Date: Thu, 7 Nov 2019 17:06:23 +0100 (CET)
From: Damien DEVILLE <damien.deville@stormshield.eu>
To: Santiago Martinez <sm@codenetworks.net>
Cc: Kurt Jaeger <pi@freebsd.org>, Lawrence Stewart <lstewart@freebsd.org>, olivier <olivier@freebsd.org>, Eugene Grosbein <eugen@grosbein.net>, freebsd-net <freebsd-net@freebsd.org>
Subject: Re: 10g IPsec ?
Message-ID: <2101535259.3199309.1573142783905.JavaMail.zimbra@stormshield.eu>
In-Reply-To: <c54bc3ce-aad3-040b-4f3a-1c0059363d83@codenetworks.net>
References: <20191104194637.GA71627@home.opsec.eu> <261b842d-51eb-4522-6ef5-0672e5d1594e@grosbein.net> <d2b64075-b9fe-b13d-760e-70cf0e074ea6@freebsd.org> <20191107073255.GU8521@funkthat.com> <54db0c82-ad44-13ed-8e1f-702557f331e5@grosbein.net> <972466586.1921723.1573120331472.JavaMail.zimbra@stormshield.eu> <20191107104128.GI1203@fc.opsec.eu> <c54bc3ce-aad3-040b-4f3a-1c0059363d83@codenetworks.net>

Hi,

There is no limitation in terms of interoperability with other IPsec stacks.
Funding is not needed as working on FreeBSD is part of my day time job. Available time is more the issue ;)

Damien

--
Damien Deville
IPS Technical Leader
http://www.stormshield.eu

Stormshield
2/6 Avenue de l'Horizon, Bat. 6 - FR
59650 Villeneuve d'Ascq

----- On 7 Nov 19, at 14:05, Santiago Martinez sm@codenetworks.net wrote:

| Super interesting, I'm also up for it, I guess I can help with some funding.
|
| Santi
|
|
| On 2019-11-07 10:41, Kurt Jaeger wrote:
|> Hi!
|>
|>> At Stormshield we have various patches related to that topic that we can share.
|>>
|>> On the flow id part, we have a patch that recomputes a new flowid for the IPsec
|>> flow after encapsulation based on the SPI.
|>> This forces the usage of the same transmit queue on the network card side for
|>> each tunnel/SPI.
|>>
|>> If you are interested I can make a review for this one to upstream it, it is a
|>> small and simple modification.
|> Yes, please. If you have the review, please add me to it.
|>
|>> On one of our high end hardware (Intel(R) Xeon(R) E-2176G with 6 cores / ixl
|>> network cards), the previous code was running around 2.4Gbps using AES-GCM with
|>> a mix of packet sizes whose average size was around 650 bytes.
|>> After various heavy optimizations in opencrypto/crypto.c and on the IPsec stack we
|>> managed to increase the performance on the same test to around 5Gbps. Take care,
|>> this is mainly targeted to the subset of opencrypto features we are using in our
|>> products (mainly IPsec with or without hardware cryptography).
|>>
|>> I can take some time to review and submit this big patch if there is some
|>> interest in it.
|> I would appreciate this -- would it help if my company pays some
|> money for this to make it happen ?
|>
|>> It will require some work on our side because at the moment this patch is for
|>> FreeBSD 10.3 and has some dependencies on our custom polling code which is not in
|>> FreeBSD. We made the modification to work using kproc in the non polling code
|>> but we still have to test those on an unmodified FreeBSD.
|> Again, depending on the amount of work: it would definitely be interesting.
|>
|>> I can also share the various benchmarks we did to illustrate the impact of some
|>> of the optimisations we did.
|> That would be very interesting. The final point would be: How
|> interoperable is the resulting IPsec connect with non-FreeBSD
|> counterparts 8-} ?
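
The flow id scheme described in the quoted message (a flowid recomputed from the SPI after encapsulation, so that each tunnel/SPI stays on one transmit queue), modelled in userspace C as an added example that is not part of this e-mail or of the Stormshield patch. The struct, the function names, the mixing hash and the modulo queue selection are assumptions made for the illustration; the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-in for a packet; field names are illustrative only. */
struct pkt {
    uint32_t inner_flowid; /* hash of the cleartext flow, before ESP */
    uint32_t spi;          /* SPI of the SA that encapsulates it */
};

/* Assumed mixer (murmur3 finalizer); the patch's real hash is not shown. */
static uint32_t flowid_from_spi(uint32_t spi)
{
    uint32_t h = spi;
    h ^= h >> 16; h *= 0x85ebca6bU;
    h ^= h >> 13; h *= 0xc2b2ae35U;
    h ^= h >> 16;
    return h;
}

/* Simplified model of a multiqueue driver choosing a transmit queue. */
static unsigned txq_select(uint32_t flowid, unsigned nqueues) { return flowid % nqueues; }

/* Distinct TX queues (nqueues <= 32) hit by the packets of one SPI. */
static unsigned queues_used(const struct pkt *p, size_t n, uint32_t spi,
                            int rehash_on_spi, unsigned nqueues)
{
    uint32_t seen = 0;
    unsigned count = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i].spi != spi)
            continue;
        /* Without the rehash the outer packet keeps the inner flow's id. */
        uint32_t fid = rehash_on_spi ? flowid_from_spi(spi) : p[i].inner_flowid;
        uint32_t bit = 1U << txq_select(fid, nqueues);
        if (!(seen & bit)) { seen |= bit; count++; }
    }
    return count;
}

/* Constructed sample: two tunnels, several inner flows each. */
static const struct pkt sample[] = {
    {0x10, 0xc0ffee01}, {0x11, 0xc0ffee01}, {0x12, 0xc0ffee01},
    {0x13, 0xc0ffee01}, {0x24, 0xc0ffee02}, {0x25, 0xc0ffee02},
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

int main(void)
{
    printf("SPI 0xc0ffee01: %u queues before, %u after\n",
           queues_used(sample, NSAMPLE, 0xc0ffee01, 0, 8),
           queues_used(sample, NSAMPLE, 0xc0ffee01, 1, 8));
    return 0;
}
```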