[strongSwan] AES-CCM encryption performance !?
Martin Willi
martin at strongswan.org
Mon Jun 17 13:46:07 CEST 2013
Hi Jakob,
> I get a bandwidth around 300 MBit/sec which is largely independent from
> the MTU. While this is impressive, I have reports of over 600 MBit/sec
In my tests between two virtual machines on a single i7-3770 I've got
about the same, 300-400 MBit/sec.
AES-GCM seems to be much faster, I could achieve rates around 900
MBit/sec. If GCM is an option, I'd definitely give that a try.
> Also I observed that the encryption tasks only use some of the CPUs; I
> have a bonded interface with two NICs in rr-fashion and I assume two
> CPUs do the encryption for these NICs, driven by interrupts?
Yes, by default IPsec is bound to a single core, the one that handles
interrupts for your NIC. You may have a look at the pcrypt extension [1]
that allows you to use more cores. I've never tried that myself, though.
Regards
Martin
[1]http://www.strongswan.org/docs/Steffen_Klassert_Parallelizing_IPsec.pdf
More information about the Users
mailing list