On Thu, Oct 13, 2005 at 04:07:00PM -0600, Theo de Raadt wrote:
> > Even though the card is detected, I'm not seeing any boost in
> > IPsec performance.
> >
> > Cpu is a Geode1100 - doing 10Mb/s IPsec has it maxed out :)
> > The cpu is unable to feed the crypto card fast enough.
>
> You would think that doing crypto operations, especially 3DES
> is a lot of work. And it is. But there is a nearly fixed
> overhead in the driver for managing the card.
>
> And it is a high overhead.
A friend of mine and I tried setting up a 4501 as a router doing IPsec for any wirelessly connected hosts (WAPs on the ethernets). We found the 4501 getting slaughtered by doing IPsec itself (throughput from wireless to wired host, having gone through the 4501, was down from ~1.2MB/s clear to ~180KB/s with IPsec), and then found that a 4501 + a 1411 really ain't that much to write home about either. (Don't remember precisely what it went up to with the 1411, maybe about 20%-30% of the way between CPU IPsec and cleartext speeds.)

Did some testing on a 4801 (which your numbers seem to indicate as being what you are doing it on too) and saw things pretty close to what you saw, +/- 1.5 Mb/s here or there. Of note was that the type of crypto we were doing (so long as it was supported by the hifn) didn't matter at all. We got essentially the same throughput (e.g. within less than a megabit) if we did 3des-cbc/MD5 or aes-128-cbc/MD5 or aes-256-cbc/SHA, etc.

As a sidenote, I've also put a 1401 in a dual athlon.mp 2.14GHz and seen openssl speed crank out a 20% or more improvement in the 8k blocksize column, as compared to straight CPU. (The hifn eats it compared to straight CPU for the lower 3 blocksizes; the 4th one is sometimes either/or, depends on how much -multi I am testing.)

In other words, the problem ain't the hifn, nor would your situation be made better by a faster crypto chip; again, the athlon.mp machine got beat at 8k blocksize with a hifn versus without.

It's easy to be an armchair quarterback, and perhaps I don't know the whole story, but it'd be nice if Soren et al. appeared to not be resting on the laurels of selling a boat load of 4501/4801s over the past few years and instead were pumping out some hardware that was fast enough to not suck for use as something like a LAN<->LAN IPsec'd wireless router/AP.

jared
--
[ openbsd 3.8 GENERIC ( sep 27 ) // i386 ]
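The effect both posters describe (a crypto card that only pays off at large block sizes, because each request carries a fixed driver cost regardless of how many bytes it covers) can be seen in a small cost model. The following is an added example, not code from the thread or from OpenBSD; every number in it (the 2 us / 60 us fixed costs, the 40 MB/s and 200 MB/s per-byte rates, the packet sizes) is an assumption chosen for illustration, not a measurement of any Geode, hifn or Athlon.

```python
"""
Throughput model: fixed per-request overhead plus per-byte cost.

Added illustration for the hifn discussion above. NOT measured data and
NOT OpenBSD driver code; all parameters below are assumed for illustration.
"""


def throughput_bytes_per_s(block_size, fixed_cost_s, per_byte_cost_s):
    """Bytes/s when every block of `block_size` bytes costs a fixed
    setup time plus a per-byte processing time on one crypto path."""
    per_block_s = fixed_cost_s + block_size * per_byte_cost_s
    return block_size / per_block_s


# Assumed, illustrative parameters (not measurements):
CPU_FIXED = 2e-6         # ~2 us call/setup overhead per block on the host CPU
CPU_PER_BYTE = 1 / 40e6  # host CPU sustains ~40 MB/s of cipher work
HW_FIXED = 60e-6         # ~60 us per request to drive the card (descriptor,
                         # DMA setup, completion interrupt) - the "fixed overhead"
HW_PER_BYTE = 1 / 200e6  # the card's engine itself processes ~200 MB/s


def compare(block_sizes=(16, 64, 256, 1024, 8192)):
    """Per block size: (size, cpu_bytes_per_s, hw_bytes_per_s, card_wins).
    The sizes mirror the columns of `openssl speed` output."""
    rows = []
    for bs in block_sizes:
        cpu = throughput_bytes_per_s(bs, CPU_FIXED, CPU_PER_BYTE)
        hw = throughput_bytes_per_s(bs, HW_FIXED, HW_PER_BYTE)
        rows.append((bs, cpu, hw, hw > cpu))
    return rows


def crossover_block_size(cpu_fixed, cpu_per_byte, hw_fixed, hw_per_byte):
    """Block size n at which the card breaks even with the CPU, i.e. where
    cpu_fixed + n*cpu_per_byte == hw_fixed + n*hw_per_byte.
    Returns None when the card's per-byte rate is not better than the
    CPU's, because then it never catches up at any size."""
    if cpu_per_byte <= hw_per_byte:
        return None
    return (hw_fixed - cpu_fixed) / (cpu_per_byte - hw_per_byte)


def packet_mix_throughput(packet_sizes, fixed_cost_s, per_byte_cost_s):
    """Effective bytes/s for a stream of packets (e.g. IPsec ESP packets),
    each submitted to the crypto path as its own request."""
    total_bytes = sum(packet_sizes)
    total_s = sum(fixed_cost_s + p * per_byte_cost_s for p in packet_sizes)
    return total_bytes / total_s


if __name__ == "__main__":
    for bs, cpu, hw, wins in compare():
        print(f"{bs:5d} bytes: cpu {cpu/1e6:6.1f} MB/s  card {hw/1e6:6.1f} MB/s"
              f"  {'card wins' if wins else 'cpu wins'}")
    n = crossover_block_size(CPU_FIXED, CPU_PER_BYTE, HW_FIXED, HW_PER_BYTE)
    print(f"card breaks even at ~{n:.0f} bytes per request")
    # Constructed packet stream: ten MTU-sized IPsec packets of 1400 bytes.
    pkts = [1400] * 10
    print(f"1400-byte packets: cpu {packet_mix_throughput(pkts, CPU_FIXED, CPU_PER_BYTE)/1e6:.1f} MB/s,"
          f" card {packet_mix_throughput(pkts, HW_FIXED, HW_PER_BYTE)/1e6:.1f} MB/s")
```

With these assumed numbers the card loses at 16 through 1024 bytes and wins only at 8192, and it breaks even around 2900 bytes per request, well above the size of a single IPsec packet, which is why a per-packet request pattern never reaches the card's raw rate no matter how fast the engine is. Swap in your own measured fixed and per-byte costs to see where a given card and host actually cross over.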