Am 09.01.2015 um 14:55 schrieb Paul Wouters:
I'd be interested in the esp= algos listed on the above libreswan page.
Note that some of those algorithms are not available for KLIPS.
So in this test it was:
ike=aes256-sha1;modp2048
phase2alg=aes256-sha1;modp2048
I'll play around with other alg's next week.
(My tests on the IBM x3550m4 failed to run properly for KLIPS, so I
could only provide NETKEY numbers. KLIPS worked for simple pings, but
running iperf it just locked up)
This is the output with NETKEY (huge gain with tcp / window 512):
TCP tests
iperf -i1 -w 32k -c SRV
------------------------------------------------------------
Client connecting to 10.12.11.100, TCP port 5001
TCP window size: 64.0 KByte (WARNING: requested 32.0 KByte)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 46384 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 32.4 MBytes 272 Mbits/sec
[ 3] 1.0- 2.0 sec 32.1 MBytes 269 Mbits/sec
[ 3] 2.0- 3.0 sec 32.0 MBytes 268 Mbits/sec
[ 3] 3.0- 4.0 sec 32.6 MBytes 274 Mbits/sec
[ 3] 4.0- 5.0 sec 32.8 MBytes 275 Mbits/sec
[ 3] 5.0- 6.0 sec 32.2 MBytes 271 Mbits/sec
[ 3] 6.0- 7.0 sec 32.5 MBytes 273 Mbits/sec
[ 3] 7.0- 8.0 sec 32.5 MBytes 273 Mbits/sec
[ 3] 8.0- 9.0 sec 32.6 MBytes 274 Mbits/sec
[ 3] 9.0-10.0 sec 32.6 MBytes 274 Mbits/sec
[ 3] 0.0-10.0 sec 324 MBytes 272 Mbits/sec
iperf -i1 -w 512k -c SRV
------------------------------------------------------------
Client connecting to 10.12.11.100, TCP port 5001
TCP window size: 416 KByte (WARNING: requested 512 KByte)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 46389 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 106 MBytes 891 Mbits/sec
[ 3] 1.0- 2.0 sec 108 MBytes 904 Mbits/sec
[ 3] 2.0- 3.0 sec 108 MBytes 903 Mbits/sec
[ 3] 3.0- 4.0 sec 108 MBytes 903 Mbits/sec
[ 3] 4.0- 5.0 sec 108 MBytes 903 Mbits/sec
[ 3] 5.0- 6.0 sec 108 MBytes 904 Mbits/sec
[ 3] 6.0- 7.0 sec 108 MBytes 904 Mbits/sec
[ 3] 7.0- 8.0 sec 108 MBytes 904 Mbits/sec
[ 3] 8.0- 9.0 sec 108 MBytes 904 Mbits/sec
[ 3] 9.0-10.0 sec 108 MBytes 904 Mbits/sec
[ 3] 0.0-10.0 sec 1.05 GBytes 902 Mbits/sec
UDP with max. packet size (UDP bandwidth) tests
iperf -u -i1 -c SRV -b 100m
------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 55228 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 1.0- 2.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 2.0- 3.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 3.0- 4.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 4.0- 5.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 5.0- 6.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 6.0- 7.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 7.0- 8.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 8.0- 9.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 9.0-10.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 0.0-10.0 sec 120 MBytes 101 Mbits/sec
[ 3] Sent 85471 datagrams
[ 3] WARNING: did not receive ack of last datagram after 10 tries.
iperf -u -i1 -c SRV -b 1000m
------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 39588 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 1.0- 2.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 2.0- 3.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 3.0- 4.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 4.0- 5.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 5.0- 6.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 6.0- 7.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 7.0- 8.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 8.0- 9.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 9.0-10.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 0.0-10.0 sec 969 MBytes 813 Mbits/sec
[ 3] Sent 691024 datagrams
[ 3] Server Report:
[ 3] 0.0-10.0 sec 966 MBytes 810 Mbits/sec 0.113 ms 2266/691023
(0.33%)
[ 3] 0.0-10.0 sec 1 datagrams received out-of-order
UDP with small packets for PPS measuring
iperf -l 64 -u -i1 -c SRV -b 1000m
------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 64 byte datagrams
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 54439 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 1.0- 2.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 2.0- 3.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 3.0- 4.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 4.0- 5.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 5.0- 6.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 6.0- 7.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 7.0- 8.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 8.0- 9.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 9.0-10.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 0.0-10.0 sec 42.2 MBytes 35.4 Mbits/sec
[ 3] Sent 691026 datagrams
[ 3] Server Report:
[ 3] 0.0-10.0 sec 42.2 MBytes 35.4 Mbits/sec 0.021 ms 406/691025
(0.059%)
[ 3] 0.0-10.0 sec 1 datagrams received out-of-order
iperf -l 128 -u -i1 -c SRV -b 1000m
------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 128 byte datagrams
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 53285 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 1.0- 2.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 2.0- 3.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 3.0- 4.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 4.0- 5.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 5.0- 6.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 6.0- 7.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 7.0- 8.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 8.0- 9.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 9.0-10.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 0.0-10.0 sec 84.4 MBytes 70.8 Mbits/sec
[ 3] Sent 691024 datagrams
[ 3] Server Report:
[ 3] 0.0-10.0 sec 84.3 MBytes 70.7 Mbits/sec 0.018 ms 680/691023
(0.098%)
[ 3] 0.0-10.0 sec 1 datagrams received out-of-order
Note that on embedded platforms, you might see a lot of gain using the
OCF kernel module (ocf.ko with cryptosoft.ko) with KLIPS for those
crypto hardware drivers supported by Linux natively. OCF will also allow
KLIPS to use multiple CPU cores, which it cannot do without OCF.
See _stackmanager for some OCF detection/configuration if you are not
using _stackmanager on your embedded platform to start libreswan.
This system is only AES-NI capable
It would be good if we could compare plaintext speeds with IPsec speeds,
so that we have an idea of what the cost is for enabling IPsec on those
devices.
Here is the comparison:
http://www.routerperformance.net/routers/nexcom-nsa/iperf-results-nexcom-nsa3150/
Note also that for LAN connections and high speed interfaces (10GigE)
you should really set the MTU to 9000 or else you won't see more than
1Gbps. The ethtool output might also be useful to verify various
hardware offload settings which can get in the way of performance when
running IPsec.
Oh, ok, I'll change everything to 9000, next week you get the results.
Here's ethtool output:
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: Symmetric
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: Symmetric
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
MDI-X: on (auto)
Supports Wake-on: pumbg
Wake-on: g
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
Features for eth0:
rx-checksumming: on
tx-checksumming: on
tx-checksum-ipv4: on
tx-checksum-ip-generic: off [fixed]
tx-checksum-ipv6: on
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: on
scatter-gather: on
tx-scatter-gather: on
tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
tx-tcp-segmentation: on
tx-tcp-ecn-segmentation: off [fixed]
tx-tcp6-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]
receive-hashing: on
highdma: on [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-ipip-segmentation: off [fixed]
tx-sit-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-mpls-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
l2-fwd-offload: off [fixed]
busy-poll: off [fixed]
I would love to add some summaries of hardware and performance on our
libreswan benchmarking page with links to yours if we can get the
additional information (hardware, cpu model, ram, nic brands, etc)
Sure, put it on your wiki! :)
Nexcom NSA3150
- Support 4th generation Intel® Core™ processors
- Intel® H81Chipset
Intel i3-4330 3,5 GHz - 2 core - LGA1150 Socket - 4 MB Cache
4th Generation / Haswell
Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor PCI Express x16
Controller (rev 06)
Apacer 4GB RAM (x2 = 8GB)
DDR3 UDIMM 1333 256x8 2R CL9
02:00.0 Ethernet controller: Intel Corporation I211 Gigabit Network
Connection (rev 03)
http://www.nexcom.com/Products/network-and-communication-solutions/entry-level-appliance/entry-level-appliance/network-security-appliance-nsa-3150
Paul
Michael
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
