Bihlmaier Andreas wrote:
My problem with the speed is that compared to the performance I get out
of openssl (by USERcrypto) the IPSEC (in kernel) performance is terrible.
AFAIK right now it doesn't even make use of the crypto hardware because
I can get the same throughput with a comparable fast CPU (without crypto
hardware).
This explained on http://www.openbsd.org/crypto.html
"VIA C3 CPUs with a step 8 or later Nehemiah core contains an AES
implementation accessible via simple instructions. As of 3.4 the kernel
supports them to be used in an IPsec context and exported by
/dev/crypto. As of 3.5 performances have been greatly improved and
OpenSSL now uses the new instruction directly when available without the
need to enter the kernel, resulting in vastly improved speed (AES-128
measured at 780MByte/sec) for applications using OpenSSL to perform AES
encryption."
As I say earlier, the hardware is working, but the performance
bottleneck is elsewhere (presumably kernel crypto framework).
Cheers,
Dries
