lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 23 Apr 2019 10:27:26 -0700 (PDT)
From:   David Miller <>
Subject: Re: ipsec tunnel performance degrade

From: Florian Westphal <>
Date: Tue, 23 Apr 2019 18:25:21 +0200

> Vakul Garg <> wrote:
>> > Vakul Garg <> wrote:
>> > > > Do you use xfrm interfaces?
>> > >
>> > > I don't think so. I use setkey to create policies/SAs.
>> > > Can you please give me some hint about it?
>> > 
>> > Then you're not using ipsec interfaces.
>> > 
>> Instead of creating policies/SA using setkey, I shifted to using 'ip xfrm' commands.
>> With this, I get good performance improvement (20% better in one case).
>> Now xfrm_state_find() function is not taking much cpu.
> Thats very strange, I have no explanation for this.
> It would be good to find the cause, PF_KEY and 'ip xfrm'
> are just different control plane frontends, they should have no impact
> on data path performance.

I wonder if the masks and/or prefixes that end up being used are subtly
different for some reason.

Powered by blists - more mailing lists