Message-ID: <CAM-1W_v_P49VKnsxUdLkXEDyVw-YHKq6YCJ-R4WSexwHuU8Ejw@mail.gmail.com>
Date: Mon, 10 Feb 2025 18:08:32 +0100
From: Furkan Sahin <furkan@...cloud.com>
To: netdev@...r.kernel.org
Cc: Daniel Farina <daniel@...cloud.com>, Junhao Li <junhao@...cloud.com>, 
	Ozgun Erdogan <ozgun@...cloud.com>
Subject: [Performance] ip-xfrm 20x encapsulation penalty

Hello all,
Respectfully, I have a question regarding the performance impact of encryption
+ encapsulation with ip xfrm. I have a very basic setup with two namespaces in
the same server. Then, we are running a very basic iperf command with and
without tunnels. The performance jump is extremely high going from encrypted to
not. Here are the numbers:

Without encryption and encapsulation:
```
[root@...m4859621y4j6xxsfgxc3wkh ~]# ip netns exec interface2 bash
[root@...m4859621y4j6xxsfgxc3wkh ~]# iperf -s -V
[root@...m4859621y4j6xxsfgxc3wkh ~]# ip netns exec interface1 bash
[root@...m4859621y4j6xxsfgxc3wkh ~]# iperf -c 2a01:4f8:10a:128b:456::1 -b 100G -P 1
------------------------------------------------------------
Client connecting to 2a01:4f8:10a:128b:456::1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  1] local 2a01:4f8:10a:128b:: port 50882 connected with 2a01:4f8:10a:128b:456::1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  1] 0.0000-10.0116 sec  52.0 GBytes  44.6 Gbits/sec
```
With encryption and encapsulation:
```
[root@...m4859621y4j6xxsfgxc3wkh ~]# ip netns exec interface2 bash
[root@...m4859621y4j6xxsfgxc3wkh ~]# iperf -s -V
[root@...m4859621y4j6xxsfgxc3wkh ~]# ip netns exec interface1 bash
[root@...m4859621y4j6xxsfgxc3wkh ~]# iperf -c fd53:3f0e:d350:6740:456::2 -b 100G -P 1
------------------------------------------------------------
Client connecting to fd53:3f0e:d350:6740:456::2, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  1] local fd53:3f0e:d350:6740:: port 33162 connected with fd53:3f0e:d350:6740:456::2 port 5001
[ ID] Interval       Transfer     Bandwidth
[  1] 0.0000-10.0098 sec  1.46 GBytes  1.26 Gbits/sec
```
My question is, what am I missing? Why do we see such poor performance with
encryption + encapsulation? I didn't want to provide more terminal output, but
even with null encryption we are seeing around 2.2 Gbit/sec. That is quite a
big jump from 44.6 Gbit/sec for encapsulation. Is this expected?

Here is the very basic script I use to set up the interfaces and tunnels:
```
# two namespaces, each attached to the host through a veth pair
# (the "o" end stays in the host, the "i" end moves into the namespace)
ip netns add interface1
ip netns add interface2
ip link add vethointerface1 addr 7a:b5:34:4e:44:be type veth peer name \
    vethiinterface1 addr ce:8f:66:87:d5:6f netns interface1
ip link add vethointerface2 addr 1e:e7:ef:aa:21:c0 type veth peer name \
    vethiinterface2 addr ba:9b:f0:50:68:cd netns interface2

# outer (2a01:...) addressing and routing for namespace 1
ip link set dev vethointerface1 up
ip route replace 2a01:4f8:10a:128b:123::/80 via \
    fe80::cc8f:66ff:fe87:d56f dev vethointerface1
ip -n interface1 addr replace 2a01:4f8:10a:128b:123::1/80 dev vethiinterface1
ip -n interface1 link set dev vethiinterface1 up
ip -n interface1 route replace 2000::/3 via fe80::78b5:34ff:fe4e:44be \
    dev vethiinterface1

# outer (2a01:...) addressing and routing for namespace 2
ip link set dev vethointerface2 up
ip route replace 2a01:4f8:10a:128b:456::/79 via \
    fe80::b89b:f0ff:fe50:68cd dev vethointerface2
ip -n interface2 addr replace 2a01:4f8:10a:128b:456::1/80 dev vethiinterface2
ip -n interface2 link set dev vethiinterface2 up
ip -n interface2 route replace 2000::/3 via fe80::1ce7:efff:feaa:21c0 \
    dev vethiinterface2

# xfrm policies: inner fd53:... traffic is carried in ESP tunnel mode
# between the outer addresses, one out/in pair per direction
ip -n interface1 xfrm policy add src fd53:3f0e:d350:6740:123::/79 dst \
    fd53:3f0e:d350:6740:456::/79 dir out tmpl src 2a01:4f8:10a:128b:123::1 \
    dst 2a01:4f8:10a:128b:456::1 proto esp reqid 85910 mode tunnel
ip -n interface2 xfrm policy add src fd53:3f0e:d350:6740:123::/79 dst \
    fd53:3f0e:d350:6740:456::/79 dir in tmpl src 2a01:4f8:10a:128b:123::1 \
    dst 2a01:4f8:10a:128b:456::1 proto esp reqid 85910 mode tunnel
ip -n interface1 xfrm policy add src fd53:3f0e:d350:6740:456::/79 dst \
    fd53:3f0e:d350:6740:123::/79 dir in tmpl src 2a01:4f8:10a:128b:456::1 \
    dst 2a01:4f8:10a:128b:123::1 proto esp reqid 49480 mode tunnel
ip -n interface2 xfrm policy add src fd53:3f0e:d350:6740:456::/79 dst \
    fd53:3f0e:d350:6740:123::/79 dir out tmpl src 2a01:4f8:10a:128b:456::1 \
    dst 2a01:4f8:10a:128b:123::1 proto esp reqid 49480 mode tunnel

# xfrm states (SAs): AES-GCM (rfc4106) with a 128-bit ICV, the same SA pair
# installed in both namespaces; replay-window 0 turns off ESP anti-replay checking
ip -n interface1 xfrm state add src 2a01:4f8:10a:128b:123::1 dst \
    2a01:4f8:10a:128b:456::1 proto esp spi 0x33ff09b5 reqid 85910 mode \
    tunnel replay-window 0 aead 'rfc4106(gcm(aes))' \
    0x0efb31b0e1837b2a6f4145dc6ed81565d04654e691a063d06d1c826e001e50519e692675 \
    128 sel src ::/0 dst ::/0
ip -n interface1 xfrm state add src 2a01:4f8:10a:128b:456::1 dst \
    2a01:4f8:10a:128b:123::1 proto esp spi 0x62f75b71 reqid 49480 mode \
    tunnel replay-window 0 aead 'rfc4106(gcm(aes))' \
    0xb89577cecab3a5150bc275042d1485bf917ab55fa2f3100cb135cbfc21d7ee31aa5cf5d0 \
    128 sel src ::/0 dst ::/0
ip -n interface2 xfrm state add src 2a01:4f8:10a:128b:123::1 dst \
    2a01:4f8:10a:128b:456::1 proto esp spi 0x33ff09b5 reqid 85910 mode \
    tunnel replay-window 0 aead 'rfc4106(gcm(aes))' \
    0x0efb31b0e1837b2a6f4145dc6ed81565d04654e691a063d06d1c826e001e50519e692675 \
    128 sel src ::/0 dst ::/0
ip -n interface2 xfrm state add src 2a01:4f8:10a:128b:456::1 dst \
    2a01:4f8:10a:128b:123::1 proto esp spi 0x62f75b71 reqid 49480 mode \
    tunnel replay-window 0 aead 'rfc4106(gcm(aes))' \
    0xb89577cecab3a5150bc275042d1485bf917ab55fa2f3100cb135cbfc21d7ee31aa5cf5d0 \
    128 sel src ::/0 dst ::/0

# inner (fd53:...) addresses and routes, which are what the policies above match
ip -n interface1 addr add fd53:3f0e:d350:6740:123::2/80 dev vethiinterface1
ip -n interface2 addr add fd53:3f0e:d350:6740:456::2/80 dev vethiinterface2
ip -n interface1 route add fd53:3f0e:d350:6740:456::2/80 dev vethiinterface1
ip -n interface2 route add fd53:3f0e:d350:6740:123::2/80 dev vethiinterface2
```

Best regards,
Furkan
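As an added example (not part of the original post), a small Python checker run over constructed `ip xfrm state` and `/proc/crypto` samples shaped like the SAs in the script above: it reports which driver the kernel would normally pick for rfc4106(gcm(aes)) (the highest-priority registered implementation, accelerated versus generic) and flags SAs configured with replay-window 0, which disables ESP anti-replay. The sample text, the driver names in it and the 32-packet window on the second SA are constructed; the parser assumes the field layout shown.

```python
import re

# Constructed sample of `ip xfrm state` output shaped like the two SAs in the
# message above (keys replaced by a placeholder; second SA given a window of 32).
XFRM_STATE = """\
src 2a01:4f8:10a:128b:123::1 dst 2a01:4f8:10a:128b:456::1
\tproto esp spi 0x33ff09b5 reqid 85910 mode tunnel
\treplay-window 0
\taead rfc4106(gcm(aes)) 0xKEY_ELIDED 128
src 2a01:4f8:10a:128b:456::1 dst 2a01:4f8:10a:128b:123::1
\tproto esp spi 0x62f75b71 reqid 49480 mode tunnel
\treplay-window 32
\taead rfc4106(gcm(aes)) 0xKEY_ELIDED 128
"""
# Constructed sample of two /proc/crypto entries offering the same AEAD name.
PROC_CRYPTO = """\
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
priority     : 400

name         : rfc4106(gcm(aes))
driver       : rfc4106(gcm_base(ctr(aes-generic),ghash-generic))
priority     : 100
"""

def parse_xfrm_states(text):
    """One dict per SA with spi, replay_window and aead algorithm name."""
    states = []
    for line in text.splitlines():
        if line.startswith("src "):  # an unindented src/dst line opens each SA
            states.append({})
        if m := re.search(r"spi (0x[0-9a-f]+)", line):
            states[-1]["spi"] = m.group(1)
        if m := re.search(r"replay-window (\d+)", line):
            states[-1]["replay_window"] = int(m.group(1))
        if m := re.search(r"aead (\S+)", line):
            states[-1]["aead"] = m.group(1)
    return states

def best_driver(proc_crypto, name):
    """(driver, priority) the kernel normally picks for NAME: its highest-priority entry."""
    entries = [dict(re.findall(r"(\w+)\s*:\s*(.+)", b)) for b in proc_crypto.strip().split("\n\n")]
    cands = [(e["driver"], int(e["priority"])) for e in entries if e.get("name") == name]
    return max(cands, key=lambda c: c[1]) if cands else None

def audit(states, proc_crypto):
    """Flag SAs with anti-replay disabled and report which AEAD driver serves them."""
    findings = []
    for sa in states:
        if sa["replay_window"] == 0:
            findings.append(f"{sa['spi']}: replay-window 0 disables ESP anti-replay")
        drv = best_driver(proc_crypto, sa["aead"]) or ("<no driver registered>", 0)
        findings.append(f"{sa['spi']}: {sa['aead']} via {drv[0]} (prio {drv[1]})")
    return findings
```

On a live host the same functions can be fed the output of `ip xfrm state` and the contents of `/proc/crypto`.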
