Date:      Fri, 14 Jun 2013 18:12:40 +0400
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        VANHULLEBUS Yvan <vanhu@FreeBSD.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPSec improvement
Message-ID:  <20130614141240.GU34554@zxy.spb.ru>
In-Reply-To: <20130614135921.GB23484@zeninc.net>
References:  <20130614103615.GQ34554@zxy.spb.ru> <20130614131400.GA23375@zeninc.net> <20130614132430.GS34554@zxy.spb.ru> <20130614135921.GB23484@zeninc.net>

On Fri, Jun 14, 2013 at 03:59:22PM +0200, VANHULLEBUS Yvan wrote:

> On Fri, Jun 14, 2013 at 05:24:30PM +0400, Slawa Olhovchenkov wrote:
> > On Fri, Jun 14, 2013 at 03:14:00PM +0200, VANHULLEBUS Yvan wrote:
> > 
> > > On Fri, Jun 14, 2013 at 02:36:15PM +0400, Slawa Olhovchenkov wrote:
> > > > I plan to make some improvements in the IPSec stack:
> > > > 
> > > > - AES-GCM support (from OpenBSD)
> > > 
> > > Dylan Castine already started to work on that last year (see ML's
> > > archives), and we took some time to work together on that.
> > > 
> > > Unfortunately, the patch hasn't been committed since, as Dylan needed some
> > > more time to do some important cleanups on the code.
> > > 
> > > I'll try to recontact Dylan to see if he could take time to finish
> > > that.
> > 
> > OK, will you inform about progress on this list?
> 
> Yep.
> 
> Just for information, Dylan also talked about such code last year, but
> the patch I got was from Riaan Kruger.
> I just sent him a mail on that subject.
> 
> The patchset Riaan provided me was working on basic tests.
> On the benchmark we did, software AES-GCM was faster than software
> AES-CBC+SHA1, but slower than hardware accelerated AES-CBC+SHA1 (tried
> with both VIA's Padlock and Intel's AESNI).
> 
> As AES-CBC / SHA1 acceleration is quite common today, but AES-GCM
> hardware acceleration is still not so common, AES-GCM may be really
> interesting only on hardware which provides such acceleration (or in
> older hardware which provides none of them).
> 
> We also started to have a look at AES-CTR acceleration (more common
> than AES-GCM acceleration) to provide a partial hardware work for
> AES-GCM, and it looks like at least OpenSSL's guys could implement
> that, with interesting benchmarks.

As far as I know, AESNI supports accelerating AES-GCM: https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf

> > > > - GOST 28147-89 and 34.10-2001 support (by modules)
> > > > - support for IPSec acceleration in network cards
> > > 
> > > What kind of acceleration, in which kind of network card ?
> > > 
> > > Are you talking about encryption/authentication done in the network
> > > card (or CPUs, or .....), or do you want to use advanced IPsec
> > > offloading provided by some chipsets ?
> > 
> > IPSec offloading (e.g. Intel 82599).
> 
> Interesting.
> 
> 
> Yvan.


