Re: Is if_ipsec/ipsec - AESNI accelerated ?
Mike Tancsa wrote this message on Fri, Aug 10, 2018 at 16:44 -0400:
> On 8/9/2018 4:11 PM, David P. Discher wrote:
> > [ pts/0 sjc2 util201:~ ]
> > [ dpd ] > sudo setkey -D
> > Password:
> > 10.245.0.201 10.245.0.202
> > esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x000c)
> > E: rijndael-cbc
>
> BTW, if you use a static psk, does not the above line essentially give
> someone with access to the ESP traffic a way to decode your traffic ?

Yes, this does... And the A: line gives you the ability to spoof packets
as well... Hopefully there wasn't any important data encrypted w/ that
key... Always X those out...

> > A: hmac-sha2-256 xxx

--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: Is if_ipsec/ipsec - AESNI accelerated ?
David P. Discher wrote this message on Thu, Aug 09, 2018 at 13:11 -0700:
> The documentation for using IPSec (especially if_ipsec) is really thin for
> freebsd, so I pieced some of this together from various posts and mailing
> lists threads.
>
> Is there no need for racoon ? How in this example is the IKE/ISAKMP setup
> done ? Is setkey doing this ?

Yeah, it is... A few of us have sample config files floating around..
When I was doing testing I used:
https://github.com/jmgurney/ipseccfgs

> > On Aug 9, 2018, at 1:32 AM, Andrey V. Elsukov wrote:
> >
> > # kldload aesni
> > # setkey -DF
> > # setkey -c
> > add 10.0.0.25 10.0.0.15 esp 1 -m tunnel -u 16385 -E rijndael-cbc
> > "0123456789123456";
> > add 10.0.0.15 10.0.0.25 esp 2 -m tunnel -u 16385 -E rijndael-cbc
> > "0123456789123456";
> >
> > # sysctl net.inet.ipsec.async_crypto=0
> > net.inet.ipsec.async_crypto: 1 -> 0
>
> This is 11.2-stable, shortly after release … I don’t have this sysctl.
>
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > sysctl net.inet.ipsec
> net.inet.ipsec.def_policy: 1
> net.inet.ipsec.esp_trans_deflev: 1
> net.inet.ipsec.esp_net_deflev: 1
> net.inet.ipsec.ah_trans_deflev: 1
> net.inet.ipsec.ah_net_deflev: 1
> net.inet.ipsec.ah_cleartos: 1
> net.inet.ipsec.dfbit: 0
> net.inet.ipsec.ecn: 0
> net.inet.ipsec.debug: 0
> net.inet.ipsec.filtertunnel: 0
> net.inet.ipsec.natt_cksum_policy: 0
> net.inet.ipsec.check_policy_history: 0
> net.inet.ipsec.crypto_support: 50331648
>
> > On Aug 9, 2018, at 6:40 AM, John-Mark Gurney wrote:
> >
> >
> > You don't show what ciphers you are using. It could be that you're
> > using CBC mode, which is known to be slow, or that you're using a
> > slow AH that is limiting performance, and not the cipher...
> >
> > Need to see your setkey.conf, or at least the output of setkey -D..
>
> racoon.conf is :
>
> sainfo anonymous
> {
> 	pfs_group 2;
> 	lifetime time 86400 seconds;
> 	encryption_algorithm aes;
> 	authentication_algorithm hmac_sha256;
> 	compression_algorithm deflate;
> }
>
> remote 10.245.0.202 [500] {
> 	passive off;
> 	my_identifier address 172.30.1.13;
> 	exchange_mode main;
> 	lifetime time 24 hour;
> 	proposal {
> 		encryption_algorithm aes;
> 		hash_algorithm sha1;
> 		authentication_method pre_shared_key;
> 		dh_group 2;
> 	}
> }
>
>
> For some reason, I don’t think I can use AES-GCM on the juniper side,
> because of a combination of other required settings. I remember trying, but
> don’t remember why I can’t.
>
>
> setkey.conf is :
>
> flush;
> spdflush;
>
> spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec
> esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
> spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in ipsec
> esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
> spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec
> esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
> spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in ipsec
> esp/tunnel/10.245.0.203-10.245.0.201/unique:4;
>
> And that results in :
>
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > sudo setkey -D
> Password:
> 10.245.0.201 10.245.0.202
> esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x000c)
> E: rijndael-cbc
> A: hmac-sha2-256

Yeah, this is AES-CBC, and will always be slow on encryption, decryption
will be fast though... To get max possible speed (per core), you can run:
openssl speed -evp aes-128-cbc

I believe that crypto will be single threaded on output, so you could try
to enable net.inet.ipsec.async_crypto and see if that helps.. This will
let your sending process be on one core while handing the encryption off
to another thread... If you were running HEAD, you'd also get further
improvements by there being multiple threads doing processing, but it
looks like that change hasn't been MFC'd yet...

Switching to SHA2-512 will also improve performance on 64bit systems...
Also, check to make sure that the various processes are consuming 100%
usage, and likely you'll see that.. Also, try running multiple streams to
see if you get better performance, you should get significantly better
performance as that'll split the work among multiple threads...

--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
Re: Is if_ipsec/ipsec - AESNI accelerated ?
On 8/9/2018 4:11 PM, David P. Discher wrote:
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > sudo setkey -D
> Password:
> 10.245.0.201 10.245.0.202
> esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x000c)
> E: rijndael-cbc 79e053a5 221c6d48 31e4c98a 3ae8c8ed

BTW, if you use a static psk, does not the above line essentially give
someone with access to the ESP traffic a way to decode your traffic ?

---Mike

> A: hmac-sha2-256 9f1a4188 7849ad94 41cfd974 a5e0570a cc7c54a5 c16f5ebc
> 6bb39fbb 212abce0
> seq=0x0011 replay=4 flags=0x state=mature
> created: Aug 9 19:21:15 2018 current: Aug 9 19:38:13 2018
> diff: 1018(s) hard: 86400(s) soft: 69120(s)
> last: Aug 9 19:21:16 2018 hard: 0(s) soft: 0(s)
> current: 2652(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 17 hard: 0 soft: 0
> sadb_seq=1 pid=2441 refcnt=1
> 10.245.0.202 10.245.0.201
> esp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x000c)
> E: rijndael-cbc 221239cf e0ddedc5 88f1f711 5e744723
> A: hmac-sha2-256 bf214e0e 73b27e42 1090a067 eaed9e2a d36d3ae7 529a40a1
> bf5ea2c9 0e3f5f27
> seq=0x replay=4 flags=0x state=mature
> created: Aug 9 19:21:15 2018 current: Aug 9 19:38:13 2018
> diff: 1018(s) hard: 86400(s) soft: 69120(s)
> last: hard: 0(s) soft: 0(s)
> current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 0 hard: 0 soft: 0
> sadb_seq=0 pid=2441 refcnt=1
>
>
>
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > sudo setkey -D -P
> 172.30.1.12/30[any] 172.30.1.12/30[any] any
> in ipsec
> esp/tunnel/10.245.0.202-10.245.0.201/unique:12
> spid=22 seq=11 pid=2443 scope=global
> refcnt=1
> 172.30.1.4/30[any] 172.30.1.4/30[any] any
> in ipsec
> esp/tunnel/10.245.0.203-10.245.0.201/unique:4
> spid=24 seq=10 pid=2443 scope=global
> refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> in ipsec
> esp/tunnel/10.245.0.202-10.245.0.201/unique:12
> spid=5 seq=9 pid=2443 scope=ifnet ifname=ipsec12
> refcnt=1
> ::/0[any] ::/0[any] any
> in ipsec
> esp/tunnel/10.245.0.202-10.245.0.201/unique:12
> spid=7 seq=8 pid=2443 scope=ifnet ifname=ipsec12
> refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> in ipsec
> esp/tunnel/10.245.0.203-10.245.0.201/unique:4
> spid=13 seq=7 pid=2443 scope=ifnet ifname=ipsec4
> refcnt=1
> ::/0[any] ::/0[any] any
> in ipsec
> esp/tunnel/10.245.0.203-10.245.0.201/unique:4
> spid=15 seq=6 pid=2443 scope=ifnet ifname=ipsec4
> refcnt=1
> 172.30.1.12/30[any] 172.30.1.12/30[any] any
> out ipsec
> esp/tunnel/10.245.0.201-10.245.0.202/unique:12
> spid=21 seq=5 pid=2443 scope=global
> refcnt=1
> 172.30.1.4/30[any] 172.30.1.4/30[any] any
> out ipsec
> esp/tunnel/10.245.0.201-10.245.0.203/unique:4
> spid=23 seq=4 pid=2443 scope=global
> refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> out ipsec
> esp/tunnel/10.245.0.201-10.245.0.202/unique:12
> spid=6 seq=3 pid=2443 scope=ifnet ifname=ipsec12
> refcnt=1
> ::/0[any] ::/0[any] any
> out ipsec
> esp/tunnel/10.245.0.201-10.245.0.202/unique:12
> spid=8 seq=2 pid=2443 scope=ifnet ifname=ipsec12
> refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> out ipsec
> esp/tunnel/10.245.0.201-10.245.0.203/unique:4
> spid=14 seq=1 pid=2443 scope=ifnet ifname=ipsec4
> refcnt=1
> ::/0[any] ::/0[any] any
> out ipsec
> esp/tunnel/10.245.0.201-10.245.0.203/unique:4
> spid=16 seq=0 pid=2443 scope=ifnet ifname=ipsec4
> refcnt=1
>
>
> --
> David P. Discher
> https://davidpdischer.com/
> 408.368.3725 • d...@dpdtech.com

--
---
Mike Tancsa, tel +1 519 651 3400 x203
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada
Re: Is if_ipsec/ipsec - AESNI accelerated ?
You're not running AES-GCM, you're running AES-CBC + HMAC-SHA256

> E: rijndael-cbc 221239cf e0ddedc5 88f1f711 5e744723
> A: hmac-sha2-256 bf214e0e 73b27e42 1090a067 eaed9e2a d36d3ae7 529a40a1 bf5ea2c9 0e3f5f27

Try running AES-GCM.

Example (from the work that gnn@ and I did back in 2014/15):

https://github.com/freebsd-net/netperf/blob/master/IPSEC/Configs/dut-aes-gcm.conf
https://github.com/freebsd-net/netperf/blob/master/IPSEC/Configs/source-aes-gcm.conf

Results on larger hardware, if you care:
https://github.com/freebsd-net/netperf/blob/master/Documentation/Presentations/BSDCan2015.pdf

Once you have that running, see if setting net.inet.ipsec.async_crypto=1 helps

Also, if PMTU doesn't work on your path, clamp TCP MSS to 1400 on both sides.

# ipfw add # tcp-setmss 1400

or

scrub on max-mss 1400

in your pf.conf

That all said, I only get around 400Mbps using AES-GCM over a real 1gbps
path between my house and work running a C2558 at home. I'm running pfSense
(because... you know...), but you should be able to achieve similar results
with a stock FreeBSD 11.2 system.

If you want to go faster, we've seen 856 mbps over a pair of C3558s, using
just AES-GCM w/AES-NI. This is with 'pf' on, and KPI mitigations running,
btw. If anything, I'd expect routed ipsec to be a bit faster.

Jim

On Thu, Aug 9, 2018 at 3:55 PM, Andrey V. Elsukov wrote:
> On 09.08.2018 23:11, David P. Discher wrote:
> > The documentation for using IPSec (especially if_ipsec) is really thin
> > for freebsd, so I pieced some of this together from various posts and
> > mailing lists threads.
> >
> > Is there no need for racoon ? How in this example is the IKE/ISAKMP
> > setup done ? Is setkey doing this ?
> >
> > This is 11.2-stable, shortly after release … I don’t have this sysctl.
>
> This is manually configured tunnel between two FreeBSD 12.0-CURRENT
> hosts. I can suggest to try patch and config from this post:
>
> https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html
>
> >> Need to see your setkey.conf, or at least the output of setkey -D..
> >
> >
> > setkey.conf is :
> >
> > flush;
> > spdflush;
> >
> > spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec
> > esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
> > spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in ipsec
> > esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
> > spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec
> > esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
> > spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in ipsec
> > esp/tunnel/10.245.0.203-10.245.0.201/unique:4;
>
> You don't need to create security policies for if_ipsec interfaces. They
> are created by interface automatically.
>
> --
> WBR, Andrey V. Elsukov
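Two points raised earlier in this thread come down to reading a `setkey -D` dump carefully: Mike and John-Mark note that the E: and A: lines carry the raw SA keys, so a dump pasted into a public list lets anyone holding the ESP capture decrypt and forge that traffic, and Jim points out that the same dump shows AES-CBC + HMAC rather than AES-GCM. The script below is an added example for this thread, not code from the thread's participants or from FreeBSD. It parses the dump layout shown in the thread, reports each SA's algorithms (flagging CBC+HMAC suites and AEAD suites), and writes a copy with the key words replaced by `xxx` for sharing. The sample dump is constructed with made-up key words; the rendering of an `aes-gcm-16` SA without an A: line, and the `AEAD_CIPHERS` name set, are assumptions rather than something the thread shows.

```python
"""Review and redact a FreeBSD `setkey -D` (SADB) dump. Added example, not FreeBSD code."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout `setkey -D` prints in the thread. The key
# words are made up; the aes-gcm-16 SA (no A: line) is an assumed rendering.
SAMPLE_DUMP = """\
10.245.0.201 10.245.0.202
\tesp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x000c)
\tE: rijndael-cbc  11111111 22222222 33333333 44444444
\tA: hmac-sha2-256  aaaaaaaa bbbbbbbb cccccccc dddddddd eeeeeeee ffffffff
\t                  01234567 89abcdef
\tseq=0x00000011 replay=4 flags=0x00000000 state=mature
\tsadb_seq=1 pid=2441 refcnt=1
10.245.0.202 10.245.0.201
\tesp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x000c)
\tE: aes-gcm-16  55555555 66666666 77777777 88888888 99999999
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=0 pid=2441 refcnt=1
"""

HEX_WORD = re.compile(r"^[0-9a-f]{8}$")           # one 32-bit key word
SA_HEADER = re.compile(r"^(\S+) (\S+)$")           # "src dst" line
PROTO_LINE = re.compile(r"^(esp|ah) mode=(\S+) spi=(\d+)\(")
ALG_LINE = re.compile(r"^([EA]): (\S+)\s*(.*)$")   # "E: alg key..." / "A: alg key..."
AEAD_CIPHERS = {"aes-gcm-16", "aes-gcm-12", "aes-gcm-8"}  # assumed setkey names


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    encr: Optional[str] = None
    auth: Optional[str] = None
    key_words: int = 0  # 32-bit words of E:/A: key material visible in the dump


def _is_key_continuation(tokens: List[str]) -> bool:
    """A line made only of 8-hex-digit words is a wrapped key line."""
    return bool(tokens) and all(HEX_WORD.match(t) for t in tokens)


def parse_setkey_dump(text: str) -> List[SecurityAssociation]:
    """Parse the SADB dump into one record per security association."""
    sas: List[SecurityAssociation] = []
    cur: Optional[SecurityAssociation] = None
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if cur is not None and _is_key_continuation(tokens):
            cur.key_words += len(tokens)
            continue
        m = ALG_LINE.match(line)
        if m and cur is not None:
            kind, alg, key = m.groups()
            if kind == "E":
                cur.encr = alg
            else:
                cur.auth = alg
            cur.key_words += sum(1 for t in key.split() if HEX_WORD.match(t))
            continue
        m = PROTO_LINE.match(line)
        if m and cur is not None:
            cur.proto, cur.mode, cur.spi = m.group(1), m.group(2), int(m.group(3))
            continue
        m = SA_HEADER.match(line)
        if m and "=" not in line:
            cur = SecurityAssociation(src=m.group(1), dst=m.group(2))
            sas.append(cur)
    return sas


def review(sas: List[SecurityAssociation]) -> List[str]:
    """Findings per SA: cipher-suite class and whether key material is visible."""
    findings = []
    for sa in sas:
        tag = f"{sa.src} -> {sa.dst} spi={sa.spi}"
        if sa.encr in AEAD_CIPHERS:
            findings.append(f"{tag}: {sa.encr} is an AEAD suite (aesni(4) accelerates it)")
        elif sa.encr and sa.encr.endswith("-cbc"):
            findings.append(f"{tag}: {sa.encr}+{sa.auth} is CBC+HMAC; "
                            "encryption stays serial per packet, prefer aes-gcm-16")
        if sa.key_words:
            findings.append(f"{tag}: {sa.key_words} key words visible, redact before sharing")
    return findings


def redact_keys(text: str) -> str:
    """Return the dump with every E:/A: key replaced by 'xxx' (wrapped key lines dropped)."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if _is_key_continuation(line.split()):
            continue
        m = ALG_LINE.match(line)
        if m:
            indent = raw[: len(raw) - len(raw.lstrip())]
            suffix = " xxx" if m.group(3).strip() else ""
            out.append(f"{indent}{m.group(1)}: {m.group(2)}{suffix}")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # `setkey -D | python3 this.py` reviews a live dump; with no stdin it uses the sample.
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for finding in review(parse_setkey_dump(dump)):
        print(finding)
    print(redact_keys(dump), end="")
```

The redacted copy keeps the SPI, reqid, lifetimes and algorithm names, which is everything a list reader needs to diagnose a tunnel, and re-parsing it reports no visible key words.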
Re: Is if_ipsec/ipsec - AESNI accelerated ?
On 09.08.2018 23:11, David P. Discher wrote:
> The documentation for using IPSec (especially if_ipsec) is really thin
> for freebsd, so I pieced some of this together from various posts and
> mailing lists threads.
>
> Is there no need for racoon ? How in this example is the IKE/ISAKMP
> setup done ? Is setkey doing this ?
>
> This is 11.2-stable, shortly after release … I don’t have this sysctl.

This is manually configured tunnel between two FreeBSD 12.0-CURRENT
hosts. I can suggest to try patch and config from this post:

https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

>> Need to see your setkey.conf, or at least the output of setkey -D..
>
>
> setkey.conf is :
>
> flush;
> spdflush;
>
> spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec
> esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
> spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in ipsec
> esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
> spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec
> esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
> spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in ipsec
> esp/tunnel/10.245.0.203-10.245.0.201/unique:4;

You don't need to create security policies for if_ipsec interfaces. They
are created by interface automatically.

--
WBR, Andrey V. Elsukov
Re: Is if_ipsec/ipsec - AESNI accelerated ?
The documentation for using IPSec (especially if_ipsec) is really thin for
freebsd, so I pieced some of this together from various posts and mailing
lists threads.

Is there no need for racoon ? How in this example is the IKE/ISAKMP setup
done ? Is setkey doing this ?

> On Aug 9, 2018, at 1:32 AM, Andrey V. Elsukov wrote:
>
> # kldload aesni
> # setkey -DF
> # setkey -c
> add 10.0.0.25 10.0.0.15 esp 1 -m tunnel -u 16385 -E rijndael-cbc
> "0123456789123456";
> add 10.0.0.15 10.0.0.25 esp 2 -m tunnel -u 16385 -E rijndael-cbc
> "0123456789123456";
>
> # sysctl net.inet.ipsec.async_crypto=0
> net.inet.ipsec.async_crypto: 1 -> 0

This is 11.2-stable, shortly after release … I don’t have this sysctl.

[ pts/0 sjc2 util201:~ ]
[ dpd ] > sysctl net.inet.ipsec
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 0
net.inet.ipsec.filtertunnel: 0
net.inet.ipsec.natt_cksum_policy: 0
net.inet.ipsec.check_policy_history: 0
net.inet.ipsec.crypto_support: 50331648

> On Aug 9, 2018, at 6:40 AM, John-Mark Gurney wrote:
>
>
> You don't show what ciphers you are using. It could be that you're
> using CBC mode, which is known to be slow, or that you're using a
> slow AH that is limiting performance, and not the cipher...
>
> Need to see your setkey.conf, or at least the output of setkey -D..

racoon.conf is :

sainfo anonymous
{
	pfs_group 2;
	lifetime time 86400 seconds;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha256;
	compression_algorithm deflate;
}

remote 10.245.0.202 [500] {
	passive off;
	my_identifier address 172.30.1.13;
	exchange_mode main;
	lifetime time 24 hour;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

For some reason, I don’t think I can use AES-GCM on the juniper side,
because of a combination of other required settings. I remember trying, but
don’t remember why I can’t.

setkey.conf is :

flush;
spdflush;

spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec
esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in ipsec
esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec
esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in ipsec
esp/tunnel/10.245.0.203-10.245.0.201/unique:4;

And that results in :

[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo setkey -D
Password:
10.245.0.201 10.245.0.202
	esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x000c)
	E: rijndael-cbc 79e053a5 221c6d48 31e4c98a 3ae8c8ed
	A: hmac-sha2-256 9f1a4188 7849ad94 41cfd974 a5e0570a cc7c54a5 c16f5ebc
	                 6bb39fbb 212abce0
	seq=0x0011 replay=4 flags=0x state=mature
	created: Aug 9 19:21:15 2018 current: Aug 9 19:38:13 2018
	diff: 1018(s) hard: 86400(s) soft: 69120(s)
	last: Aug 9 19:21:16 2018 hard: 0(s) soft: 0(s)
	current: 2652(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 17 hard: 0 soft: 0
	sadb_seq=1 pid=2441 refcnt=1
10.245.0.202 10.245.0.201
	esp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x000c)
	E: rijndael-cbc 221239cf e0ddedc5 88f1f711 5e744723
	A: hmac-sha2-256 bf214e0e 73b27e42 1090a067 eaed9e2a d36d3ae7 529a40a1
	                 bf5ea2c9 0e3f5f27
	seq=0x replay=4 flags=0x state=mature
	created: Aug 9 19:21:15 2018 current: Aug 9 19:38:13 2018
	diff: 1018(s) hard: 86400(s) soft: 69120(s)
	last: hard: 0(s) soft: 0(s)
	current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 0 hard: 0 soft: 0
	sadb_seq=0 pid=2441 refcnt=1

[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo setkey -D -P
172.30.1.12/30[any] 172.30.1.12/30[any] any
	in ipsec
	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
	spid=22 seq=11 pid=2443 scope=global
	refcnt=1
172.30.1.4/30[any] 172.30.1.4/30[any] any
	in ipsec
	esp/tunnel/10.245.0.203-10.245.0.201/unique:4
	spid=24 seq=10 pid=2443 scope=global
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
	spid=5 seq=9 pid=2443 scope=ifnet ifname=ipsec12
	refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
	spid=7 seq=8 pid=2443 scope=ifnet ifname=ipsec12
	refcnt=1
0.0.0.0/0[any]
Re: Is if_ipsec/ipsec - AESNI accelerated ?
David P. Discher wrote this message on Thu, Aug 09, 2018 at 00:00 -0700:
>
> > On Aug 8, 2018, at 10:37 PM, Andrey V. Elsukov wrote:
> >
> > On 09.08.2018 06:57, David P. Discher wrote:
> >> I’m suspecting that IPSec in FreeBSD is not leveraging AESNI on Intel.
> >> Is this correct ?
> >
> > IPsec uses crypto(9) framework that works by default without any
> > acceleration. You need to load aesni(4) kernel module to enable
> > acceleration. Also, you need to recreate security associations after
> > module loading to take effect.
>
> Yes. I booted with AESNI loaded … via loader.conf. Transcript below. Two
> endpoints are identical hardware.

You don't show what ciphers you are using. It could be that you're
using CBC mode, which is known to be slow, or that you're using a
slow AH that is limiting performance, and not the cipher...

Need to see your setkey.conf, or at least the output of setkey -D..

--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
Re: Is if_ipsec/ipsec - AESNI accelerated ?
On 09.08.2018 10:00, David P. Discher wrote:
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > iperf3 -c 10.245.0.202 -i 8 -t 16
> Connecting to host 10.245.0.202, port 5201
> [ 5] local 10.245.0.201 port 55165 connected to 10.245.0.202 port 5201
> [ ID] Interval Transfer Bitrate Retr Cwnd
> [ 5] 0.00-8.00 sec 887 MBytes 930 Mbits/sec 0 419 KBytes
> [ 5] 8.00-16.00 sec 898 MBytes 941 Mbits/sec 0 419 KBytes
> - - - - - - - - - - - - - - - - - - - - - - - - -
> [ ID] Interval Transfer Bitrate Retr
> [ 5] 0.00-16.00 sec 1.74 GBytes 936 Mbits/sec 0 sender
> [ 5] 0.00-16.01 sec 1.74 GBytes 935 Mbits/sec receiver
>
> iperf Done.
>
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > iperf3 -c 172.30.1.14 -i 8 -t 16
> Connecting to host 172.30.1.14, port 5201
> [ 5] local 172.30.1.13 port 41671 connected to 172.30.1.14 port 5201
> [ ID] Interval Transfer Bitrate Retr Cwnd
> [ 5] 0.00-8.00 sec 166 MBytes 174 Mbits/sec 0 64.3 KBytes
> [ 5] 8.00-16.00 sec 168 MBytes 176 Mbits/sec 0 64.3 KBytes
> - - - - - - - - - - - - - - - - - - - - - - - - -
> [ ID] Interval Transfer Bitrate Retr
> [ 5] 0.00-16.00 sec 334 MBytes 175 Mbits/sec 0 sender
> [ 5] 0.00-16.01 sec 334 MBytes 175 Mbits/sec receiver

I did some tests and here are my results:

# ifconfig ipsec0
ipsec0: flags=8051 metric 0 mtu 1400
	tunnel inet 10.0.0.15 --> 10.0.0.25
	inet 192.168.0.15 --> 192.168.0.25 netmask 0xff00
	inet6 fe80::225:90ff:fef9:3c92%ipsec0 prefixlen 64 scopeid 0x8
	nd6 options=23
	reqid: 16385
	groups: ipsec
# iperf -c 10.0.0.25 -i 8 -t 16
Client connecting to 10.0.0.25, TCP port 5001
TCP window size: 35.0 KByte (default)
[ 3] local 10.0.0.15 port 21371 connected with 10.0.0.25 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 8.0 sec 9.09 GBytes 9.77 Gbits/sec
[ 3] 8.0-16.0 sec 9.22 GBytes 9.90 Gbits/sec
[ 3] 0.0-16.0 sec 18.3 GBytes 9.83 Gbits/sec
# iperf -c 192.168.0.25 -i 8 -t 16
Client connecting to 192.168.0.25, TCP port 5001
TCP window size: 33.2 KByte (default)
[ 3] local 192.168.0.15 port 30394 connected with 192.168.0.25 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 8.0 sec 607 MBytes 636 Mbits/sec
[ 3] 8.0-16.0 sec 606 MBytes 636 Mbits/sec
[ 3] 0.0-16.0 sec 1.19 GBytes 636 Mbits/sec
# sysctl net.inet.ipsec.async_crypto=1
net.inet.ipsec.async_crypto: 0 -> 1
# iperf -c 192.168.0.25 -i 8 -t 16
Client connecting to 192.168.0.25, TCP port 5001
TCP window size: 33.2 KByte (default)
[ 3] local 192.168.0.15 port 17716 connected with 192.168.0.25 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 8.0 sec 1.38 GBytes 1.48 Gbits/sec
[ 3] 8.0-16.0 sec 1.40 GBytes 1.51 Gbits/sec
[ 3] 0.0-16.0 sec 2.78 GBytes 1.50 Gbits/sec
# kldload aesni
# setkey -DF
# setkey -c
add 10.0.0.25 10.0.0.15 esp 1 -m tunnel -u 16385 -E rijndael-cbc "0123456789123456";
add 10.0.0.15 10.0.0.25 esp 2 -m tunnel -u 16385 -E rijndael-cbc "0123456789123456";
# sysctl net.inet.ipsec.async_crypto=0
net.inet.ipsec.async_crypto: 1 -> 0
# iperf -c 192.168.0.25 -i 8 -t 16
Client connecting to 192.168.0.25, TCP port 5001
TCP window size: 33.2 KByte (default)
[ 3] local 192.168.0.15 port 57206 connected with 192.168.0.25 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 8.0 sec 1.08 GBytes 1.16 Gbits/sec
[ 3] 8.0-16.0 sec 1.11 GBytes 1.19 Gbits/sec
[ 3] 0.0-16.0 sec 2.19 GBytes 1.18 Gbits/sec
# sysctl net.inet.ipsec.async_crypto=1
net.inet.ipsec.async_crypto: 0 -> 1
# ifconfig ipsec0 mtu 8000 down up
# iperf -c 192.168.0.25 -i 8 -t 16
Client connecting to 192.168.0.25, TCP port 5001
TCP window size: 38.9 KByte (default)
[ 3] local 192.168.0.15 port 37641 connected with 192.168.0.25 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 8.0 sec 5.64 GBytes 6.06 Gbits/sec
[ 3] 8.0-16.0 sec 5.76 GBytes 6.19 Gbits/sec
[ 3] 0.0-16.0 sec 11.4 GBytes 6.12 Gbits/sec

--
WBR, Andrey V. Elsukov
Re: Is if_ipsec/ipsec - AESNI accelerated ?
> On Aug 8, 2018, at 10:37 PM, Andrey V. Elsukov wrote:
>
> On 09.08.2018 06:57, David P. Discher wrote:
>> I’m suspecting that IPSec in FreeBSD is not leveraging AESNI on Intel. Is
>> this correct ?
>
> IPsec uses crypto(9) framework that works by default without any
> acceleration. You need to load aesni(4) kernel module to enable
> acceleration. Also, you need to recreate security associations after
> module loading to take effect.

Yes. I booted with AESNI loaded … via loader.conf. Transcript below. Two
endpoints are identical hardware.

--
David P. Discher
https://davidpdischer.com/
408.368.3725 • d...@dpdtech.com

[ pts/0 sjc2 util201:~ ]
[ dpd ] > kldstat
Id Refs Address Size Name
1 32 0x8020 2081408 kernel
2 1 0x82283000 259e0 geom_mirror.ko
3 1 0x822a9000 e568 if_bridge.ko
4 2 0x822b8000 6d28 bridgestp.ko
5 1 0x822bf000 7600 if_tap.ko
6 1 0x822c7000 f988 ipmi.ko
7 2 0x822d7000 2d10 smbus.ko
8 1 0x822da000 381130 zfs.ko
9 2 0x8265c000 a380 opensolaris.ko
10 1 0x82667000 af98 aesni.ko
11 1 0x82b11000 2328 ums.ko
[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo /usr/local/etc/rc.d/racoon stop
Password:
Stopping racoon.
Waiting for PIDS: 1065.
[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo /usr/local/etc/rc.d/racoon start
Starting racoon.
[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo setkey -f /usr/local/etc/racoon/setkey.conf
[ pts/0 sjc2 util201:~ ]
[ dpd ] > ifconfig ipsec12
ipsec12: flags=8151 metric 0 mtu 1350
	tunnel inet 10.245.0.201 --> 10.245.0.202
	inet 172.30.1.13 --> 172.30.1.14 netmask 0xfffc
	nd6 options=29
	reqid: 12
	groups: ipsec
[ pts/0 sjc2 util201:~ ]
[ dpd ] > ping 172.30.1.14
PING 172.30.1.14 (172.30.1.14): 56 data bytes
64 bytes from 172.30.1.14: icmp_seq=2 ttl=64 time=0.452 ms
64 bytes from 172.30.1.14: icmp_seq=3 ttl=64 time=0.368 ms
64 bytes from 172.30.1.14: icmp_seq=4 ttl=64 time=0.353 ms
^C
--- 172.30.1.14 ping statistics ---
5 packets transmitted, 3 packets received, 40.0% packet loss
round-trip min/avg/max/stddev = 0.353/0.391/0.452/0.044 ms
[ pts/0 sjc2 util201:~ ]
[ dpd ] > iperf3 -c 10.245.0.202 -i 8 -t 16
Connecting to host 10.245.0.202, port 5201
[ 5] local 10.245.0.201 port 55165 connected to 10.245.0.202 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-8.00 sec 887 MBytes 930 Mbits/sec 0 419 KBytes
[ 5] 8.00-16.00 sec 898 MBytes 941 Mbits/sec 0 419 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-16.00 sec 1.74 GBytes 936 Mbits/sec 0 sender
[ 5] 0.00-16.01 sec 1.74 GBytes 935 Mbits/sec receiver

iperf Done.

[ pts/0 sjc2 util201:~ ]
[ dpd ] > iperf3 -c 172.30.1.14 -i 8 -t 16
Connecting to host 172.30.1.14, port 5201
[ 5] local 172.30.1.13 port 41671 connected to 172.30.1.14 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-8.00 sec 166 MBytes 174 Mbits/sec 0 64.3 KBytes
[ 5] 8.00-16.00 sec 168 MBytes 176 Mbits/sec 0 64.3 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-16.00 sec 334 MBytes 175 Mbits/sec 0 sender
[ 5] 0.00-16.01 sec 334 MBytes 175 Mbits/sec receiver

iperf Done.

[ pts/0 sjc2 util201:~ ]
[ dpd ] > uname -a
FreeBSD util201.sjc2.ixsystems.com 11.2-STABLE FreeBSD 11.2-STABLE #3: Tue Jul 24 20:57:34 UTC 2018 r...@proxima.sjc2.ixsystems.com:/usr/obj/usr/src/sys/IX amd64
[ pts/0 sjc2 util201:~ ]
[ dpd ] >
Re: Is if_ipsec/ipsec - AESNI accelerated ?
On 09.08.2018 06:57, David P. Discher wrote:
> I’m suspecting that IPSec in FreeBSD is not leveraging AESNI on Intel. Is
> this correct ?

IPsec uses crypto(9) framework that works by default without any
acceleration. You need to load aesni(4) kernel module to enable
acceleration. Also, you need to recreate security associations after
module loading to take effect.

--
WBR, Andrey V. Elsukov
Re: Is if_ipsec/ipsec - AESNI accelerated ?
09.08.2018 10:57, David P. Discher wrote:
> I’m suspecting that IPSec in FreeBSD is not leveraging AESNI on Intel. Is
> this correct ?
>
> A small system, with an Atom C2758 and AESNI can hit 940-950 Mbps on a 1g
> copper link SCPing a file with Cipher=aes256-gcm. SSH/OpenSSL automatically
> uses AESNI if available. (Side Note, loading cryptodev - openSSH/SSL will
> grab crypto dev and cut your speed in half). Same with un-encrypted
> iperf2/3, even with just a single TCP connection.
>
> Over an IPsec tunnel, this same system bottlenecks at 180 Mbps. These
> systems are on the same vlan and subnet, same physical switch - so direct
> route.
>
> So, does IPSec use AESNI ? I would have at least expected 600-700 Mbps.

Do you have aesni(4) driver in the kernel or loaded as module? It is
present in FreeBSD since version 9.0