS soon :) )
> > So don’t push too hard ... Get some rest !
> >
> > > aes256+sha1!
> >
> > Question, do you seen an improvement with/without AES-NI extension.
> > (Not sure if we can disable AES-NI … Maybe via the BIOS I don’t have sone 
> > so I can’t tell ...)
> imho we cannot disable aes-ni, maybe within qemu by eabling/disabling cpu 
> features provided to vm...
> anyway openssl is quite mature and i bet you does the best available in terms 
> of performance
> even in the case when no aes-ni is available...
>
>
> > > and every interface could have it's own receiver and transmitter core 
> > > associated in dpdk...
> > So these are DPDK cores.
> >
> > > so we can safely say that enabling crypto on adds about a five multiplied to 
> > > the load so divides the performance by five.
> >
> > Question: This is my dpdk-devbind —status
> [..]
>
> > Is _THIS CRYPTO_ device:
> > "
> > Other Crypto devices
> > ====================
> > 0000:00:1a.0 'Atom Processor Z36xxx/Z37xxx Series Trusted Execution Engine 
> > 0f18' unused=uio_pci_generic
> > «
> > And be of help andprovide hardware assisted computation ?
> imho txe is for something else: 
> https://en.wikipedia.org/wiki/Intel_Management_Engine
> in short, you can brick the board remotely with this enabled! :)
>
> > > regarding the rest of the dataplanes, nor bmv2 nor tofino have
> > > no crypto at all so until that changes, it'll be p4emu specific…
> > I’ll ask INTEL/BAREFOOT if they have plans for embedding crypto. How is 
> > doing Cisco ccs5k macsec linecard ?
> > I’ll try to have a look and see how these line cards are build… ncs seems 
> > not to use dedicated Cisco hardware...
> yesss ncs5k uses broadcom and mostly switch asics also found in nexus 7k so 
> it's quite normal that they have macsec...
> anyway ask9k also have it, but both only on their hungig ports, and only with 
> selected linecards...
> anyway asking bf about it seems good idea, at least they'll know that there 
> is user need for it,
> but imho it would not be the best place for it to appear: recall that cisco 
> initially proposed
> that macsec should be in the sfp+ and not on the linecards... finally that 
> heaven never happened,
> but for now, if bf implements crypto within their stuff itself then at least 
> we can apply that
> to different places of packet: the whole, after the vlan, after the gre, and 
> so on...
>
> > > regarding the future plans, obviously i'll go for ipsec!
> > > once that happens, we'll have an enterprise grade cpe.... :)
> > Let’s peer over IPsec once this is available ;)
> sure thing... ping me once you're ready... :)
>
>
> > Have a good week end !
> >
> > À bientôt,
> > --Â  Frederic
> >
> >
> >
> >
> > > Le 5 sept. 2020 à 07:16, mc36 <> a écrit :
> > >
> > > hi,
> > >
> > > please find attached the fresh test runs with bmv2 and dpdk.
> > > news is macsec support in p4emu (dpdk, pcap).
> > > and even better news is that on a 7 years old i7-3770 it's does gigabit on 1 
> > > cpucore with aes256+sha1!
> > >
> > > and every interface could have it's own receiver and transmitter core 
> > > associated in dpdk...
> > > in case of pcap, every interface by default have an own thread to process 
> > > packets from the interface...
> > >
> > > in the i7 case, iperfing at gigabit used 20% 1cpu then enabling macsec bumped 
> > > it to 120%. (it used p4dpdk)
> > > the opposite was a xeon, iperfing at gigabit used 70% 1cpu then enabling 
> > > macsec bumped it to 170% (it used p4pcap, this is why it have so high initial 
> > > cpu)
> > > so we can safely say that enabling crypto on adds about a five multiplied to 
> > > the load so divides the performance by five.
> > >
> > > regarding the implementation, i linked against libcrypto (from openssl) and 
> > > to maintain
> > > full locklessness, i reinitalize the thread's own crypto contexts for every 
> > > packet.
> > > (did a quick testing with common contexts and did now saw any gain in 
> > > performance,
> > > but there could be algorithms that have much more expensive init functions:)
> > >
> > > regarding the rest of the dataplanes, nor bmv2 nor tofino have
> > > no crypto at all so until that changes, it'll be p4emu specific...
> > >
> > > regarding the future plans, obviously i'll go for ipsec!
> > > once that happens, we'll have an enterprise grade cpe.... :)
> > >
> > > regards,
> > > cs
> > > <rtrp4lang-bmv2-.csv><rtrp4lang-bmv2-.html><rtrp4lang-dpdk-.csv><rtrp4lang-dpdk-.html>