Date: Tue, 5 Nov 2019 11:15:14 -0800 From: John-Mark Gurney <jmg@funkthat.com> To: Kurt Jaeger <pi@freebsd.org> Cc: freebsd-net@freebsd.org Subject: Re: 10g IPsec ? Message-ID: <20191105191514.GG8521@funkthat.com> In-Reply-To: <20191104194637.GA71627@home.opsec.eu> References: <20191104194637.GA71627@home.opsec.eu>
next in thread | previous in thread | raw e-mail | index | archive | help
Kurt Jaeger wrote this message on Mon, Nov 04, 2019 at 20:46 +0100:
> Has anyone experience with operating a highspeed IPsec connection
> up to 10gigabit/s between 2 FreeBSD hosts ?
>
> Is that speed achievable ? How much tuning is necessary ?
I haven't, but do know some hints. Make sure that you have a machine
w/ AESNI, AND make sure you're using AES-GCM or AES-CTR.. Using
AES-GCM is best as it avoids using a costly auth algorithm, as the
AESNI instructions provide instructionts to make the GCM (auth) part
of AES-GCM faster.
AES-GCM can run at over 1GB/sec on a single core, so as long as the
traffic can be processed by multiple threads (via multiple queues
for example), it should be doable.
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20191105191514.GG8521>