[strongSwan] Enabling AES-NI in strongswan

Jeff Leung jleung at v10networks.ca
Mon Jun 20 09:14:27 CEST 2016 

> Thanks for the info, couple of questions ,
> 
> 1.   However there was a bug in pre 4.1 kernels where AES-NI does not work
> right for GCM operations.

See https://wiki.strongswan.org/issues/341

and http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e31ac32d3bc

for your reference.


> kapil : can you point me to
> 
> 
> On Mon, Jun 20, 2016 at 12:31 PM, Jeff Leung <jleung at v10networks.ca>
> wrote:
> 
> 
> 	> Hi,
> 	>
> 	> i am looking for ways to improve the throughput while using the
> 	> strongswan IPSEC.
> 	>
> 	> I read that AES-GCM provides excellent throughput over default
> 	> AES-CBC-
> 	> 128 when used with AES-NI support in intel processors.
> 	>
> 	>
> 	> i want to enable AES-GCM128 cipher in my xeon E5 processor, and
> from
> 	> looking at the Intel white paper, it mentioned about using "Linux
> 	> AES-NI- GCM Crypto Plug-in" to enable this support.
> 	> It described about a patch to existing AES-NI driver file, called
> 	> aesni- intel_glue.c and aesni-intel_asm.s.
> 	As strongSwan uses XFRM stack by default on Linux and XFRM being
> a kernel level implementation, it has the capability of using AES-NI at the
> driver level. However there was a bug in pre 4.1 kernels where AES-NI does
> not work right for GCM operations.
> 
> 	>
> 	>
> 	> Paper: http://www.intel.com/content/www/us/en/intelligent-
> 	> systems/wireless-infrastructure/aes-ipsec-performance-linux-
> paper.html
> 	>
> 	>
> 	> 1. There is strongswan plugin for intel AES-NI, Can somebody
> 	> confirm/tell me a way to find if this is the same plugin as the one
> 	> mentioned in intel Doc ? To me it looks like that, but i wanted to
> 	> check with someone who might be already using this.
> 	iirc that is meant for userspace mode of operation only. XFRM stack
> still uses the kernel cryptographic drivers for encrypting and decrypting ESP
> payloads.
> 
> 	> 2.  Is there some other way to get higher throughput ?
> 	> pcrypt module is available, will it work with AES-GCM ?
> 	>
> 	>
> 	> libstrongswan plugin :
> 	>
> 	> aesni - Intel AES-NI crypto plugin (since 5.3.1
> 	> <https://wiki.strongswan.org/versions/56> )
> 	>
> 	>
> 	>
> 	>
> 	> The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and
> GCM crypto
> 	> primitives for AES-128/192/256.
> 	>
> 	> The plugin requires AES-NI and PCLMULQDQ instructions and works
> on
> 	> both
> 	> x86 and x64 architectures. It provides superior crypto performance
> in
> 	> userland without any external libraries.
> 	>
> 	>
> 	> Thanks
> 	> kapil.
> 	>
> 	>
> 	>
> 	>
> 
> 	_______________________________________________
> 	Users mailing list
> 	Users at lists.strongswan.org
> 	https://lists.strongswan.org/mailman/listinfo/users
>

More information about the Users mailing list