From owner-freebsd-net@FreeBSD.ORG Fri Jun 14 13:51:37 2013 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 6BD4EF26 for ; Fri, 14 Jun 2013 13:51:37 +0000 (UTC) (envelope-from vanhu@zeninc.net) Received: from smtp.zeninc.net (smtp.zeninc.net [80.67.176.25]) by mx1.freebsd.org (Postfix) with ESMTP id EE6891074 for ; Fri, 14 Jun 2013 13:51:36 +0000 (UTC) Received: from nono (nono.zen.inc [192.168.1.95]) by smtp.zeninc.net (smtpd) with ESMTP id CFA2F27988B; Fri, 14 Jun 2013 15:51:35 +0200 (CEST) Received: by nono (Postfix, from userid 1000) id 3185F20BA6; Fri, 14 Jun 2013 15:59:22 +0200 (CEST) Date: Fri, 14 Jun 2013 15:59:22 +0200 From: VANHULLEBUS Yvan To: Slawa Olhovchenkov Subject: Re: IPSec improvement Message-ID: <20130614135921.GB23484@zeninc.net> References: <20130614103615.GQ34554@zxy.spb.ru> <20130614131400.GA23375@zeninc.net> <20130614132430.GS34554@zxy.spb.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20130614132430.GS34554@zxy.spb.ru> User-Agent: All mail clients suck. This one just sucks less. Cc: freebsd-net@freebsd.org X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jun 2013 13:51:37 -0000 On Fri, Jun 14, 2013 at 05:24:30PM +0400, Slawa Olhovchenkov wrote: > On Fri, Jun 14, 2013 at 03:14:00PM +0200, VANHULLEBUS Yvan wrote: > > > On Fri, Jun 14, 2013 at 02:36:15PM +0400, Slawa Olhovchenkov wrote: > > > I am plan to do some improve in IPSec stack: > > > > > > - AES-GCM support (from OpenBSD) > > > > Dylan Castine already started to work on that last year (see ML's > > archives), and we took some time to work together on that. > > > > Unfortunately, patch hasn't been commited since, as Dylan needed some > > more time to do some important cleanups on the code. > > > > I'll try to recontact Dylan to see if he could take time to finish > > that. > > OK, you inform about progress in this list? Yep. Just for information, Dylan also talked about such code last year, but the patch I got were from Riaan Kruger. I just sent him a mail on that subject. The patchset Riaan provided me was working on basic tests. On the benchmark we did, software AES-GCM was faster than software AES-CBC+SHA1, but slower than hardware accelerated AES-CBC+SHA1 (tried with both VIA's Padlock and Intel's AESNI). As AES-CBC / SHA1 acceleration is quite common today, but AES-GCM hardware acceleration is still not so common, AES-GCM may be really interesting only on hardware which provide such acceleration (or in older hardware which provide none of them). We also started to have a look at AES-CTR acceleration (more common than AES-GCM acceleration) to provide a partial hardware work for AES-GCM, and it looks like at least OpenSSL's guys coud implement that, with interesting benchmarks. > > > - GOST 28147-89 and 34.10-2001 support (by modules) > > > - support for IPSec acceleration in network cards > > > > What kind of acceleration, in which kind of network card ? > > > > Are you talking about encryption/authentication done in the network > > card (or CPUs, or .....), or do you want to use advanced IPsec > > offloading provided by some chipsets ? > > IPSec offloadin (ex. Intel 82599). Interesting. Yvan.