Date: Fri, 30 Nov 2018 20:10:51 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Lev Serebryakov <lev@FreeBSD.org>, Olivier Cochard-Labbé <olivier@freebsd.org>
Cc: freebsd-net@freebsd.org, eugen@grosbein.net
Subject: Re: IPsec: is it possible to encrypt transit traffic in transport mode?
Message-ID: <b5b6e3ca-7367-c44d-dd03-fb281091b10a@yandex.ru>
In-Reply-To: <198535239.20181130184316@serebryakov.spb.ru>
References: <1519156224.20181130021136@serebryakov.spb.ru> <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net> <881323908.20181130123008@serebryakov.spb.ru> <9ae35c3c-7af8-e513-7c20-e2d62f2b7b3e@grosbein.net> <108847324.20181130150424@serebryakov.spb.ru> <CA+q+TcoQC=Xy_HBCo6jhoCzH0LRty=CD83kEjp_fFpsNu4sbHg@mail.gmail.com> <198535239.20181130184316@serebryakov.spb.ru>

On 30.11.2018 18:43, Lev Serebryakov wrote:
> Hello Olivier,
>
> Friday, November 30, 2018, 3:34:50 PM, you wrote:
>
>>> I'm benchmarking different possible "native" VPN configurations and I have
>>> gif(4) and gre(4) with and without IPsec in my battery. I have tunnel mode
>>> IPsec too. The problem with gif(4) and gre(4) is that they are tremendously
>>> expensive, and could be more expensive than IPsec itself on CPUs with AES-NI.
>>> So, this configuration is impossible, I understand. Nothing to benchmark :-)
>> And what about using IPSec VTI (virtual tunneling interface) mode: if_ipsec(4)
> And this one too. It gives slightly more PPS than "setkey-based" tunnel
> mode, which is a surprise for me.

If your goal is to increase PPS throughput, there are several ways to
achieve it.

For example, it is possible to make direct output from the IPsec code, I
mean, make a route lookup and call if_output() directly from
ipsec_process_done(). This removes many checks that ip_output() does
and also the extra call to pfil(9).

Another idea is to implement some ipfw_ipsec(4) module that can take
packets and do IPsec processing. Then this module can be attached to the
Ethernet pfil hook and, together with the first idea, I think this can give
a measurable improvement of the PPS rate.

-- 
WBR, Andrey V. Elsukov