Thread (3 messages, 2 authors), 2009-12-29

Re: ipsec performance

From: Andreas Schuldei <hidden>
Date: 2009-12-29 23:31:10

On Tue, Dec 29, 2009 at 11:55 PM, Abhijit Karmarkar [off-list ref] wrote:
> On Tue, Dec 29, 2009 at 1:09 PM, Andreas Schuldei [off-list ref] wrote:
>> Hi!
>>
>> I experience performance issues with IPsec transport mode with Debian
>> lenny and strongSwan, on a stock Debian kernel 2.6.26-2-amd64.
>>
>> The goal is to set up a full mesh of several hundred hosts, talking
>> IPsec with each other, in order to be able to skip firewalls and to be
>> able to let the hosts be spread out over several sites in a
>> transparent fashion.
>>
>> Regardless of the cipher (I tried AES and Blowfish) the bandwidth
>> maxes out at about 0.5-0.25 of the expected (unencrypted) value,
>> without hitting obvious bottlenecks like CPU, disk, or RAM.
>
> You may want to try Steffen Klassert's parallel crypto patches (nice work!):
>
>  http://marc.info/?l=linux-kernel&m=126155699817914&w=2
>
> The numbers are impressive. I plan to try them sometime this (or next) week.

Yes, on the current kernels, the IPsec throughput numbers are around
50% of the non-IPsec case. For me.
I have an 8-core 2.5GHz Xeon machine and my throughput of
39Mbyte/s correlates nicely with Steffen's 325Mbit/s when I use AES.
When I switch to Blowfish the throughput decreases to 27.5Mbyte/s. The
time the CPU spends in kernel code decreases, too, to ~5% (give or
take a coconut). The machine seems idle, almost. Where is the
bottleneck? What needs parallelization? (I read Steffen's mail but I
didn't understand his explanation. Could you explain it in layman's
terms?) What I find funny is that the Apache process serving the data
uses between 20-95% CPU. How come?

I don't intend to have VPN gateways. I want every machine to encrypt
its own network traffic. Doubling the performance (as Steffen's patch
seems to do) would help (in the AES case, not for Blowfish). I would
want to actually deploy the stuff soon, though, and I will have a hard
time selling a patch and a home-built kernel to my colleagues.
How can I inspect window size, fragmentation etc.? Are there useful
files in /proc or /sys or enlightening ip commands?
Is there a way to do this?
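As an added example (not code from the thread, from strongSwan or from the kernel patches mentioned), here is a read-only inspection script for the question above: it reads the IP fragmentation and reassembly counters from /proc/net/snmp, lists which implementation of a cipher the kernel will pick from /proc/crypto (the registered implementation with the highest priority wins when a cipher is requested by name), prints the non-zero xfrm error counters from /proc/net/xfrm_stat, and, in live mode, shows interface MTUs, the TCP window autotuning limits and per-SA byte/packet counters with `ip`. It assumes a Linux host with iproute2. The parsers take a file argument, and the default run uses constructed sample text, not anything captured from the poster's machines.

```shell
#!/bin/sh
# Added example, not from the thread: read-only "where is the time going?"
# checks for a host doing IPsec transport mode on Linux.  Uses only stock
# files and tools: /proc/net/snmp, /proc/crypto, /proc/net/xfrm_stat (exists
# once the xfrm code is loaded) and iproute2's `ip`.  Parsing functions take
# a file argument so they also work on a saved copy of the /proc file.

# 1. IP fragmentation/reassembly counters.  /proc/net/snmp carries an "Ip:"
#    header line followed by an "Ip:" value line; print the counters that
#    matter once ESP has added its overhead (a packet that fit the wire MTU
#    before encapsulation may need fragmenting after it).
ip_frag_counters() {
    awk '
        /^Ip:/ && !hdr { for (i = 2; i <= NF; i++) name[i] = $i; hdr = 1; next }
        /^Ip:/ && hdr  { for (i = 2; i <= NF; i++)
                             if (name[i] ~ /^(ReasmReqds|ReasmFails|FragOKs|FragFails|FragCreates)$/)
                                 printf "%s=%s\n", name[i], $i
                         exit }
    ' "$1"
}

# 2. Which implementation of a cipher the kernel will actually use.
#    /proc/crypto has one blank-line-separated record per registered
#    algorithm; when a cipher is requested by name ("aes", "blowfish") the
#    kernel takes the implementation with the highest priority, so the first
#    line printed here (sorted by priority, descending) is the one in use.
crypto_impls() {   # crypto_impls NAME FILE
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n" }
        {
            n = ""; d = ""; p = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, /[ \t]*:[ \t]*/)
                if (kv[1] == "name") n = kv[2]
                else if (kv[1] == "driver") d = kv[2]
                else if (kv[1] == "priority") p = kv[2]
            }
            if (n == want) print d, p
        }
    ' "$2" | sort -k2,2nr
}

# 3. Non-zero xfrm error counters; each line of xfrm_stat is "<name> <value>".
xfrm_errors() {
    awk '$2 != 0 { printf "%s=%s\n", $1, $2 }' "$1"
}

# Live report for a real host: sh ipsec-inspect.sh --live
live_report() {
    echo "== IP fragmentation (/proc/net/snmp)"; ip_frag_counters /proc/net/snmp
    echo "== cipher implementations (/proc/crypto)"
    for c in aes blowfish; do echo "-- $c"; crypto_impls "$c" /proc/crypto; done
    [ -r /proc/net/xfrm_stat ] && { echo "== xfrm errors"; xfrm_errors /proc/net/xfrm_stat; }
    echo "== interface MTUs"; ip -o link show | awk '{ print $2, $5 }'
    echo "== TCP window limits (min default max)"
    cat /proc/sys/net/ipv4/tcp_rmem /proc/sys/net/ipv4/tcp_wmem
    echo "== per-SA traffic counters"; ip -s xfrm state 2>/dev/null | grep -E '^src|bytes\)'
}

# Constructed sample data (not captured from any real host) so the parsers
# can be exercised offline; this is what runs without --live.
demo() {
    d=$(mktemp -d)
    printf 'Ip: Forwarding DefaultTTL InReceives ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates\nIp: 1 64 5000 3 2 1 40 2 80\n' > "$d/snmp"
    printf 'name         : aes\ndriver       : aes-asm\npriority     : 200\n\nname         : aes\ndriver       : aes-generic\npriority     : 100\n\nname         : blowfish\ndriver       : blowfish-generic\npriority     : 0\n\n' > "$d/crypto"
    printf 'XfrmInError\t0\nXfrmInNoStates\t7\n' > "$d/xfrm_stat"
    ip_frag_counters "$d/snmp"
    crypto_impls aes "$d/crypto"
    crypto_impls blowfish "$d/crypto"
    xfrm_errors "$d/xfrm_stat"
    rm -rf "$d"
}

case "${1:-}" in --live) live_report ;; *) demo ;; esac
```

Run it with `--live` on both ends of a slow SA before and after a throughput test and diff the output: FragCreates or ReasmReqds climbing with the transfer means packets are being fragmented after encapsulation and the MTU on the IPsec path is worth lowering; a non-zero XfrmInNoStates or XfrmInStateProtoError points at SA setup rather than crypto speed; and the crypto_impls line shows whether the cipher is served by an assembler driver or the generic C one. Per-connection window and RTT can be read with `ss -ti`.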