From: VANHULLEBUS Yvan
To: Vasile Marii
Cc: freebsd-hackers@freebsd.org
Date: Mon, 2 Mar 2009 15:59:52 +0100
Subject: Re: slow freebsd cripto-accelerating framework

Hi.

On Mon, Mar 02, 2009 at 05:57:56AM -0800, Vasile Marii wrote:
[....]
> The netperf results between the two exactly the same
> machines (with a tunnel (AES-CBC with HMAC_SHA256) between them) with
> exactly the same driver show a throughput of maximum
> 20Mbps (without IPSEC tunnel I can get 94,1 Mbps).
> I've seen similar problems on some threads regarding VIA (which
> should work with 1,1 Gbps throughput).
While doing some benchmarks on IPsec, the very first thing to do is to
ensure you'll have no fragmentation for ESP packets.

You can do that by updating TCPMSS on the fly (for example with Pf),
or by changing MTU on TRAFFIC interfaces (and NOT on tunnel
interfaces).

Once you have done that, you can start to have a look at
performance.

And yes, it takes time to do IPsec processing, so your throughput will
be much lower than non-IPsec traffic on the same hosts.

Yvan.
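
Added example, not part of the original message: a sizing calculation for the tunnel discussed above (ESP tunnel mode, AES-CBC with HMAC-SHA256) that gives the largest TCP MSS whose ESP packet still fits the link MTU. It assumes IPv4 without options, a 1500-byte link MTU and a 16-byte ICV (the RFC 4868 truncation); the function names, the icv_len=12 case for stacks that truncate to 96 bits and the NAT-T case are assumptions of this example.

```python
# Added example: ESP tunnel-mode sizing for AES-CBC + HMAC-SHA256 over IPv4.
# All constants assume IPv4 headers without options.
OUTER_IP = 20      # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
AES_BLOCK = 16     # AES-CBC block size; the IV has the same length
ESP_TRAILER = 2    # pad-length byte + next-header byte
NATT_UDP = 8       # extra UDP header when NAT-T encapsulation is used
INNER_TCPIP = 40   # inner IPv4 (20) + TCP (20) headers


def _fixed_overhead(icv_len, nat_t):
    """Bytes added around the ciphertext: outer IP, optional UDP, ESP, IV, ICV."""
    return OUTER_IP + (NATT_UDP if nat_t else 0) + ESP_HDR + AES_BLOCK + icv_len


def esp_packet_size(inner_len, icv_len=16, nat_t=False):
    """On-wire size of the ESP packet that carries an inner IP packet."""
    plaintext = inner_len + ESP_TRAILER
    # CBC encrypts whole blocks, so the plaintext is padded up to a multiple of 16.
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK
    return _fixed_overhead(icv_len, nat_t) + padded


def max_inner_packet(link_mtu=1500, icv_len=16, nat_t=False):
    """Largest inner IP packet whose ESP packet does not exceed link_mtu."""
    room = link_mtu - _fixed_overhead(icv_len, nat_t)
    # Only whole cipher blocks fit; two bytes of the last block are the trailer.
    return (room // AES_BLOCK) * AES_BLOCK - ESP_TRAILER


def max_tcp_mss(link_mtu=1500, icv_len=16, nat_t=False):
    """TCP MSS to clamp to so that full-size segments are not fragmented."""
    return max_inner_packet(link_mtu, icv_len, nat_t) - INNER_TCPIP


if __name__ == "__main__":
    for label, kwargs in [("16-byte ICV", {}),
                          ("12-byte ICV", {"icv_len": 12}),
                          ("16-byte ICV + NAT-T", {"nat_t": True})]:
        inner = max_inner_packet(**kwargs)
        print(f"{label}: inner MTU {inner}, MSS {max_tcp_mss(**kwargs)}, "
              f"ESP size {esp_packet_size(inner, **kwargs)}")
    # An unclamped 1500-byte inner packet needs more than the link MTU:
    print("1500-byte inner packet ->", esp_packet_size(1500), "bytes on the wire")
```

The resulting MSS is the value to use for the on-the-fly TCPMSS update mentioned in the message (in pf, the max-mss scrub option).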