IPsec: is it possible to encrypt transit traffic in transport mode?

Andrey V. Elsukov bu7cher at yandex.ru
Fri Nov 30 17:13:36 UTC 2018


On 30.11.2018 18:43, Lev Serebryakov wrote:
> Hello Olivier,
> 
> Friday, November 30, 2018, 3:34:50 PM, you wrote:
> 
>>>   I'm benchmarking different possible "native" VPN configurations and I have
>>>   gif(4) and gre(4) with and without IPsec in my battery. I have tunnel mode
>>>   IPsec too. The problem with gif(4) and gre(4) is that they are tremendously
>>>   expensive, and could be more expensive than IPsec itself on CPUs with AES-NI.
>>>   So, this configuration is impossible, I understand. Nothing to benchmark :-)
>> And what about using IPsec VTI (virtual tunneling interface) mode: if_ipsec(4)
>   And this one too. It gives slightly more PPS than "setkey-based" tunnel
>  mode, which is a surprise for me.

If your goal is increasing PPS throughput, there are several ways to
achieve it. For example, it is possible to make direct output from the IPsec
code, I mean make a route lookup and call if_output() directly from
ipsec_process_done(). This removes many checks that ip_output() does and
also an extra call to pfil(9).
Another idea is implementing some ipfw_ipsec(4) module that can take
packets and do IPsec processing. Then this module can be attached to the
Ethernet pfil hook, and together with the first idea, I think this can give a
measurable improvement of the PPS rate.

-- 
WBR, Andrey V. Elsukov
