10g IPsec ?
John-Mark Gurney
jmg at funkthat.com
Wed Nov 6 01:49:03 UTC 2019
Olivier Cochard-Labbé wrote this message on Tue, Nov 05, 2019 at 23:45 +0100:
> On Tue, Nov 5, 2019 at 8:15 PM John-Mark Gurney <jmg at funkthat.com> wrote:
>
> > AES-GCM can run at over 1GB/sec on a single core, so as long as the
> > traffic can be processed by multiple threads (via multiple queues
> > for example), it should be doable.
> >
> >
> I didn't bench this setup (10Gb/s IPSec) but I believe we will have the
> same problem with IPSec as with all VPN setups (like PPPoE or GRE): the
> IPSec tunnel will generate one IP flow preventing load sharing between all
> the NIC's RSS queues.
> I'm not aware of improvement to remove this limitation.

Can't the async crypto sysctl be used to help offload the crypto to
other threads?

	if (V_async_crypto)
		crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;

But yes, I think the biggest limitation will be pushing all the data
through a single queue...

--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
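
The single-queue limitation discussed in this thread, as an added example that is not part of the original message or of FreeBSD's code: a Toeplitz RSS hash over 64 TCP flows, first in the clear and then inside one ESP tunnel. Assumptions: the NIC uses the widely published default RSS key from Microsoft's RSS documentation, hashes ESP packets on the outer address pair only, and picks the queue as hash modulo 8; all addresses and ports are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NQUEUES 8   /* assumed number of RSS queues */

/* Widely published default RSS key (assumed to be what the NIC uses). */
static const uint8_t rss_key[40] = {
    0x6d,0x5a,0x56,0xda,0x25,0x5b,0x0e,0xc2,0x41,0x67,0x25,0x3d,0x43,0xa3,
    0x8f,0xb0,0xd0,0xca,0x2b,0xcb,0xae,0x7b,0x30,0xb4,0x77,0xcb,0x2d,0xa3,
    0x80,0x30,0xf2,0x0c,0x6a,0x42,0xb7,0x3b,0xbe,0xac,0x01,0xfa };

/* Toeplitz hash: XOR the sliding 32-bit key window for every set input bit. */
static uint32_t toeplitz(const uint8_t *in, size_t len)
{
    uint32_t hash = 0, win = (uint32_t)rss_key[0] << 24 | rss_key[1] << 16 |
                             rss_key[2] << 8 | rss_key[3];
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) {
            if (in[i] & (1u << b))
                hash ^= win;
            win = (win << 1) | ((rss_key[i + 4] >> b) & 1u);
        }
    return hash;
}

/* Distinct queues hit by 64 TCP flows; addresses are constructed (RFC 5737). */
static int queues_used(int tunneled)
{
    const uint8_t clear[8] = { 192,0,2,10, 198,51,100,20 };  /* end hosts */
    const uint8_t outer[8] = { 192,0,2,1, 198,51,100,1 };    /* IPsec gateways */
    unsigned seen = 0, n = 0;
    for (unsigned sport = 49152; sport < 49152 + 64; sport++) {
        uint8_t in[12] = { 0 };
        memcpy(in, tunneled ? outer : clear, 8);
        in[8] = sport >> 8;  in[9] = sport & 0xff;   /* source port */
        in[10] = 443 >> 8;   in[11] = 443 & 0xff;    /* destination port */
        /* ESP hides the ports, so only the outer address pair is hashed. */
        seen |= 1u << (toeplitz(in, tunneled ? 8 : 12) % NQUEUES);
    }
    for (int q = 0; q < NQUEUES; q++)
        n += (seen >> q) & 1;
    return (int)n;
}

int main(void)
{
    printf("clear: %d queues, ESP tunnel: %d\n", queues_used(0), queues_used(1));
    return 0;
}
```

The cleartext flows spread across all eight queues, while the same flows inside one tunnel always land on a single queue.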