[strongSwan] AES-CCM encryption performance !?

Jakob Curdes jc at info-systems.de
Mon Jun 17 14:15:06 CEST 2013

Am 17.06.2013 13:46, schrieb Martin Willi:
> Hi Jakob,
>> I get a bandwidth around 300 MBit/sec which is largely independent from
>> the MTU. While this is impressive, I have reports of over 600 MBit/sec
> In my tests between two virtual machines on a single i7-3770 I've got
> about the same, 300-400 MBit/sec.
> AES-GCM seems to be much faster, I could achieve rates around 900
> MBit/sec. If GCM is an option, I'd definitely give that a try.
I get around 660 MBit/s with aes128gcm8-modp1024; did you tune anything 
I have two real Xeon E3-1265L.
>> Also I observed that the encryption tasks only use some of the CPUs; I
>> have a bonded interface with two NICs in rr-fashion and I assume two
>> CPUs do the encryption for these NICs, driven by interrupts?
> Yes, by default IPsec is bound to a single core, the one that handles
> interrupts for your NIC. You may have a look at the pcrypt extension [1]
> that allows you to use more cores. I've never tried that myself, though.
Yes, I had already seen that paper; however I am not sure whether I want 
to have self-compiled kernels on these boxes....
But I could try it to see where the bottleneck is.

Thx Jakob

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130617/215a4ad4/attachment.html>

More information about the Users mailing list