From: Sydney Meyer
Subject: IPSec Performance under Xen
Date: Fri, 24 Apr 2015 00:00:33 +0200
To: freebsd-net@freebsd.org

Hello,

I have set up 2 VMs under Xen, each running one IPSec endpoint. Everything seems to work fine, but (measured with benchmarks/iperf) the performance drops from ~10 Gb/s on a non-IPSec kernel to ~200 Mb/s with IPSec compiled in, regardless of whether IPSec is actually in use or not.

I have read about the reasoning why IPSec isn't enabled in GENERIC, but wanted to ask if this is the kind of performance hit one has to expect.

I have observed this on FreeBSD 10.1 and 10 Stable, both AMD64. The hypervisor is running Xen 4.4 with a Linux 3.16 Dom0.