[strongSwan] IPsec performance figures

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu May 4 13:35:49 CEST 2017


On 04.05.2017 08:45, Martin Willi wrote:
> Hi,
>> are there any reliable performance figures for IPsec throughput on
>> x86_64 Linux machines?
> Nothing I could reference here.

I know of this: http://www.intel.ua/content/dam/www/public/us/en/documents/white-papers/aes-ipsec-performance-linux-paper.pdf
>> Is 10 GBit/s feasable? If yes, how?
> On commodity hardware, maybe, but only if/when:
>  * using AES-GCM with AESNI/CLMUL, which can handle ~1Gbit/s/core
>  * your NIC can separate traffic to multiple queues (8+), and each
>    queue has assigned a core to process its traffic
>  * you have multiple SAs and flows, so the flows can actually be
>    separated to queues (and cores) in both directions.
> If you can't effectively distribute traffic over NIC queues, you should
> consider using pcrypt. Not sure if 10Gbit/s are possible, though.

Pcrypt is actually just a bandaid and only adds marginal performance, in my experience. It isn't worth the effort.

Making XFRM faster was discussed in Netdev 1.2. The relevant slides are visible in the corresponding video at the referenced time frame[1].
The speedup is an impressive increase from 3.8 Gbps to 5.7 Gbps in a setup with one flow and an impressive 115.6 Gbps with 16 bidirectional flows
with all the patches and RSS. I think 10 GBit/s is definitively possible. Obviously even a lot more. With the patches, HW offload will also be supported generically.

[1] https://www.youtube.com/watch?v=bCVc6o3JxK8 TIme: 7:00

Kind regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170504/02bd75c6/attachment.sig>

More information about the Users mailing list