[strongSwan] Enabling AES-NI in strongswan

Kapil Adhikesavalu kapil20084 at gmail.com
Mon Jun 20 09:12:20 CEST 2016


Hi Jeff,

Thanks for the info, a couple of questions:

1.   However there was a bug in pre 4.1 kernels where AES-NI does not work
right for GCM operations.
kapil : can you point me to


On Mon, Jun 20, 2016 at 12:31 PM, Jeff Leung <jleung at v10networks.ca> wrote:

> > Hi,
> >
> > I am looking for ways to improve the throughput while using the
> > strongSwan IPsec.
> >
> > I read that AES-GCM provides excellent throughput over default
> > AES-CBC-128 when used with AES-NI support in Intel processors.
> >
> >
> > I want to enable the AES-GCM128 cipher on my Xeon E5 processor, and from
> > looking at the Intel white paper, it mentions using the "Linux
> > AES-NI-GCM Crypto Plug-in" to enable this support.
> > It describes a patch to the existing AES-NI driver files, called
> > aesni-intel_glue.c and aesni-intel_asm.s.
> As strongSwan uses XFRM stack by default on Linux and XFRM being a kernel
> level implementation, it has the capability of using AES-NI at the driver
> level. However there was a bug in pre 4.1 kernels where AES-NI does not
> work right for GCM operations.
>
> >
> >
> > Paper: http://www.intel.com/content/www/us/en/intelligent-systems/wireless-infrastructure/aes-ipsec-performance-linux-paper.html
> >
> >
> > 1. There is a strongSwan plugin for Intel AES-NI. Can somebody
> > confirm/tell me a way to find out if this is the same plugin as the one
> > mentioned in the Intel doc? To me it looks like that, but I wanted to
> > check with someone who might already be using this.
> iirc that is meant for userspace mode of operation only. XFRM stack still
> uses the kernel cryptographic drivers for encrypting and decrypting ESP
> payloads.
>
> > 2. Is there some other way to get higher throughput?
> > The pcrypt module is available, will it work with AES-GCM?
> >
> >
> > libstrongswan plugin :
> >
> > aesni - Intel AES-NI crypto plugin (since 5.3.1
> > <https://wiki.strongswan.org/versions/56> )
> >
> >
> >
> >
> > The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto
> > primitives for AES-128/192/256.
> >
> > The plugin requires AES-NI and PCLMULQDQ instructions and works on
> > both x86 and x64 architectures. It provides superior crypto performance
> > in userland without any external libraries.
> >
> >
> > Thanks
> > kapil.


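The two checks this thread turns on, as an added example that is not part of the original messages: whether the CPU advertises the `aes` and `pclmulqdq` flags, and whether the kernel crypto API (which XFRM uses for ESP) has an AES-NI backed `gcm(aes)` driver registered. The function names are hypothetical, the sample `/proc/cpuinfo` and `/proc/crypto` content is constructed, and matching on "aesni" in the driver name is an assumption about how such drivers are named.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are parameters so the
# functions can also be run on copies saved from another host.

# Succeeds if the first "flags" line lists both aes and pclmulqdq.
cpu_has_aesni() {
    awk -F: '/^flags/ {
        n = split($2, f, " ")
        for (i = 1; i <= n; i++) { if (f[i] == "aes") a = 1; if (f[i] == "pclmulqdq") p = 1 }
        exit
    } END { exit !(a && p) }' "${1:-/proc/cpuinfo}"
}

# Prints the driver of each registered gcm(aes) algorithm, including
# rfc4106(gcm(aes)) as used for ESP, whose driver name contains "aesni".
# Assumption: AES-NI backed drivers carry "aesni" in their driver name.
aesni_gcm_drivers() {
    awk -F'[ \t]*:[ \t]*' '
        $1 == "name" { name = $2 }
        $1 == "driver" && index(name, "gcm(aes)") && index($2, "aesni") { print $2 }
    ' "${1:-/proc/crypto}"
}

# Constructed sample input so the example runs offline.
tmp=$(mktemp -d)
printf 'flags\t\t: fpu sse2 pclmulqdq ssse3 aes avx\n' > "$tmp/cpuinfo"
cat > "$tmp/crypto" <<'EOF'
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
priority     : 400

name         : gcm(aes)
driver       : gcm_base(ctr(aes-generic),ghash-generic)
module       : gcm
priority     : 100

name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
priority     : 400
EOF

cpu_has_aesni "$tmp/cpuinfo" && echo "CPU flags: aes and pclmulqdq present"
echo "AES-NI GCM drivers: $(aesni_gcm_drivers "$tmp/crypto")"
# On a live host, call both functions without arguments.
```

An empty driver list on a live host means no AES-NI backed GCM driver is currently registered with the kernel; it says nothing about the userland aesni plugin, which does not go through `/proc/crypto`.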