From: Sydney Meyer
Subject: Re: IPSec Performance under Xen
Date: Fri, 24 Apr 2015 02:05:55 +0200
To: freebsd-net@freebsd.org

Hello Andrey,

first off, thank you for your explanation.

As for your Hint, I am not a C Programmer but I think I have a better understanding of the issue now.

I believe this is a known issue and the reason why IPSEC isn't in GENERIC, afaik from this discussion (https://lists.freebsd.org/pipermail/freebsd-hackers/2009-April/028364.html).

I have compiled the patched kernel and am installing on the vm's now.. will get back to you.

S.

> On Apr 24, 2015, at 01:26, Andrey V. Elsukov wrote:
>
> On 24.04.2015 01:00, Sydney Meyer wrote:
>> Hello,
>>
>> I have set up 2 VM's under Xen running each one IPSec-Endpoint.
>> Everything seems to work fine, but (measured with benchmarks/iperf)
>> the performance drops from ~10 Gb/s on a non-IPSec-Kernel to ~200
>> Mb/s with IPSec compiled in, regardless of whether actually using
>> IPSec or not.
>
> Can you test this patch to see the difference? It isn't a fix. It is
> just to see how will help avoiding of PCB check.
>
> --- ip_output.c (revision 281867)
> +++ ip_output.c (working copy)
> @@ -482,7 +482,7 @@ again:
>
> sendit:
> #ifdef IPSEC
> - switch(ip_ipsec_output(&m, inp, &flags, &error)) {
> + switch(ip_ipsec_output(&m, NULL, &flags, &error)) {
> case 1:
> goto bad;
> case -1:
>
>
> --
> WBR, Andrey V. Elsukov
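
Review bot: On the added switch(ip_ipsec_output(&m, NULL, &flags, &error)) line in ip_output.c, inp is replaced by a hard-coded NULL for every packet that reaches sendit: under #ifdef IPSEC, so the PCB is never passed to ip_ipsec_output() regardless of which socket is sending. The message itself calls this a test and not a fix, and it should not go in as written. If the measurement shows the PCB check is the cost, keep passing inp and make the check conditional (for example, skip it only when no IPsec policy is in effect), with a comment at the call site stating the condition.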