[strongSwan] Throughput on high BDP networks

Martin Willi martin at strongswan.org
Mon Jun 1 17:48:42 CEST 2015

> Even at these rates, the CPU did not appear to be very busy.  We had one at 85%
> occupied but that was the one running nuttcp.

On the outgoing path, the Linux kernel usually accounts ESP encryption
under the process that sends traffic using a socket send() call. So
these 85% probably include AES-GCM.

On the receiving or forwarding path, you'll have to look at the software
interrupt usage (si in top).

> We have seen these boxes pass almost 20 Gbps with single digit
> utilization so they have plenty of horsepower.

That does not have to mean much. Its all about encryption, and that is
rather expensive. If you have specialized hardware, this most likely
means it is good at shuffling data over the network, but might be
underpowered when it has to do encryption in software.

> We are also running haveged on them to prevent entropy starvation for the
> encryption.

Only the key exchange needs entropy, raw AES-GCM does not.


More information about the Users mailing list