On 04/27/2009 03:45:58 AM, Benny Amorsen wrote:
> It seems that OpenVPN is quite far away from the theoretical performance where kernel-userspace-kernel copying becomes an issue. Right now encryption is quite expensive, except on a few platforms with dedicated AES instructions.

Dedicated encryption hardware is cheap (<$100). And it seems that using it can also involve a kernel/userspace transition.

I've a box with an AMD Geode LX. This chip supports AES-128 bit encryption. The same box also has a Hi/fn 7955 chip on a separate PCI card, which supports AES-256 as well as other algorithms. When I switch from AES-128 to AES-256, or other, cheaper, choices supported by the Hifn but not the Geode, I see a large performance hit. Assuming my tests are right; I've not put a lot of effort into it.

I suspect the problem is again kernel/userspace. The CPU is available to userspace, but the Hifn is not. (There are other possibilities. Perhaps OpenSSL does not play well with multiple hardware accelerators, or maybe my tests are just plain bad.)

So, I believe it's easy and cheap to add hardware to an OpenVPN box and create a situation where the kernel/userspace transition cost does matter.

Karl <k...@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein