10g IPsec ?
Damien DEVILLE
damien.deville at stormshield.eu
Thu Nov 7 16:23:47 UTC 2019
Hi Andrey,
For the moment we are not using hardware crypto offloading devices except AESNI instruction set mainly because our product are certified by common criteria and thus have restriction on how crypto can be made. We have some plan to look at intel quick-assist, chelsio or melanox devices in the future.
Damien
--
Damien Deville
IPS Technical Leader
http://www.stormshield.eu
Stormshield
2/6 Avenue de l'Horizon, Bat. 6 - FR 59650 Villeneuve d'Ascq
----- Le 7 Nov 19, à 17:12, ae ae at FreeBSD.org a écrit :
| On 07.11.2019 12:52, Damien DEVILLE wrote:
|> At Stormshield we have various patches related to that topic that we
|> can share.
|
| Hi,
|
| that would be nice.
|
|> The goal was to optimize this code in the context of a single IPsec
|> tunnel and a single network flow in that tunnel. On one of our high
|> end hardware (Intel(R) Xeon(R) E-2176G with 6 cores / ixl network
|> cards), the previous code was running around 2.4Gbps using AES-GCM
|
| Have you thought about implementing hardware IPsec offloading on NICs?
| I saw Intel's and Mellanox's documentation about such support, I think
| Chelsio also does support it. It probably can give good performance boost.
|
|
| --
| WBR, Andrey V. Elsukov
More information about the freebsd-net
mailing list