Date:	Tue, 29 Dec 2009 14:55:13 -0800
From:	Abhijit Karmarkar <awk@...gle.com>
To:	schuldei@...tify.com
Cc:	netdev@...r.kernel.org
Subject: Re: ipsec performance

On Tue, Dec 29, 2009 at 1:09 PM, Andreas Schuldei <schuldei@...tify.com> wrote:
> hi!
>
> i experience performance issues with ipsec transport mode with debian
> lenny and strongswan, on a stock debian kernel 2.6.26-2-amd64.
>
> the goal is to set up a full mesh of several hundred hosts, talking
> ipsec with each other, in order to be able to skip firewalls and to be
> able to let the hosts be spread out over several sites in a
> transparent fashion.
>
> regardless of the cipher (i tried aes and blowfish) the bandwidth
> maxes out at about 0.5-0.25 of the expected (unencrypted) value,
> without hitting obvious bottlenecks like cpu, disk, or ram.

you may want to try Steffen Klassert's parallel crypto patches (nice work!):

  http://marc.info/?l=linux-kernel&m=126155699817914&w=2

the numbers are impressive. i plan to try them sometime this (or next) week.

yes, on the current kernels, the ipsec throughput numbers are around
50% of the non-ipsec case. for me.


>
> tcpdump shows packages below the MTU (which is 1500):
>
> 20:25:03.313469 IP 78.31.14.86 > 78.31.14.93: ESP(spi=0xc929dbe8,seq=0x100a87), length 1332
> 20:25:03.313514 IP 78.31.14.86 > 78.31.14.93: ESP(spi=0xc929dbe8,seq=0x100a88), length 1476
> 20:25:03.313529 IP 78.31.14.93 > 78.31.14.86: ESP(spi=0xc4967810,seq=0x7bcd1), length 68
> 20:25:03.313557 IP 78.31.14.86 > 78.31.14.93: ESP(spi=0xc929dbe8,seq=0x100a89), length 1476
> 20:25:03.313603 IP 78.31.14.86 > 78.31.14.93: ESP(spi=0xc929dbe8,seq=0x100a8a), length 1332
> 20:25:03.313605 IP 78.31.14.86 > 78.31.14.93: ESP(spi=0xc929dbe8,seq=0x100a8a), length 1332
> 20:25:03.313606 IP 78.31.14.93 > 78.31.14.86: ESP(spi=0xc4967810,seq=0x7bcd2), length 68
> 20:25:03.313649 IP 78.31.14.86 > 78.31.14.93: ESP(spi=0xc929dbe8,seq=0x100a8b), length 1476
>
> how can i inspect window size, fragmentation etc? are there useful
> files in /proc or /sys or enlightening ip commands?
>
> /andreas
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>