10g IPsec ?

Eugene Grosbein eugen at grosbein.net
Wed Nov 6 02:12:56 UTC 2019


06.11.2019 5:45, Olivier Cochard-Labbé wrote:

> On Tue, Nov 5, 2019 at 8:15 PM John-Mark Gurney <jmg at funkthat.com> wrote:
> 
>> AES-GCM can run at over 1GB/sec on a single core, so as long as the
>> traffic can be processed by multiple threads (via multiple queues
>> for example), it should be doable.
>>
>>
> I didn't bench this setup (10Gb/s IPSec) but I believe we will have the
> same problem with IPSec as with all VPN setups (like PPPoE or GRE): the
> IPSec tunnel will generate one IP flow preventing load sharing between all
> the NIC's RSS queues.
> I'm not aware of improvement to remove this limitation.

Some speedup may be achieved switching from direct NETISR mode to deferred mode,
so interrupt processing merely places traffic to the ISR queue.

Several (net.isr.numthreads) other kernel threads will process incoming traffic later
including bpf, IPSEC, filtering, routing lookups, NETGRAPH etc.
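The single-flow limitation quoted above, as an added illustration that is not part of the original thread: a Toeplitz RSS hash over 64 cleartext TCP flows compared with the same flows after ESP tunnel encapsulation. The key value, the addresses, the 8-queue count and the `hash & (NQUEUES - 1)` queue mapping are assumptions made for the example, as is a NIC that hashes ESP on the outer source and destination addresses only.

```python
import ipaddress
import struct

# Sample 40-byte RSS key (assumption: a driver may program a different key).
KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa"
)
NQUEUES = 8  # assumed number of RSS queues (power of two)


def toeplitz(key: bytes, data: bytes) -> int:
    """32-bit Toeplitz hash: XOR the 32-bit key window at every set input bit."""
    k = int.from_bytes(key, "big")
    klen = len(key) * 8
    h = 0
    for i, byte in enumerate(data):
        for b in range(8):
            if byte & (0x80 >> b):
                h ^= (k >> (klen - 32 - (i * 8 + b))) & 0xFFFFFFFF
    return h


def rss_queue(src: str, dst: str, sport=None, dport=None) -> int:
    """Queue for a packet; ports are hashed only when the NIC can parse them."""
    data = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    if sport is not None:
        data += struct.pack("!HH", sport, dport)
    # Simplification: real NICs index an indirection table with the low bits.
    return toeplitz(KEY, data) & (NQUEUES - 1)


# Constructed sample traffic: 64 TCP flows from one client to one server.
FLOWS = [("10.0.0.5", "10.1.0.1", 40000 + i, 443) for i in range(64)]
GW_A, GW_B = "192.0.2.1", "198.51.100.1"  # constructed tunnel endpoints


def cleartext_queues():
    return [rss_queue(*flow) for flow in FLOWS]


def tunnel_queues():
    # After ESP encapsulation the NIC sees only the outer gateway addresses.
    return [rss_queue(GW_A, GW_B) for _ in FLOWS]


if __name__ == "__main__":
    print("cleartext queues used:", sorted(set(cleartext_queues())))
    print("ESP tunnel queues used:", sorted(set(tunnel_queues())))
```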