IPSec Performance under Xen
Sydney Meyer
meyer.sydney at googlemail.com
Fri Apr 24 00:06:00 UTC 2015
Hello Andrey,
first off, thank you for your explanation.
As for your Hint, i am not a C Programmer but i think i have a better understanding of the issue now.
I believe this is a know issue and the reason why IPSEC isn't in GENERIC, afaik from this discussion (https://lists.freebsd.org/pipermail/freebsd-hackers/2009-April/028364.html).
I have compiled the patched kernel and am installing on the vm's now.. will get back to you.
S.
> On Apr 24, 2015, at 01:26, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
>
> On 24.04.2015 01:00, Sydney Meyer wrote:
>> Hello,
>>
>> I have set up 2 VM's under Xen running each one IPSec-Endpoint.
>> Everything seems to work fine, but (measured with benchmarks/iperf)
>> the performance drops from ~10 Gb/s on a non-IPSec-Kernel to ~200
>> Mb/s with IPSec compiled in, regardless of whether actually using
>> IPSec or not.
>
> Can you test this patch to see the difference? It isn't a fix. It is
> just to see how will help avoiding of PCB check.
>
> --- ip_output.c (revision 281867)
> +++ ip_output.c (working copy)
> @@ -482,7 +482,7 @@ again:
>
> sendit:
> #ifdef IPSEC
> - switch(ip_ipsec_output(&m, inp, &flags, &error)) {
> + switch(ip_ipsec_output(&m, NULL, &flags, &error)) {
> case 1:
> goto bad;
> case -1:
>
>
> --
> WBR, Andrey V. Elsukov
More information about the freebsd-net
mailing list