netdev.vger.kernel.org archive mirror
From: Abhijit Karmarkar <awk@google.com>
To: schuldei@spotify.com
Cc: netdev@vger.kernel.org
Subject: Re: ipsec performance
Date: Tue, 29 Dec 2009 14:55:13 -0800
Message-ID: <88cc3e770912291455w240d543atadbcbdd22746c@mail.gmail.com>
In-Reply-To: <f5327b860912291309g701d6345k6517a4eb75830faf@mail.gmail.com>

On Tue, Dec 29, 2009 at 1:09 PM, Andreas Schuldei <schuldei@spotify.com> wrote:
> hi!
>
> i experience performance issues with ipsec transport mode with debian
> lenny and strongswan, on a stock debian kernel 2.6.26-2-amd64.
>
> the goal is to set up a full mesh of several hundred hosts, talking
> ipsec with each other, in order to be able to skip firewalls and to be
> able to let the hosts be spread out over several sites in a
> transparent fashion.
>
> regardless of the cipher (i tried aes and blowfish) the bandwidth
> maxes out at about 0.5-0.25 of the expected (unencrypted) value,
> without hitting obvious bottlenecks like cpu, disk, or ram.

you may want to try Steffen Klassert's parallel crypto patches (nice work!):

  http://marc.info/?l=linux-kernel&m=126155699817914&w=2

the numbers are impressive. i plan to try them sometime this (or next) week.

yes, on the current kernels, the ipsec throughput numbers are around
50% of the non-ipsec case. for me.


>
> tcpdump shows packages below the MTU (which is 1500):
>
> 20:25:03.313469 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a87), length 1332
> 20:25:03.313514 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a88), length 1476
> 20:25:03.313529 IP 78.31.14.93 > 78.31.14.86:
> ESP(spi=0xc4967810,seq=0x7bcd1), length 68
> 20:25:03.313557 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a89), length 1476
> 20:25:03.313603 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a8a), length 1332
> 20:25:03.313605 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a8a), length 1332
> 20:25:03.313606 IP 78.31.14.93 > 78.31.14.86:
> ESP(spi=0xc4967810,seq=0x7bcd2), length 68
> 20:25:03.313649 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a8b), length 1476
>
> how can i inspect window size, fragmentation etc? are there useful
> files in /proc or /sys or enlightening ip commands?
>
> /andreas
>
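
Added example, not part of either message: a small parser for the tcpdump ESP lines quoted above that groups packets by (source, destination, SPI) and reports the length histogram plus repeated or missing sequence numbers. The function names are illustrative assumptions; the sample input is the capture from the quoted message.

```python
import re
from collections import Counter, defaultdict
# The eight packets quoted in the message above, still mail-wrapped and '>'-quoted.
CAPTURE = """\
> 20:25:03.313469 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a87), length 1332
> 20:25:03.313514 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a88), length 1476
> 20:25:03.313529 IP 78.31.14.93 > 78.31.14.86:
> ESP(spi=0xc4967810,seq=0x7bcd1), length 68
> 20:25:03.313557 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a89), length 1476
> 20:25:03.313603 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a8a), length 1332
> 20:25:03.313605 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a8a), length 1332
> 20:25:03.313606 IP 78.31.14.93 > 78.31.14.86:
> ESP(spi=0xc4967810,seq=0x7bcd2), length 68
> 20:25:03.313649 IP 78.31.14.86 > 78.31.14.93:
> ESP(spi=0xc929dbe8,seq=0x100a8b), length 1476
"""

ESP_RE = re.compile(r"(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+?):\s+"
                    r"ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\), length (\d+)")

def parse_esp(text):
    """Return (time, src, dst, spi, seq, length) tuples, one per ESP packet."""
    unquoted = re.sub(r"(?m)^(?:>[ \t]?)+", "", text)  # strip mail quoting
    return [(t, s, d, spi, int(seq, 16), int(n))
            for t, s, d, spi, seq, n in ESP_RE.findall(unquoted)]

def summarize(packets):
    """Group by (src, dst, spi); report size histogram and sequence anomalies."""
    flows = defaultdict(list)
    for _, src, dst, spi, seq, length in packets:
        flows[(src, dst, spi)].append((seq, length))
    report = {}
    for flow, items in flows.items():
        seqs = Counter(seq for seq, _ in items)
        report[flow] = {
            "packets": len(items),
            "lengths": dict(Counter(n for _, n in items)),
            "repeated_seq": [hex(s) for s, c in seqs.items() if c > 1],
            "missing_seq": [hex(s) for s in range(min(seqs), max(seqs) + 1) if s not in seqs],
        }
    return report

if __name__ == "__main__":
    print(summarize(parse_esp(CAPTURE)))
```

On the quoted capture this reports seq 0x100a8a twice on SPI 0xc929dbe8 and no gaps in either direction.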
