Is if_ipsec/ipsec - AESNI accelerated ?
David P. Discher
dpd at dpdtech.com
Thu Aug 9 07:00:29 UTC 2018
> On Aug 8, 2018, at 10:37 PM, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
>
> On 09.08.2018 06:57, David P. Discher wrote:
>> I’m suspecting that IPSec in FreeBSD is not leveraging AESNI on Intel. Is this correct?
>
> IPsec uses crypto(9) framework that works by default without any
> acceleration. You need to load aesni(4) kernel module to enable
> acceleration. Also, you need to recreate security associations after
> module loading to take effect.
Yes. I booted with AESNI loaded … via loader.conf. Transcript below. The two endpoints are identical hardware.
--
David P. Discher
https://davidpdischer.com/
408.368.3725 • dpd at dpdtech.com
[ pts/0 sjc2 util201:~ ]
[ dpd ] > kldstat
Id Refs Address Size Name
1 32 0xffffffff80200000 2081408 kernel
2 1 0xffffffff82283000 259e0 geom_mirror.ko
3 1 0xffffffff822a9000 e568 if_bridge.ko
4 2 0xffffffff822b8000 6d28 bridgestp.ko
5 1 0xffffffff822bf000 7600 if_tap.ko
6 1 0xffffffff822c7000 f988 ipmi.ko
7 2 0xffffffff822d7000 2d10 smbus.ko
8 1 0xffffffff822da000 381130 zfs.ko
9 2 0xffffffff8265c000 a380 opensolaris.ko
10 1 0xffffffff82667000 af98 aesni.ko
11 1 0xffffffff82b11000 2328 ums.ko
[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo /usr/local/etc/rc.d/racoon stop
Password:
Stopping racoon.
Waiting for PIDS: 1065.
[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo /usr/local/etc/rc.d/racoon start
Starting racoon.
[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo setkey -f /usr/local/etc/racoon/setkey.conf
[ pts/0 sjc2 util201:~ ]
[ dpd ] > ifconfig ipsec12
ipsec12: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1350
tunnel inet 10.245.0.201 --> 10.245.0.202
inet 172.30.1.13 --> 172.30.1.14 netmask 0xfffffffc
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
reqid: 12
groups: ipsec
[ pts/0 sjc2 util201:~ ]
[ dpd ] > ping 172.30.1.14
PING 172.30.1.14 (172.30.1.14): 56 data bytes
64 bytes from 172.30.1.14: icmp_seq=2 ttl=64 time=0.452 ms
64 bytes from 172.30.1.14: icmp_seq=3 ttl=64 time=0.368 ms
64 bytes from 172.30.1.14: icmp_seq=4 ttl=64 time=0.353 ms
^C
--- 172.30.1.14 ping statistics ---
5 packets transmitted, 3 packets received, 40.0% packet loss
round-trip min/avg/max/stddev = 0.353/0.391/0.452/0.044 ms
[ pts/0 sjc2 util201:~ ]
[ dpd ] > iperf3 -c 10.245.0.202 -i 8 -t 16
Connecting to host 10.245.0.202, port 5201
[ 5] local 10.245.0.201 port 55165 connected to 10.245.0.202 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-8.00 sec 887 MBytes 930 Mbits/sec 0 419 KBytes
[ 5] 8.00-16.00 sec 898 MBytes 941 Mbits/sec 0 419 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-16.00 sec 1.74 GBytes 936 Mbits/sec 0 sender
[ 5] 0.00-16.01 sec 1.74 GBytes 935 Mbits/sec receiver
iperf Done.
[ pts/0 sjc2 util201:~ ]
[ dpd ] > iperf3 -c 172.30.1.14 -i 8 -t 16
Connecting to host 172.30.1.14, port 5201
[ 5] local 172.30.1.13 port 41671 connected to 172.30.1.14 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-8.00 sec 166 MBytes 174 Mbits/sec 0 64.3 KBytes
[ 5] 8.00-16.00 sec 168 MBytes 176 Mbits/sec 0 64.3 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-16.00 sec 334 MBytes 175 Mbits/sec 0 sender
[ 5] 0.00-16.01 sec 334 MBytes 175 Mbits/sec receiver
iperf Done.
[ pts/0 sjc2 util201:~ ]
[ dpd ] > uname -a
FreeBSD util201.sjc2.ixsystems.com 11.2-STABLE FreeBSD 11.2-STABLE #3: Tue Jul 24 20:57:34 UTC 2018 root at proxima.sjc2.ixsystems.com:/usr/obj/usr/src/sys/IX amd64
[ pts/0 sjc2 util201:~ ]
[ dpd ] >