From: John-Mark Gurney
To: "David P. Discher"
Cc: "Andrey V. Elsukov", freebsd-net@freebsd.org
Date: Thu, 9 Aug 2018 06:40:45 -0700
Subject: Re: Is if_ipsec/ipsec - AESNI accelerated ?

David P. Discher wrote this message on Thu, Aug 09, 2018 at 00:00 -0700:
>
> > On Aug 8, 2018, at 10:37 PM, Andrey V. Elsukov wrote:
> >
> > On 09.08.2018 06:57, David P. Discher wrote:
> >> I'm suspecting that IPSec in FreeBSD is not leveraging AESNI on Intel. Is this correct ?
> >
> > IPsec uses crypto(9) framework that works by default without any
> > acceleration. You need to load aesni(4) kernel module to enable
> > acceleration. Also, you need to recreate security associations after
> > module loading to take effect.
>
> Yes. I booted with AESNI loaded - via loader.conf. Transcript below. Two endpoints are identical hardware.

You don't show what ciphers you are using. It could be that you're using
CBC mode, which is known to be slow, or that you're using a slow AH that
is limiting performance, and not the cipher...

Need to see your setkey.conf, or at least the output of setkey -D..

-- 
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
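
The reply above asks for `setkey -D` output, and that dump prints each SA's key bytes next to the algorithm names. The following is an added example, not part of the original message: it reduces a dump to one line per SA with the cipher and authentication algorithm, drops the key bytes, and marks CBC-mode ciphers. The function names, the sample dump and the dump layout it parses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.

# Constructed sample in the layout assumed for `setkey -D` output
# (documentation addresses, made-up key bytes).
sample_sad() {
    printf '192.0.2.1 192.0.2.2\n'
    printf '\tesp mode=tunnel spi=4096(0x00001000) reqid=1(0x00000001)\n'
    printf '\tE: rijndael-cbc  00112233 44556677 8899aabb ccddeeff\n'
    printf '\tA: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233\n'
    printf '\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n'
    printf '192.0.2.2 192.0.2.1\n'
    printf '\tesp mode=tunnel spi=4097(0x00001001) reqid=1(0x00000001)\n'
    printf '\tE: aes-gcm-16  00112233 44556677 8899aabb ccddeeff 01020304\n'
    printf '\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n'
}

# Read a dump on stdin; print one line per SA with algorithms only.
# Key bytes never reach the output because only field 2 of the
# "E:" and "A:" lines is kept.
summarize_sad() {
    awk '
    function emit() {
        if (proto == "") return
        printf "%s -> %s %s spi=%s enc=%s auth=%s%s\n", src, dst, proto, spi,
            (enc == "" ? "none" : enc), (auth == "" ? "none" : auth),
            (enc ~ /-cbc$/ ? " [CBC]" : "")
        proto = ""; spi = ""; enc = ""; auth = ""
    }
    # An unindented line starts a new SA: "<src> <dst>".
    /^[^ \t]/ { emit(); src = $1; dst = $2; next }
    # Protocol line carries the SPI as "spi=<dec>(<hex>)".
    $1 ~ /^(esp|ah|esp-udp)$/ {
        proto = $1
        for (i = 2; i <= NF; i++)
            if ($i ~ /^spi=/) {
                spi = $i; sub(/^spi=/, "", spi); sub(/\(.*$/, "", spi)
            }
        next
    }
    $1 == "E:" { enc = $2; next }    # cipher name, key bytes ignored
    $1 == "A:" { auth = $2; next }   # auth algorithm, key bytes ignored
    END { emit() }
    '
}

# On a gateway (as root): setkey -D | summarize_sad
```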