From: lsorense@csclub.uwaterloo.ca (Lennart Sorensen)
To: Alexander Duyck <alexander.duyck@gmail.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
Netdev <netdev@vger.kernel.org>,
intel-wired-lan <intel-wired-lan@lists.osuosl.org>
Subject: Re: [Intel-wired-lan] i40e X722 RSS problem with NAT-Traversal IPsec packets
Date: Thu, 2 May 2019 11:11:40 -0400 [thread overview]
Message-ID: <20190502151140.gf5ugodqamtdd5tz@csclub.uwaterloo.ca> (raw)
In-Reply-To: <CAKgT0UczVvREiXwde6yJ8_i9RT2z7FhenEutXJKW8AmDypn_0g@mail.gmail.com>
On Wed, May 01, 2019 at 03:52:57PM -0700, Alexander Duyck wrote:
> I'm not sure how RSS will do much for you here. Basically you only
> have the source IP address as your only source of entropy when it
> comes to RSS since the destination IP should always be the same if you
> are performing a server role and terminating packets on the local
> system and as far as the ports in your example you seem to only be
> using 4500 for both the source and the destination.
I have thousands of IPsec clients connecting. Simply treating them as
normal UDP packets would work. The IP address is different, and often
the port too.
> In your testing are you only looking at a point to point connection
> between two systems, or do you have multiple systems accessing the
> system you are testing? I ask as the only way this should do any
> traffic spreading via RSS would be if the source IPs are different and
> that would require multiple client systems accessing the server.
I tried changing the client IP address and the RSS hash key. It never
changed to another queue. Something is broken.
> In the case of other encapsulation types over UDP, such as VXLAN, I
> know that a hash value is stored in the UDP source port location
> instead of the true source port number. This allows the RSS hashing to
> occur on this extra information which would allow for a greater
> diversity in hash results. Depending on how you are generating the ESP
> encapsulation you might look at seeing if it would be possible to have
> a hash on the inner data used as the UDP source port in the outgoing
> packets. This would help to resolve this sort of issue.
Well it works on every other network card except this one. Every other
intel card in the past we have used had no problem doing this right.
You want all the packets for a given ipsec tunnel to go to the same queue.
That is not a problem here. What you don't want is every ipsec packet
from everyone going to the same queue (always queue 0). So simply
treating them as UDP packets with a source and destination IP and port
would work perfectly fine. The X722 isn't doing that. It is always
assigning a hash value of 0 to these packets.
--
Len Sorensen
next prev parent reply other threads:[~2019-05-02 15:11 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-01 20:52 i40e X722 RSS problem with NAT-Traversal IPsec packets Lennart Sorensen
2019-05-01 22:52 ` [Intel-wired-lan] " Alexander Duyck
2019-05-02 15:11 ` Lennart Sorensen [this message]
2019-05-02 17:03 ` Alexander Duyck
2019-05-02 17:16 ` Lennart Sorensen
2019-05-02 17:28 ` Alexander Duyck
2019-05-02 17:55 ` Lennart Sorensen
2019-05-02 18:52 ` Lennart Sorensen
2019-05-02 20:59 ` Alexander Duyck
2019-05-03 15:14 ` Lennart Sorensen
2019-05-03 17:19 ` Alexander Duyck
2019-05-03 20:59 ` Lennart Sorensen
2019-05-13 16:55 ` Lennart Sorensen
2019-05-13 19:04 ` Alexander Duyck
2019-05-14 16:34 ` Lennart Sorensen
2019-05-16 17:10 ` Alexander Duyck
2019-05-16 18:34 ` Lennart Sorensen
2019-05-16 18:37 ` Lennart Sorensen
2019-05-16 23:32 ` Alexander Duyck
2019-05-17 16:42 ` Alexander Duyck
2019-05-17 17:23 ` Lennart Sorensen
2019-05-17 22:20 ` Alexander Duyck
2019-05-21 15:15 ` Lennart Sorensen
2019-05-21 16:51 ` Alexander Duyck
2019-05-21 17:54 ` Lennart Sorensen
2019-05-21 23:22 ` Alexander Duyck
2019-05-22 14:39 ` Lennart Sorensen
2019-06-07 14:39 ` Lennart Sorensen
2019-06-07 19:32 ` Alexander Duyck
2019-06-07 20:49 ` [E1000-devel] " Hisashi T Fujinaka
2019-06-07 22:08 ` Fujinaka, Todd
2019-06-10 19:01 ` Lennart Sorensen
2020-02-07 21:51 ` Lennart Sorensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190502151140.gf5ugodqamtdd5tz@csclub.uwaterloo.ca \
--to=lsorense@csclub.uwaterloo.ca \
--cc=alexander.duyck@gmail.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).