[strongSwan] IPSEC hardware acceleration
SunilVasanta
v.sunil at sawridgesystems.com
Thu Jan 9 10:03:22 CET 2014
Hi Martin,
Thanks for your input...
-Sunil
On 09-01-2014 14:19, Martin Willi wrote:
> Hi,
>
>> I want to enhance IPsec stack performance, I'm evaluating few NIC/PCI
>> IPsec hardware acceleration cards.
>>
>> Please suggest plugin card compatible with strong swan.
> strongSwan usually does not process raw ESP packets, that's handled in
> the kernel. So to increase IPsec throughput, you'll need an accelerator
> for the kernel.
>
> Linux with its native IPsec stack uses the Linux Crypto API. So you
> should check that your accelerator provides a driver for this API. A
> growing set of drivers comes with vanilla Linux.
>
> Accelerating userland is different. Usually it is not that important, as
> there are not that much IKE packets to encrypt. You can use the af-alg
> plugin, though, allowing you to delegate encryption to the Linux crypto
> API. Specific hardware drivers are possible as well, the padlock plugin
> is an example.
>
> Delegating DH or RSA to crypto hardware might help to increase tunnel
> setup performance. If you use our openssl plugin, you might take
> advantage of an engine to accelerate crypto in userspace. The pkcs11
> plugin can be used as well to delegate some operations if your driver
> has a PKCS#11 interface.
>
> Regards
> Martin
>
>
>
--
Sunil Vasanta
Sawridgesystems
More information about the Users
mailing list