Date: Tue, 5 Nov 2019 23:45:12 +0100 From: =?UTF-8?Q?Olivier_Cochard=2DLabb=C3=A9?= <olivier@freebsd.org> To: John-Mark Gurney <jmg@funkthat.com> Cc: Kurt Jaeger <pi@freebsd.org>, freebsd-net@freebsd.org Subject: Re: 10g IPsec ? Message-ID: <CA%2Bq%2BTcogf6uiCX=LiENB=hpz3V-hJtKY-4m_2YYbxbuy9bFVww@mail.gmail.com> In-Reply-To: <20191105191514.GG8521@funkthat.com> References: <20191104194637.GA71627@home.opsec.eu> <20191105191514.GG8521@funkthat.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Nov 5, 2019 at 8:15 PM John-Mark Gurney <jmg@funkthat.com> wrote: > AES-GCM can run at over 1GB/sec on a single core, so as long as the > traffic can be processed by multiple threads (via multiple queues > for example), it should be doable. > > I didn't bench this setup (10Gb/s IPSec) but I believe we will have the same problem with IPSec as with all VPN setups (like PPPoE or GRE): the IPSec tunnel will generate one IP flow preventing load sharing between all the NIC's RSS queues. I'm not aware of improvement to remove this limitation. Regards, Olivier
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2Bq%2BTcogf6uiCX=LiENB=hpz3V-hJtKY-4m_2YYbxbuy9bFVww>