Date: Thu, 9 Aug 2018 06:40:45 -0700 From: John-Mark Gurney <jmg@funkthat.com> To: "David P. Discher" <dpd@dpdtech.com> Cc: "Andrey V. Elsukov" <bu7cher@yandex.ru>, freebsd-net@freebsd.org Subject: Re: Is if_ipsec/ipsec - AESNI accelerated ? Message-ID: <20180809134045.GN2884@funkthat.com> In-Reply-To: <62E0C365-AD64-4383-8BA4-298AA0E292F4@dpdtech.com> References: <D47976AF-A0AF-4A58-B80E-31E9DED96D26@dpdtech.com> <dc8bea35-1770-48d0-3662-c58e72bd3d2d@yandex.ru> <62E0C365-AD64-4383-8BA4-298AA0E292F4@dpdtech.com>
next in thread | previous in thread | raw e-mail | index | archive | help
David P. Discher wrote this message on Thu, Aug 09, 2018 at 00:00 -0700:
>
> > On Aug 8, 2018, at 10:37 PM, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
> >
> > On 09.08.2018 06:57, David P. Discher wrote:
> >> I???m suspecting that IPSec in FreeBSD is not leveraging AESNI on Intel. Is this correct ?
> >
> > IPsec uses crypto(9) framework that works by default without any
> > acceleration. You need to load aesni(4) kernel module to enable
> > acceleration. Also, you need to recreate security associations after
> > module loading to take effect.
>
> Yes. I booted with AESNI loaded ??? via loader.conf. Transcript below. Two endpoint are identical hardware.
You don't show what ciphers you are using. It could be that you're
using CBC mode, which is known to be slow, or that you're using a
slow AH that is limiting performance, and not the cipher...
Need to see your setkey.conf, or at least the output of setkey -D..
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180809134045.GN2884>