slow freebsd crypto-accelerating framework

VANHULLEBUS Yvan vanhu at FreeBSD.org
Mon Mar 2 07:06:28 PST 2009


Hi.

On Mon, Mar 02, 2009 at 05:57:56AM -0800, Vasile Marii wrote:
[....]
> The netperf results between the two exactly identical machines
> (with a tunnel (AES-CBC with HMAC_SHA256) between them) with
> exactly the same driver show a maximum throughput of
> 20 Mbps (without the IPSEC tunnel I can get 94,1 Mbps).
> I've seen similar problems on some threads regarding VIA (which
> should work with 1,1 Gbps throughput).

When doing some benchmarks on IPsec, the very first thing to do is to
ensure you'll have no fragmentation for ESP packets.

You can do that by updating TCPMSS on the fly (for example with Pf),
or by changing MTU on TRAFFIC interfaces (and NOT on tunnel
interfaces).

Once you have done that, you can start to have a look at performance.
And yes, it takes time to do IPsec processing, so your throughput will
be much lower than non-IPsec traffic on the same hosts.


Yvan.


More information about the freebsd-hackers mailing list
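
The size arithmetic behind the "no fragmentation for ESP packets" advice in the reply above, as an added example that is not part of the original thread. It assumes tunnel-mode ESP over IPv4 without options or NAT-T, AES-CBC with a 16-byte IV, and an HMAC-SHA256 ICV of 16 bytes (RFC 4868 truncation); the function names are hypothetical and the ICV length is a parameter because some stacks truncate to 12 bytes.

```python
"""ESP tunnel-mode size arithmetic for choosing a TCP MSS clamp (IPv4, no NAT-T)."""

OUTER_IP = 20      # outer IPv4 header, no options (assumption)
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1) + next header (1), both encrypted
AES_BLOCK = 16     # AES-CBC block size; the IV is one block
INNER_IP_TCP = 40  # inner IPv4 (20) + TCP (20), no options (assumption)


def esp_packet_size(inner_len, icv_len=16):
    """On-wire size of the ESP packet that carries an inner packet of inner_len bytes."""
    # Inner packet + trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return OUTER_IP + ESP_HEADER + AES_BLOCK + padded + icv_len


def max_inner_packet(path_mtu, icv_len=16):
    """Largest inner packet whose ESP encapsulation still fits in path_mtu."""
    room = path_mtu - OUTER_IP - ESP_HEADER - AES_BLOCK - icv_len
    blocks = room // AES_BLOCK
    if blocks < 1:
        raise ValueError("path MTU too small for ESP with these parameters")
    return blocks * AES_BLOCK - ESP_TRAILER


def mss_clamp(path_mtu, icv_len=16):
    """TCP MSS to advertise so that full-size segments are not fragmented after ESP."""
    mss = max_inner_packet(path_mtu, icv_len) - INNER_IP_TCP
    if mss <= 0:
        raise ValueError("no room left for TCP payload")
    return mss


def report(path_mtu=1500, icv_len=16):
    """Summarise the numbers for one path MTU (constructed sample values)."""
    return {
        "unclamped_1500_byte_packet_on_wire": esp_packet_size(1500, icv_len),
        "max_inner_packet": max_inner_packet(path_mtu, icv_len),
        "mss_clamp": mss_clamp(path_mtu, icv_len),
    }


if __name__ == "__main__":
    for icv in (16, 12):
        print(f"ICV {icv} bytes:", report(1500, icv))
```

With a 1500-byte path MTU, an unclamped 1500-byte inner packet becomes 1564 bytes after ESP and is fragmented; the computed MSS is the value to give pf's `max-mss` scrub option, or the inner packet limit is the MTU to set on the traffic interface.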