Re: Is if_ipsec/ipsec - AESNI accelerated ?

2018-08-10 Thread John-Mark Gurney
Mike Tancsa wrote this message on Fri, Aug 10, 2018 at 16:44 -0400:
> On 8/9/2018 4:11 PM, David P. Discher wrote:
> > [ pts/0 sjc2 util201:~ ]
> > [ dpd ] > sudo setkey -D
> > Password:
> > 10.245.0.201 10.245.0.202
> > esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x000c)
> > E: rijndael-cbc  
>     
> 
> BTW, if you use a static psk, does not the above line essentially give
> someone with access to the ESP traffic a way to decode your traffic ?

Yes, this does...   And the A: line gives you the ability to spoof
packets as well...

Hopefully there wasn't any important data encrypted w/ that key...

Always X those out...

> > A: hmac-sha2-256  xxx

-- 
  John-Mark Gurney  Voice: +1 415 225 5579

 "All that I will do, has been done, All that I have, has not."
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"


Re: Is if_ipsec/ipsec - AESNI accelerated ?

2018-08-10 Thread John-Mark Gurney
David P. Discher wrote this message on Thu, Aug 09, 2018 at 13:11 -0700:
> The documentation for using IPSec (especially if_ipsec) is really thin for 
> freebsd, so I pieced some of this together from various posts and mailing 
> lists threads.
>  
> Is there no need for racoon ?  How in this example is the  IKE/ISAKMP setup 
> done ? Is setkey doing this ?

Yeah, it is...  A few of us have sample config files floating around..
When I was doing testing I used:
https://github.com/jmgurney/ipseccfgs

> > On Aug 9, 2018, at 1:32 AM, Andrey V. Elsukov  wrote:
> > 
> > # kldload aesni
> > # setkey -DF
> > # setkey -c
> > add 10.0.0.25 10.0.0.15 esp 1 -m tunnel -u 16385 -E rijndael-cbc
> > "0123456789123456";
> > add 10.0.0.15 10.0.0.25 esp 2 -m tunnel -u 16385 -E rijndael-cbc
> > "0123456789123456";
> > 
> > # sysctl net.inet.ipsec.async_crypto=0
> > net.inet.ipsec.async_crypto: 1 -> 0
> 
> This is 11.2-stable, shortly after release; I don't have this sysctl.
> 
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > sysctl net.inet.ipsec
> net.inet.ipsec.def_policy: 1
> net.inet.ipsec.esp_trans_deflev: 1
> net.inet.ipsec.esp_net_deflev: 1
> net.inet.ipsec.ah_trans_deflev: 1
> net.inet.ipsec.ah_net_deflev: 1
> net.inet.ipsec.ah_cleartos: 1
> net.inet.ipsec.dfbit: 0
> net.inet.ipsec.ecn: 0
> net.inet.ipsec.debug: 0
> net.inet.ipsec.filtertunnel: 0
> net.inet.ipsec.natt_cksum_policy: 0
> net.inet.ipsec.check_policy_history: 0
> net.inet.ipsec.crypto_support: 50331648
> 
> 
> 
> > On Aug 9, 2018, at 6:40 AM, John-Mark Gurney  wrote:
> > 
> > 
> > You don't show what ciphers you are using.  It could be that you're
> > using CBC mode, which is known to be slow, or that you're using a
> > slow AH that is limiting performance, and not the cipher...
> > 
> > Need to see your setkey.conf, or at least the output of setkey -D..
> 
> racoon.conf is :
> 
> sainfo anonymous
> {
> pfs_group 2;
> lifetime time 86400 seconds;
> encryption_algorithm aes;
> authentication_algorithm hmac_sha256;
> compression_algorithm deflate;
> }
> 
> remote 10.245.0.202 [500] {
> passive off;
> my_identifier address 172.30.1.13;
> exchange_mode main;
> lifetime time 24 hour;
> proposal {
> encryption_algorithm aes;
> hash_algorithm sha1;
> authentication_method pre_shared_key;
> dh_group 2; 
> }}
> 
> 
> For some reason, I don't think I can use AES-GCM on the juniper side, 
> because of a combination of other required settings.  I remember trying, but 
> don't remember why I can't.
> 
> 
> setkey.conf is :
> 
> flush;
> spdflush;
> 
> spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec 
> esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
> spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in  ipsec 
> esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
> spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec 
> esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
> spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in  ipsec 
> esp/tunnel/10.245.0.203-10.245.0.201/unique:4;
> 
> And that results in :
> 
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > sudo setkey -D
> Password:
> 10.245.0.201 10.245.0.202
>   esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x000c)
>   E: rijndael-cbc  
>   A: hmac-sha2-256  

Yeah, this is AES-CBC, and will always be slow on encryption, decryption
will be fast though...  To get max possible speed (per core), you can
run:
openssl speed -evp aes-128-cbc

I believe that crypto will be single threaded on output, so you could
try to enable net.inet.ipsec.async_crypto and see if that helps..  This
will let your sending process be on one core while handing the encryption
off to another thread...

If you were running HEAD, you'd also get further improvements by there
being multiple threads doing processing, but it looks like that change
hasn't been MFC'd yet...

Switching to SHA2-512 will also improve performance on 64bit systems...

Also, check to make sure that the various processes are consuming 100%
usage, and likely you'll see that..   Also, try running multiple streams
to see if you get better performance, you should get significantly better
performance as that'll split the work among multiple threads...

-- 
  John-Mark Gurney  Voice: +1 415 225 5579

 "All that I will do, has been done, All that I have, has not."
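Worked example, added to this digest and not code from the thread, from racoon or from FreeBSD: a small Python script that takes a `setkey -D` dump in the layout shown above, strips the E:/A: key material before the dump is pasted anywhere, and reports what each SA is using. It ties together the two points raised in the thread: the exposed key lines that let anyone holding the dump decrypt and forge traffic on that SA, and AES-CBC with HMAC-SHA2-256 as the slow combination. The embedded sample dump is constructed; its hex keys are placeholders, and its second SA (aes-gcm-16 with no A: line) is made up to exercise the combined-mode case and is not from the thread.

```python
"""Audit and redact a `setkey -D` SA dump before sharing it.

Added example for this thread; not code from the thread, racoon or FreeBSD.
Only the SA dump layout seen in the thread is understood: a "src dst" header
line, an indented esp/ah line carrying the SPI, then indented E:/A: lines
whose algorithm name is followed by the raw key in hex groups.
"""
import re

REDACTED = "<key redacted>"

# Constructed sample in the layout setkey -D prints. Hex key groups are
# made-up placeholders; the second SA (aes-gcm-16, no A: line) is invented
# to show the combined-mode case and is not from the thread.
SAMPLE_SETKEY_D = """\
10.245.0.201 10.245.0.202
\tesp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x000c)
\tE: rijndael-cbc  00112233 44556677 8899aabb ccddeeff
\tA: hmac-sha2-256  00112233 44556677 8899aabb ccddeeff 00112233 44556677 8899aabb ccddeeff
\tseq=0x0011 replay=4 flags=0x state=mature
10.245.0.202 10.245.0.201
\tesp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x000c)
\tE: aes-gcm-16  00112233 44556677 8899aabb ccddeeff 00112233
\tseq=0x0000 replay=4 flags=0x state=mature
"""

SA_HEADER = re.compile(r"^(?P<src>\S+)\s+(?P<dst>\S+)\s*$")
PROTO_LINE = re.compile(
    r"^\s+(?P<proto>esp|ah)\s+mode=\S+\s+spi=\d+\((?P<spi>0x[0-9a-fA-F]+)\)")
ALG_LINE = re.compile(r"^\s+(?P<kind>[EA]): (?P<alg>\S+)")
# Same line as ALG_LINE, but only when raw hex key groups follow the algorithm.
KEY_LINE = re.compile(
    r"^(?P<prefix>\s+[EA]: \S+\s+)(?P<key>[0-9a-fA-F]+(?:\s+[0-9a-fA-F]+)*)\s*$")


def redact(dump: str) -> str:
    """Return the dump with every E:/A: key replaced by a placeholder."""
    lines = []
    for line in dump.splitlines():
        m = KEY_LINE.match(line)
        lines.append(m["prefix"] + REDACTED if m else line)
    return "\n".join(lines) + ("\n" if dump.endswith("\n") else "")


def _notes(sa: dict) -> list:
    """Defender-side observations for one SA, in the terms the thread used."""
    notes = []
    if sa["key_exposed"]:
        notes.append("raw key material present: a reader of this dump can decrypt "
                     "(E:) and forge (A:) traffic on this SA")
    enc = sa["enc"] or ""
    if enc.endswith("-cbc"):
        notes.append("CBC-mode ESP: the per-packet serial encrypt path the thread "
                     "calls out as slow; AES-GCM is the usual alternative")
        if sa["auth"] is None:
            notes.append("no A: line: CBC ESP without integrity protection")
    elif "gcm" in enc:
        notes.append("AEAD (GCM): integrity is built in, no separate A: algorithm")
    if sa["auth"] == "hmac-sha2-256":
        notes.append("hmac-sha2-256: the thread suggests hmac-sha2-512 is faster "
                     "on 64-bit systems")
    return notes


def audit(dump: str) -> list:
    """Parse a setkey -D dump into one dict per SA, with notes attached."""
    sas, cur = [], None
    for line in dump.splitlines():
        h = SA_HEADER.match(line)
        if h:
            cur = {"src": h["src"], "dst": h["dst"], "proto": None, "spi": None,
                   "enc": None, "auth": None, "key_exposed": False, "notes": []}
            sas.append(cur)
            continue
        if cur is None:
            continue
        p = PROTO_LINE.match(line)
        if p:
            cur["proto"], cur["spi"] = p["proto"], p["spi"]
            continue
        a = ALG_LINE.match(line)
        if a:
            cur["enc" if a["kind"] == "E" else "auth"] = a["alg"]
            if KEY_LINE.match(line):
                cur["key_exposed"] = True
    for sa in sas:
        sa["notes"] = _notes(sa)
    return sas


if __name__ == "__main__":
    # Print the shareable version first, then the findings per SA.
    print(redact(SAMPLE_SETKEY_D))
    for sa in audit(SAMPLE_SETKEY_D):
        print(f"{sa['src']} -> {sa['dst']} {sa['proto']} spi={sa['spi']} "
              f"E={sa['enc']} A={sa['auth']}")
        for note in sa["notes"]:
            print("   -", note)
```

Run it as `sudo setkey -D | python3 audit_setkey.py` after swapping the sample for `sys.stdin.read()`, or just run the file to see the constructed sample processed. `audit()` still recovers the algorithm names from a dump that has already been through `redact()`, so the redacted copy is the one that belongs in a mail to the list.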


[Bug 230510] iflib/vlan panic: sleeping thread

2018-08-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230510

Mark Linimon  changed:

   What|Removed |Added

   Keywords||panic
   Assignee|b...@freebsd.org|n...@freebsd.org

-- 
You are receiving this mail because:
You are the assignee for the bug.


Re: Is if_ipsec/ipsec - AESNI accelerated ?

2018-08-10 Thread Mike Tancsa
On 8/9/2018 4:11 PM, David P. Discher wrote:
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > sudo setkey -D
> Password:
> 10.245.0.201 10.245.0.202
>   esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x000c)
>   E: rijndael-cbc  79e053a5 221c6d48 31e4c98a 3ae8c8ed
    

BTW, if you use a static psk, does not the above line essentially give
someone with access to the ESP traffic a way to decode your traffic ?

---Mike

>   A: hmac-sha2-256  9f1a4188 7849ad94 41cfd974 a5e0570a cc7c54a5 c16f5ebc 
> 6bb39fbb 212abce0
>   seq=0x0011 replay=4 flags=0x state=mature
>   created: Aug  9 19:21:15 2018   current: Aug  9 19:38:13 2018
>   diff: 1018(s)   hard: 86400(s)  soft: 69120(s)
>   last: Aug  9 19:21:16 2018  hard: 0(s)  soft: 0(s)
>   current: 2652(bytes)hard: 0(bytes)  soft: 0(bytes)
>   allocated: 17   hard: 0 soft: 0
>   sadb_seq=1 pid=2441 refcnt=1
> 10.245.0.202 10.245.0.201
>   esp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x000c)
>   E: rijndael-cbc  221239cf e0ddedc5 88f1f711 5e744723
>   A: hmac-sha2-256  bf214e0e 73b27e42 1090a067 eaed9e2a d36d3ae7 529a40a1 
> bf5ea2c9 0e3f5f27
>   seq=0x replay=4 flags=0x state=mature
>   created: Aug  9 19:21:15 2018   current: Aug  9 19:38:13 2018
>   diff: 1018(s)   hard: 86400(s)  soft: 69120(s)
>   last:   hard: 0(s)  soft: 0(s)
>   current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
>   allocated: 0hard: 0 soft: 0
>   sadb_seq=0 pid=2441 refcnt=1
> 
> 
> 
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > sudo setkey -D -P
> 172.30.1.12/30[any] 172.30.1.12/30[any] any
>   in ipsec
>   esp/tunnel/10.245.0.202-10.245.0.201/unique:12
>   spid=22 seq=11 pid=2443 scope=global
>   refcnt=1
> 172.30.1.4/30[any] 172.30.1.4/30[any] any
>   in ipsec
>   esp/tunnel/10.245.0.203-10.245.0.201/unique:4
>   spid=24 seq=10 pid=2443 scope=global
>   refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
>   in ipsec
>   esp/tunnel/10.245.0.202-10.245.0.201/unique:12
>   spid=5 seq=9 pid=2443 scope=ifnet ifname=ipsec12
>   refcnt=1
> ::/0[any] ::/0[any] any
>   in ipsec
>   esp/tunnel/10.245.0.202-10.245.0.201/unique:12
>   spid=7 seq=8 pid=2443 scope=ifnet ifname=ipsec12
>   refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
>   in ipsec
>   esp/tunnel/10.245.0.203-10.245.0.201/unique:4
>   spid=13 seq=7 pid=2443 scope=ifnet ifname=ipsec4
>   refcnt=1
> ::/0[any] ::/0[any] any
>   in ipsec
>   esp/tunnel/10.245.0.203-10.245.0.201/unique:4
>   spid=15 seq=6 pid=2443 scope=ifnet ifname=ipsec4
>   refcnt=1
> 172.30.1.12/30[any] 172.30.1.12/30[any] any
>   out ipsec
>   esp/tunnel/10.245.0.201-10.245.0.202/unique:12
>   spid=21 seq=5 pid=2443 scope=global
>   refcnt=1
> 172.30.1.4/30[any] 172.30.1.4/30[any] any
>   out ipsec
>   esp/tunnel/10.245.0.201-10.245.0.203/unique:4
>   spid=23 seq=4 pid=2443 scope=global
>   refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
>   out ipsec
>   esp/tunnel/10.245.0.201-10.245.0.202/unique:12
>   spid=6 seq=3 pid=2443 scope=ifnet ifname=ipsec12
>   refcnt=1
> ::/0[any] ::/0[any] any
>   out ipsec
>   esp/tunnel/10.245.0.201-10.245.0.202/unique:12
>   spid=8 seq=2 pid=2443 scope=ifnet ifname=ipsec12
>   refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
>   out ipsec
>   esp/tunnel/10.245.0.201-10.245.0.203/unique:4
>   spid=14 seq=1 pid=2443 scope=ifnet ifname=ipsec4
>   refcnt=1
> ::/0[any] ::/0[any] any
>   out ipsec
>   esp/tunnel/10.245.0.201-10.245.0.203/unique:4
>   spid=16 seq=0 pid=2443 scope=ifnet ifname=ipsec4
>   refcnt=1
> 
> 
> --
> David P. Discher 
> https://davidpdischer.com/
> 408.368.3725 • d...@dpdtech.com
> 
> 
> 


-- 
---
Mike Tancsa, tel +1 519 651 3400 x203
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada


New iflib/e1000 panic (vlan) report [Was: Re: svn commit: r333338 - in stable/11/sys: dev/bnxt kern net sys]

2018-08-10 Thread Harry Schmalzbauer

On 08.05.2018 at 11:52, Kevin Bowling wrote:

On Tue, May 8, 2018 at 2:43 AM, Harry Schmalzbauer  wrote:

Regarding Kevin Bowling's message of 08.05.2018 11:26 (localtime):

iflib in stable/11 only affects bnxt at this time.

You should try out HEAD and let us know for the rest of your questions.

…

it's more than one, I'll file a PR.
But if the simple iflib/hw-support test with kawela+hartwell helps, I'm
happy to do so.


At this point it would be helpful, we think e1000 is nearing pretty
good shape and I need to become familiar with any outstanding bugs.


FYI: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230510
Didn't know if I should add people's email to the bug "users" without 
their request/permission.


-harry



[Bug 218579] Wake on Lan doesn't work for bge NIC driver

2018-08-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218579

NK  changed:

   What|Removed |Added

 CC||nkul...@gmail.com

--- Comment #10 from NK  ---
There is still an issue with the WOL patch for the bge driver on FreeBSD 11.2.

It seems there are boot issues; see here:
https://www.xigmanas.com/forums/viewtopic.php?f=78=13807#p85480

-- 
You are receiving this mail because:
You are on the CC list for the bug.