From: Santiago Martinez
To: Kurt Jaeger, Damien DEVILLE
Cc: Lawrence Stewart, olivier, Eugene Grosbein, freebsd-net@freebsd.org
Subject: Re: 10g IPsec ?
Date: Thu, 7 Nov 2019 13:05:39 +0000
List-Id: Networking and TCP/IP with FreeBSD

Super interesting, I'm also up for it, I guess I can help with some funding.

Santi

On 2019-11-07 10:41, Kurt Jaeger wrote:
> Hi!
>
>> At Stormshield we have various patches related to that topic that we can share.
>>
>> On the flow id part, we have a patch that recomputes a new flowid for the IPsec flow after encapsulation based on the spi.
>> This forces the usage of the same transmit queue on the network card side for each tunnel/SPI.
>>
>> If you are interested I can make a review for this one to upstream it, it is a small and simple modification.
> Yes, please. If you have the review, please add me to it.
>
>> On one of our high end hardware (Intel(R) Xeon(R) E-2176G with 6 cores / ixl network cards), the previous code was running around 2.4Gbps using AES-GCM with a mix of packet sizes whose average size was around 650 bytes.
>> After various heavy optimizations in opencrypto/crypto.c and on the IPsec stack we managed to increase the performance on the same test to around 5Gbps. Take care this is mainly targeted to the subset of opencrypto features we are using in our products (mainly IPsec with or without hardware cryptography)
>>
>> I can take some time to review and submit this big patch if there is some interest in it.
> I would appreciate this -- would it help if my company pays some
> money for this to make it happen ?
>
>> It will require some work on our side cause at the moment this patch is for FreeBSD 10.3 and has some dependencies to our custom polling code which is not in FreeBSD. We made the modification to work using kproc in the non polling code but we have still to test those on an unmodified FreeBSD.
> Again, depending on the amount of work: it would definitely be interesting.
>
>> I can also share the various benchmarks we did to illustrate the impact of some of the optimisations we did.
> That would be very interesting. The final point would be: How
> interoperable is the resulting IPsec connect with non-FreeBSD
> counterparts 8-} ?
>
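The flow ID recomputation described in the quoted message, as an added example that is not Stormshield's patch and not FreeBSD code: it reads the SPI from an ESP header, derives the flow ID from the SPI alone, and counts how many transmit queues the packets of one SA land on. The mixing function, the modulo queue mapping and the sample values are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ESP header (RFC 4303): 32-bit SPI, then 32-bit sequence number, big-endian. */
static int esp_spi(const uint8_t *esp, size_t len, uint32_t *spi)
{
    if (esp == NULL || spi == NULL || len < 8)
        return -1;                      /* truncated header: no SPI to hash */
    *spi = (uint32_t)esp[0] << 24 | (uint32_t)esp[1] << 16 |
           (uint32_t)esp[2] << 8 | (uint32_t)esp[3];
    return 0;
}

/* MurmurHash3 finalizer, a stand-in mixer chosen for this example (assumption). */
static uint32_t flowid_from_spi(uint32_t spi)
{
    uint32_t h = spi;
    h ^= h >> 16; h *= 0x85ebca6bU;
    h ^= h >> 13; h *= 0xc2b2ae35U;
    h ^= h >> 16;
    return h;
}

/* Distinct TX queues hit when queue = flowid % nqueues (simplified mapping). */
static unsigned queues_used(const uint32_t *flowids, size_t n, unsigned nqueues)
{
    uint32_t seen = 0;
    unsigned count = 0;
    if (nqueues == 0 || nqueues > 32)
        return 0;                       /* bitmap below holds at most 32 queues */
    for (size_t i = 0; i < n; i++)
        seen |= UINT32_C(1) << (flowids[i] % nqueues);
    for (; seen; seen &= seen - 1)      /* count set bits */
        count++;
    return count;
}

/* Constructed sample: four inner flows carried by one SA (SPI 0x1000abcd). */
static unsigned demo(int rehash_on_spi)
{
    static const uint8_t esp[8] = { 0x10, 0x00, 0xab, 0xcd, 0, 0, 0, 1 };
    uint32_t ids[4] = { 1, 2, 3, 4 };   /* flow IDs inherited from inner flows */
    uint32_t spi;
    if (rehash_on_spi && esp_spi(esp, sizeof(esp), &spi) == 0)
        for (size_t i = 0; i < 4; i++)
            ids[i] = flowid_from_spi(spi);
    return queues_used(ids, 4, 8);
}

int main(void) { printf("inherited=%u spi=%u\n", demo(0), demo(1)); return 0; }
```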