Date: Thu, 31 Dec 2020 14:51:48 -0800
From: John Baldwin <jhb@FreeBSD.org>
To: Franco Fichtner <franco@lastsummer.de>, Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: Allan Jude <allanjude@freebsd.org>, FreeBSD Current <freebsd-current@freebsd.org>
Subject: Re: Enabling AESNI by default
Message-ID: <919661a7-cfd6-c106-244f-16853e34b059@FreeBSD.org>
In-Reply-To: <7DF6338B-9DDF-4F3C-B217-DADD72D16898@lastsummer.de>
References: <5d56280e-a8dd-b28d-7039-f8fe0bc0cd6f@freebsd.org> <20201231200702.22gvepvlzfwncalz@mutt-hbsd> <7DF6338B-9DDF-4F3C-B217-DADD72D16898@lastsummer.de>

On 12/31/20 12:15 PM, Franco Fichtner wrote:
> https://cgit.freebsd.org/src/commit/sys/crypto/aesni?h=stable/12&id=95b37a4ed741fd116809d0f2cb295c4e9977f5b6
>
> may have subtly broken a number of IPsec installations by stalling active
> connections after certain amounts of traffic transferred. We're still
> trying to confirm, but it looks like this had an overall impact on 12.0
> and 12.1 except that only one person in OPNsense traced it back to aesni.ko
> to our knowledge to effectively work around an apparent issue there.
>
> If that is not the actual fix, the problem still exists in 12.2 and onward ;)

We don't support AES-CCM for IPsec, so there is 0 chance that commit has
any effect on IPsec in 12.

There's not much detail in the forum posts though (e.g. netstat -s output
to get ipsec, esp, and ah stats). Also, at least one forum post mentioned
it happened when doing an upgrade from 11.2 to 12.1 which is a larger set
of changes. I know the pfsense folks had a major performance regression
due to iflib with Intel e1000 devices that might manifest as this perhaps?
Disabling aesni might just be throttling the connection slow enough to
avoid hitting a bug in a NIC driver for example. I think netstat -s would
be a better place to start to try to debug this.

> https://github.com/opnsense/core/issues/4415

-- 
John Baldwin