From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Lev Serebryakov <lev@FreeBSD.org>, Olivier Cochard-Labbé <olivier@freebsd.org>
Cc: freebsd-net@freebsd.org, eugen@grosbein.net
Subject: Re: IPsec: is it possible to encrypt transit traffic in transport mode?
Date: Fri, 30 Nov 2018 20:10:51 +0300
Message-ID: <b5b6e3ca-7367-c44d-dd03-fb281091b10a@yandex.ru>
In-Reply-To: <198535239.20181130184316@serebryakov.spb.ru>
References: <1519156224.20181130021136@serebryakov.spb.ru> <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net> <881323908.20181130123008@serebryakov.spb.ru> <9ae35c3c-7af8-e513-7c20-e2d62f2b7b3e@grosbein.net> <108847324.20181130150424@serebryakov.spb.ru> <CA+q+TcoQC=Xy_HBCo6jhoCzH0LRty=CD83kEjp_fFpsNu4sbHg@mail.gmail.com> <198535239.20181130184316@serebryakov.spb.ru>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
On 30.11.2018 18:43, Lev Serebryakov wrote:
> Hello Olivier,
>
> Friday, November 30, 2018, 3:34:50 PM, you wrote:
>
>>> I'm benchmarking different possible "native" VPN configurations and I have
>>> gif(4) and gre(4) with and without IPsec in my battery. I have tunnel mode
>>> IPsec too. The problem with gif(4) and gre(4) is that they are tremendously
>>> expensive, and could be more expensive than IPsec itself on CPUs with AES-NI.
>>> So, this configuration is impossible, I understand. Nothing to benchmark :-)
>> And what about using IPSec VTI (virtual tunneling interface) mode: if_ipsec(4)
> And this one too. It gives slightly more PPS than "setkey-based" tunnel
> mode, which is a surprise for me.

If your goal is increasing PPS throughput, there are several ways to
achieve it. For example, it is possible to make direct output from IPsec
code, I mean make a route lookup and call if_output() directly from
ipsec_process_done(). This removes many checks that ip_output() does
and also the extra call to pfil(9).

Another idea is implementing some ipfw_ipsec(4) module that can take
packets and do IPsec processing. Then this module can be attached to the
Ethernet pfil hook and, together with the first idea, I think this can give
a measurable improvement of PPS rate.

--
WBR, Andrey V. Elsukov
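Added illustration, not part of this thread and not FreeBSD code: a small Python model of the three approaches the thread compares. It shows why a transport-mode SA between two gateways cannot protect forwarded (transit) traffic, while tunnel mode (setkey-based or an if_ipsec(4) VTI, which use the same wire format) can, and why gif(4) plus transport mode also works only by first re-addressing the packet to the gateways. The gateway addresses, the two networks, the `Packet`/`SA` classes and the `protect()` helper are all constructed for this example; the semantics modelled are those of RFC 4301/4303 (transport mode inserts ESP behind the packet's own IP header, tunnel mode prepends a new outer header carrying the SA endpoints).

```python
# Simplified model of IPsec transport vs tunnel mode on a forwarding
# gateway. Constructed example: addresses, networks and class names are
# assumptions made for illustration, not FreeBSD kernel structures.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    headers: Tuple[str, ...]   # header stack, outermost first, e.g. ("IP", "TCP")


@dataclass(frozen=True)
class SA:
    mode: str      # "transport" or "tunnel"
    local: str     # SA endpoints: this gateway -> peer gateway
    remote: str


GW_A, GW_B = "192.0.2.1", "198.51.100.1"                # constructed gateway addresses
NET_A, NET_B = ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")  # networks behind them


def transport_eligible(pkt: Packet, sa: SA) -> bool:
    """Transport mode puts ESP behind the packet's *own* IP header, so the
    SA endpoints must be exactly the packet's source and destination.
    A transit packet (10.0.1.x -> 10.0.2.y) can never satisfy that."""
    return sa.mode == "transport" and (pkt.src, pkt.dst) == (sa.local, sa.remote)


def esp_transport(pkt: Packet, sa: SA) -> Optional[Packet]:
    if not transport_eligible(pkt, sa):
        return None
    return Packet(pkt.src, pkt.dst, (pkt.headers[0], "ESP") + pkt.headers[1:])


def esp_tunnel(pkt: Packet, sa: SA) -> Packet:
    """Tunnel mode prepends a new outer IP header addressed between the SA
    endpoints; the original packet, addresses included, is the payload."""
    return Packet(sa.local, sa.remote, ("IP", "ESP") + pkt.headers)


def gif_encap(pkt: Packet, outer_src: str, outer_dst: str) -> Packet:
    """gif(4)-style IP-in-IP encapsulation done *before* IPsec: afterwards the
    packet's own addresses are the gateways, so transport mode applies.
    The wire format ends up identical to tunnel mode, but it costs a second
    pass through the output path (the expense Lev measured)."""
    return Packet(outer_src, outer_dst, ("IP",) + pkt.headers)


def spd_selects(pkt: Packet) -> bool:
    """Security policy selector used for the tunnel cases: NET_A -> NET_B."""
    return ip_address(pkt.src) in NET_A and ip_address(pkt.dst) in NET_B


def protect(pkt: Packet, method: str) -> Optional[Packet]:
    """Return the on-the-wire packet for one approach, or None when that
    approach cannot protect this packet at all."""
    sa = SA("tunnel" if method == "tunnel" else "transport", GW_A, GW_B)
    if method == "transport":                 # plain transport-mode SA between gateways
        return esp_transport(pkt, sa)
    if method == "tunnel":                    # setkey tunnel-mode SP/SA or if_ipsec(4) VTI
        return esp_tunnel(pkt, sa) if spd_selects(pkt) else None
    if method == "gif+transport":             # gif(4) tunnel + transport-mode IPsec
        return esp_transport(gif_encap(pkt, GW_A, GW_B), sa) if spd_selects(pkt) else None
    raise ValueError(f"unknown method {method!r}")


if __name__ == "__main__":
    transit = Packet("10.0.1.5", "10.0.2.7", ("IP", "TCP"))   # forwarded by GW_A
    local = Packet(GW_A, GW_B, ("IP", "UDP"))                  # originated by GW_A
    for method in ("transport", "tunnel", "gif+transport"):
        print(f"{method:14s} transit -> {protect(transit, method)}")
        print(f"{method:14s} local   -> {protect(local, method)}")
```

Running the script prints `None` for the transit packet under plain transport mode and an `IP, ESP, IP, TCP` stack addressed GW_A to GW_B for both tunnel mode and gif+transport; only a packet the gateway itself originates gets the shorter `IP, ESP, UDP` transport-mode form. That is the whole answer to the subject line: transit traffic needs an outer header, whether IPsec adds it (tunnel mode, VTI) or a separate tunnel interface does.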