Date: Mon, 2 Mar 2009 15:59:52 +0100 From: VANHULLEBUS Yvan <vanhu@FreeBSD.org> To: Vasile Marii <vascim@yahoo.com> Cc: freebsd-hackers@freebsd.org Subject: Re: slow freebsd cripto-accelerating framework Message-ID: <20090302145952.GA6708@zeninc.net> In-Reply-To: <965289.45194.qm@web38306.mail.mud.yahoo.com> References: <965289.45194.qm@web38306.mail.mud.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi. On Mon, Mar 02, 2009 at 05:57:56AM -0800, Vasile Marii wrote: [....] > The netperf results between the two exactly the same > machines(with a tunnel(AES-CBC with HMAC_SHA256) between them) with > the exactly the same driver shows a throughput of maximum > 20Mbps(without IPSEC tunnel i can get 94,1 Mbps). > I've seen similar problems on some threads regarding VIA(which > should work with 1,1 Gbps throughput). While doing some benchs on IPsec, the very first thing to do is to ensure you'll have no fragmentation for ESP packets. You can do that by updating TCPMSS on the fly (for example with Pf), or by changing MTU on TRAFFIC interfaces (and NOT on tunnel interfaces). Once you did that, then you can start to have a look at performances. And yes, it take time to do IPsec processing, so your throughput will be much lower than non-IPsec traffic on the same hosts. Yvan.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090302145952.GA6708>