> Thanks for the info, couple of questions , > > 1. However there was a bug in pre 4.1 kernels where AES-NI does not work > right for GCM operations.
See https://wiki.strongswan.org/issues/341 and http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e31ac32d3bc for your reference. > kapil : can you point me to > > > On Mon, Jun 20, 2016 at 12:31 PM, Jeff Leung <[email protected]> > wrote: > > > > Hi, > > > > i am looking for ways to improve the throughput while using the > > strongswan IPSEC. > > > > I read that AES-GCM provides excellent throughput over default > > AES-CBC- > > 128 when used with AES-NI support in intel processors. > > > > > > i want to enable AES-GCM128 cipher in my xeon E5 processor, and > from > > looking at the Intel white paper, it mentioned about using "Linux > > AES-NI- GCM Crypto Plug-in" to enable this support. > > It described about a patch to existing AES-NI driver file, called > > aesni- intel_glue.c and aesni-intel_asm.s. > As strongSwan uses XFRM stack by default on Linux and XFRM being > a kernel level implementation, it has the capability of using AES-NI at the > driver level. However there was a bug in pre 4.1 kernels where AES-NI does > not work right for GCM operations. > > > > > > > Paper: http://www.intel.com/content/www/us/en/intelligent- > > systems/wireless-infrastructure/aes-ipsec-performance-linux- > paper.html > > > > > > 1. There is strongswan plugin for intel AES-NI, Can somebody > > confirm/tell me a way to find if this is the same plugin as the one > > mentioned in intel Doc ? To me it looks like that, but i wanted to > > check with someone who might be already using this. > iirc that is meant for userspace mode of operation only. XFRM stack > still uses the kernel cryptographic drivers for encrypting and decrypting ESP > payloads. > > > 2. Is there some other way to get higher throughput ? > > pcrypt module is available, will it work with AES-GCM ? > > > > > > libstrongswan plugin : > > > > aesni - Intel AES-NI crypto plugin (since 5.3.1 > > <https://wiki.strongswan.org/versions/56> ) > > > > > > > > > > The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and > GCM crypto > > primitives for AES-128/192/256. > > > > The plugin requires AES-NI and PCLMULQDQ instructions and works > on > > both > > x86 and x64 architectures. It provides superior crypto performance > in > > userland without any external libraries. > > > > > > Thanks > > kapil. > > > > > > > > > > _______________________________________________ > Users mailing list > [email protected] > https://lists.strongswan.org/mailman/listinfo/users > _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
