linux-kernel.vger.kernel.org archive mirror
* Re: Poor IPSec performance with 2.6 kernels
@ 2003-09-01 17:25 kartikey bhatt
  0 siblings, 0 replies; 9+ messages in thread
From: kartikey bhatt @ 2003-09-01 17:25 UTC (permalink / raw)
  To: jmorris; +Cc: linux-kernel


This is taken from FreeS/WAN HOWTO.

"AES is a new US government block cipher standard, designed to replace
the obsolete DES. If FreeS/WAN using 3DES is not fast enough for your
application, the AES patch may help.

To date (March 2002) we have had only one mailing list report of
measurements with the patch applied. It indicates that, at least for
the tested load on that user's network, AES roughly doubles IPsec
throughput."

                   -Kartikey Mahendra Bhatt



>From: James Morris <jmorris@intercode.com.au>
>To: Tom Sightler <ttsig@tuxyturvy.com>
>CC: "Adam J. Richter" <adam@yggdrasil.com>,LKML 
><linux-kernel@vger.kernel.org>
>Subject: Re: Poor IPSec performance with 2.6 kernels
>Date: Thu, 28 Aug 2003 23:40:04 +1000 (EST)
>
>On 28 Aug 2003, Tom Sightler wrote:
>
> > I'm using 3des for the encryption algorithm.
>
>What authentication algorithm (if any) ?
>
>
>- James
>--
>James Morris
><jmorris@intercode.com.au>
>
>

* Re: Poor IPSec performance with 2.6 kernels
@ 2003-08-30 17:13 kartikey bhatt
  0 siblings, 0 replies; 9+ messages in thread
From: kartikey bhatt @ 2003-08-30 17:13 UTC (permalink / raw)
  To: jmorris; +Cc: linux-kernel

I'll do my best to integrate code from freeswan to kernel.

              -Kartikey


>From: James Morris <jmorris@intercode.com.au>
>To: kartikey bhatt <kartik_me@hotmail.com>
>CC: linux-kernel@vger.kernel.org
>Subject: Re: Poor IPSec performance with 2.6 kernels
>Date: Fri, 29 Aug 2003 11:37:14 +1000 (EST)
>
>On Fri, 29 Aug 2003, kartikey bhatt wrote:
>
> > Can't we use per-arch assembly algorithms for ipv6 in kernel also?
> >
>
>Yes, it has just not been done yet.
>
>
>- James
>--
>James Morris
><jmorris@intercode.com.au>
>

* Re: Poor IPSec performance with 2.6 kernels
  2003-08-28 18:56 kartikey bhatt
@ 2003-08-29  1:37 ` James Morris
  0 siblings, 0 replies; 9+ messages in thread
From: James Morris @ 2003-08-29  1:37 UTC (permalink / raw)
  To: kartikey bhatt; +Cc: linux-kernel

On Fri, 29 Aug 2003, kartikey bhatt wrote:

> Can't we use per-arch assembly algorithms for ipv6 in kernel also?
> 

Yes, it has just not been done yet.


- James
-- 
James Morris
<jmorris@intercode.com.au>



* Re: Poor IPSec performance with 2.6 kernels
@ 2003-08-28 18:56 kartikey bhatt
  2003-08-29  1:37 ` James Morris
  0 siblings, 1 reply; 9+ messages in thread
From: kartikey bhatt @ 2003-08-28 18:56 UTC (permalink / raw)
  To: jmorris; +Cc: linux-kernel

Can't we use per-arch assembly algorithms for ipv6 in kernel also?

           -kartikey mahendra bhatt


>From: James Morris <jmorris@intercode.com.au>
>To: Tom Sightler <ttsig@tuxyturvy.com>
>CC: "Adam J. Richter" <adam@yggdrasil.com>,LKML 
><linux-kernel@vger.kernel.org>
>Subject: Re: Poor IPSec performance with 2.6 kernels
>Date: Thu, 28 Aug 2003 23:40:04 +1000 (EST)
>
>On 28 Aug 2003, Tom Sightler wrote:
>
> > I'm using 3des for the encryption algorithm.
>
>What authentication algorithm (if any) ?
>
>
>- James
>--
>James Morris
><jmorris@intercode.com.au>
>
>

* Re: Poor IPSec performance with 2.6 kernels
  2003-08-28 13:09 ` Tom Sightler
@ 2003-08-28 13:40   ` James Morris
  0 siblings, 0 replies; 9+ messages in thread
From: James Morris @ 2003-08-28 13:40 UTC (permalink / raw)
  To: Tom Sightler; +Cc: Adam J. Richter, LKML

On 28 Aug 2003, Tom Sightler wrote:

> I'm using 3des for the encryption algorithm.

What authentication algorithm (if any) ?


- James
-- 
James Morris
<jmorris@intercode.com.au>




* Re: Poor IPSec performance with 2.6 kernels
  2003-08-28 10:16 Adam J. Richter
@ 2003-08-28 13:09 ` Tom Sightler
  2003-08-28 13:40   ` James Morris
  0 siblings, 1 reply; 9+ messages in thread
From: Tom Sightler @ 2003-08-28 13:09 UTC (permalink / raw)
  To: Adam J. Richter; +Cc: jmorris, LKML


> 	In which direction did you take these benchmarks, inbound to the
> Linux box, outbound from the Linux box, or both?  If both, is
> there a difference between inbound and outbound performance?  What
> private key algorithm are you configuring (aes, des, serpent)?  How
> is your DSL connected (via ethernet, via USB, such as with SpeedStream)?
> What kind of CPU are you using (probably doesn't matter, even if you're
> using a 16MHz 386, but it would help in reproducing your problem to
> know what the benchmarks should look like on a different system).

Unfortunately my DSL service is ADSL and my uplink is only 256Kbps which
gives me about 25-30KB/s on a typical, non-IPsec FTP upload.  Both SFS
and in-kernel IPsec give approximately the same outbound speed over this
limited link, roughly 20KB/s, which seems about right to me.

I'm using 3des for the encryption algorithm.

DSL is connected via ethernet.

CPU is an AMD K6/2 333Mhz.

I also just thought about the fact that I could test my laptop to see if
this is a CPU related issue.  It's running the same basic kernel but of
course with options for laptop devices enabled and compiled for i686,
etc.  It's a much faster machine, a PIII/1.13Ghz system.  If I still get
roughly the same performance then we can probably safely assume it's not
a CPU constraint.  I'll test that tonight.

I'm also going to try and pull some TCP dump data to see if it gives me
any hints.

Anything else I can answer.

Later,
Tom





* Re: Poor IPSec performance with 2.6 kernels
@ 2003-08-28 10:16 Adam J. Richter
  2003-08-28 13:09 ` Tom Sightler
  0 siblings, 1 reply; 9+ messages in thread
From: Adam J. Richter @ 2003-08-28 10:16 UTC (permalink / raw)
  To: ttsig; +Cc: jmorris, linux-kernel

At 2003-08-28 2:56:37, James Morris wrote:
>On 27 Aug 2003, Tom Sightler wrote:
>
>> My Internet connection is a DSL circuit that typically delivers about
>> 150KB/s.  When I connect with SuperFreeS/WAN my VPN throughput is quite
>> good, averaging about 125KB/s (this seems about reasonable with
>> overhead) but when making the identical connection with racoon and the
>> 2.6 kernel I can only achieve 50KB/s.  I've been unable to come up with
>> any reason why this would be the case.
>> 
>> Any hints would be appreciated.
>
>I think SFS uses assembly crypto algorithms where possible, which would 
>account for roughly 2x performance increase.

	I believe that assembly AES processes about 50MB/second on a
1GHz machine, but Tom is talking about the difference between 125kB/sec.
and 50kB/sec.  The C versus assembly issue is not on the scale that
Tom is asking about.

	Tom, although I'm not sure that I'll immediately have the time
to dig into your problem, I think it would increase the likelihood of
someone tracking it down if you could answer the following questions.

	In which direction did you take these benchmarks, inbound to the
Linux box, outbound from the Linux box, or both?  If both, is
there a difference between inbound and outbound performance?  What
private key algorithm are you configuring (aes, des, serpent)?  How
is your DSL connected (via ethernet, via USB, such as with SpeedStream)?
What kind of CPU are you using (probably doesn't matter, even if you're
using a 16MHz 386, but it would help in reproducing your problem to
know what the benchmarks should look like on a different system).

Adam J. Richter     __     ______________   575 Oroville Road
adam@yggdrasil.com     \ /                  Milpitas, California 95035
+1 408 309-6081         | g g d r a s i l   United States of America
                         "Free Software For The Rest Of Us."


* Re: Poor IPSec performance with 2.6 kernels
  2003-08-28  2:38 Tom Sightler
@ 2003-08-28  2:56 ` James Morris
  0 siblings, 0 replies; 9+ messages in thread
From: James Morris @ 2003-08-28  2:56 UTC (permalink / raw)
  To: Tom Sightler; +Cc: LKML

On 27 Aug 2003, Tom Sightler wrote:

> My Internet connection is a DSL circuit that typically delivers about
> 150KB/s.  When I connect with SuperFreeS/WAN my VPN throughput is quite
> good, averaging about 125KB/s (this seems about reasonable with
> overhead) but when making the identical connection with racoon and the
> 2.6 kernel I can only achieve 50KB/s.  I've been unable to come up with
> any reason why this would be the case.
> 
> Any hints would be appreciated.

I think SFS uses assembly crypto algorithms where possible, which would 
account for roughly 2x performance increase.


- James
-- 
James Morris
<jmorris@intercode.com.au>



* Poor IPSec performance with 2.6 kernels
@ 2003-08-28  2:38 Tom Sightler
  2003-08-28  2:56 ` James Morris
  0 siblings, 1 reply; 9+ messages in thread
From: Tom Sightler @ 2003-08-28  2:38 UTC (permalink / raw)
  To: LKML

Hi all.

I'm looking for suggestions as to why my IPSec performance is so bad
when using the built in 2.6 IPSec implementation.

My setup is pretty simple, a tunnel with a Watchguard Firebox on one end
and an AMD K6/333 on the other end running Redhat 9.  I've used two
different IPsec implementations on the Linux system, one is
SuperFreeS/WAN with a patched Redhat kernel using the available SRPMS
and the other is the built-in 2.6 IPSec code with racoon.

My Internet connection is a DSL circuit that typically delivers about
150KB/s.  When I connect with SuperFreeS/WAN my VPN throughput is quite
good, averaging about 125KB/s (this seems about reasonable with
overhead) but when making the identical connection with racoon and the
2.6 kernel I can only achieve 50KB/s.  I've been unable to come up with
any reason why this would be the case.

Any hints would be appreciated.

Later,
Tom




