Hi,
we recently found that the switch to constant-time AES has quite a heavy
impact on IPsec performance. But since according to CVS that was part
of OpenBSD 6.2 already, it's probably something else.
https://github.com/openbsd/src/commit/d223d7cb85c1f2f705da547a0134b949655abe6a
Patric
Hello,
I'm currently doing some IPsec performance testing between OpenBSD 6.3 and 6.5.
Dmesg and ipsec.conf is below for information.
Testing with iperf3 and 1500B packets, throughput drops around 1/3, from 919
Mbps to 623 Mbps.
I also tried 6.4, which has similar perfomance to 6.5.
I
SEC peers, this
resulted to high CPU usage on CPU0 on both boxes (± 80% on client and
± 55% on server), so this test is not 100% accurate from maximum
possible performance of view.
Did anybody have significantly better results? Any luck to improve
ipsec performance today?
Power of Proof:
Screensh
om]
> Envoyé : dimanche 21 juillet 2013 13:17
> Ã : BARDOU Pierre
> Cc : misc@openbsd.org
> Objet : Re: OpenBSD ipsec performance on modern HW
>
> All,
>
> during my tests I seen that CPU on all cores and memory usage was very low.
> Just interesting if there are an
--
Cordialement,
Pierre BARDOU
De : Evgeniy Sudyr [mailto:eject.in...@gmail.com]
Envoyé : dimanche 21 juillet 2013 13:17
À : BARDOU Pierre
Cc : misc@openbsd.org
Objet : Re: OpenBSD ipsec performance on modern HW
All,
during my tests I seen that CPU on all cores and memory usage was very low.
Just
On 2013 Jul 21 (Sun) at 14:16:32 +0300 (+0300), Evgeniy Sudyr wrote:
:All,
:
:during my tests I seen that CPU on all cores and memory usage was very low.
:Just interesting if there are any bottlenecks and how to fix them.
Lots of bottlenecks. They can only be fixed in code, and others are
working
All,
during my tests I seen that CPU on all cores and memory usage was very low.
Just interesting if there are any bottlenecks and how to fix them.
1) Does anybody care tcp stack tuning for high speed IPSEC ?
2) Can I run IPSEC (that's isakmpd ?) on other cores?
Pierre,
can you share your ipsec
BARDOU
-Message d'origine-
De : Chris Cappuccio [mailto:ch...@nmedia.net]
Envoyé : mardi 16 juillet 2013 00:51
À : Evgeniy Sudyr
Cc : misc@openbsd.org; mi...@openbsd.org
Objet : Re: OpenBSD ipsec performance on modern HW
Evgeniy Sudyr [eject.in...@gmail.com] wrote:
>
>
Evgeniy Sudyr [eject.in...@gmail.com] wrote:
>
> BOX1 dmesg:
> cpu0: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.45 MHz
> cpu1: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu2: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu3: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu
ure if I can improve isakmpd / ipsec performance in my setup
> > on openbsd -current
> >
> > I have two boxes connected to each other via 1Gbit link and I'm using
> iperf
> > to test performance with default ipsec.conf between these two servers:
> >
> &g
Evgeniy Sudyr wrote:
> I need to figure if I can improve isakmpd / ipsec performance in my setup
> on openbsd -current
>
> I have two boxes connected to each other via 1Gbit link and I'm using iperf
> to test performance with default ipsec.conf between these two servers:
&
systat output from one of Box-es:
4 usersLoad 0.89 0.35 0.22 Sun Jul 14 13:34:03
2013
memory totals (in KB)PAGING SWAPPING
Interrupts
real virtual free in out in out12188
total
Active24660 24660 3930
Hi
I need to figure if I can improve isakmpd / ipsec performance in my setup
on openbsd -current
I have two boxes connected to each other via 1Gbit link and I'm using iperf
to test performance with default ipsec.conf between these two servers:
# cat ipsec.conf:
ike esp from aaa.aaa.aaa.1
That depends what kind of hardware you have and what type of setting
it will be used in.
For example, have used a 100Mhz net4511 on a home-based connection
without much trouble, but it would be inappropriate for much above
that.
-Will
On Thu, Feb 21, 2008 at 12:37 PM, Gustavo Polillo <[EMAIL PRO
How much OpenBSD performance is losted with IPSEC enable?
Christian Weisgerber [EMAIL PROTECTED] wrote:
>
> As reported ad nauseum, the vpn1411 doesn't work reliably in earlier
> Soekrises. Whether this still applies to the net5501 is a valid
> question.
>
The only common piece between the 4501 and the 4801 was the ethernet chip.
Everything else was d
Chris Cappuccio <[EMAIL PROTECTED]> wrote:
> > Has anybody checked how much traffic you can push through a net5501
> > serving as an IPsec gateway?
>
> There are plenty of examples of people running the openssl benchmark routine.
Benchmarking OpenSSL is not an application I'm interested in, in
t
Christian Weisgerber [EMAIL PROTECTED] wrote:
> So...
> Has anybody checked how much traffic you can push through a net5501
> serving as an IPsec gateway?
>
There are plenty of examples of people running the openssl benchmark routine.
> Has anybody tried a vpn1411 in a net5501 yet?
>
It alrea
So...
Has anybody checked how much traffic you can push through a net5501
serving as an IPsec gateway?
Has anybody tried a vpn1411 in a net5501 yet?
--
Christian "naddy" Weisgerber [EMAIL PROTECTED]
Henning Brauer wrote:
no.
there is no benefit from SMP in this case.
I believe you. In fact, many Cisco VPN routers came with a 400-700 Mhz
Intel PII or PIII cpu's which could handle a few thousand IPSEC
connections.
I've had a good throughput with a 1.0 Ghz PIII with a large number of
cl
* J.C. Roberts <[EMAIL PROTECTED]> [2005-11-09 16:50]:
> On Wed, 9 Nov 2005 14:34:27 +0100, Henning Brauer
> <[EMAIL PROTECTED]> wrote:
> >* J.C. Roberts <[EMAIL PROTECTED]> [2005-11-08 10:26]:
> >> Now think to yourself on this one. You've got 60 tunnels that must be
> >> serviced by the processor
On Wed, 9 Nov 2005 14:34:27 +0100, Henning Brauer
<[EMAIL PROTECTED]> wrote:
>* J.C. Roberts <[EMAIL PROTECTED]> [2005-11-08 10:26]:
>> Now think to yourself on this one. You've got 60 tunnels that must be
>> serviced by the processor. A single threaded processor with limited
>> cache and task swi
* J.C. Roberts <[EMAIL PROTECTED]> [2005-11-08 10:26]:
> Now think to yourself on this one. You've got 60 tunnels that must be
> serviced by the processor. A single threaded processor with limited
> cache and task switching (i.e. Celeron) is the wrong choice if not the
> worst choice you could make
OoO En cette fin de matinie radieuse du mardi 08 novembre 2005, vers
11:05, Otto Moerbeek <[EMAIL PROTECTED]> disait:
>> >OpenBSD is running on a Celeron 2.4 GHz and openssl speed aes gives 70
>> >MB/s and des-ede3 gives 15 MB/s. With 40 Mb/s (megabits/s) of traffic,
>> >the processor is used at
OoO En cette matinie pluvieuse du mardi 08 novembre 2005, vers 10:24,
"J.C. Roberts" <[EMAIL PROTECTED]> disait:
> Now think to yourself on this one. You've got 60 tunnels that must be
> serviced by the processor. A single threaded processor with limited
> cache and task switching (i.e. Celeron)
On Tue, 8 Nov 2005, J.C. Roberts wrote:
> On Tue, 08 Nov 2005 08:51:06 +0100, Vincent Bernat <[EMAIL PROTECTED]>
> wrote:
>
> >Hi !
> >
> >I have several questions about IPsec performance in OpenBSD. I am
> >using IPsec to maintain more than 60 tun
On Tue, 08 Nov 2005 08:51:06 +0100, Vincent Bernat <[EMAIL PROTECTED]>
wrote:
>Hi !
>
>I have several questions about IPsec performance in OpenBSD. I am
>using IPsec to maintain more than 60 tunnels and it performs well when
>those tunnels are idle. Tunnels are eit
Hi !
I have several questions about IPsec performance in OpenBSD. I am
using IPsec to maintain more than 60 tunnels and it performs well when
those tunnels are idle. Tunnels are either using 3DES or AES. 3DES is
due to the fact that clients are using Windows where AES is not
28 matches
Mail list logo
