‐‐‐ Original Message ‐‐‐
On Thursday, June 13, 2019 10:46 PM, Stuart Henderson
wrote:
> 4.9.0.6 does have it enabled by default. I'm not sure about the 4.0.x releases
> and don't want to reboot mine to check now either :)
Finally managed to reboot my firewall box and so I can confirm th
On 13 Jun 2019, at 22:46, Stuart Henderson wrote:
On 2019/06/13 20:08, mabi wrote:
‐‐‐ Original Message ‐‐‐
On Wednesday, June 12, 2019 10:26 PM, Stuart Henderson
wrote:
If you're on an old BIOS revision for the APU (more than a couple of
months old), try updating, they have enable
On 2019/06/13 20:08, mabi wrote:
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, June 12, 2019 10:26 PM, Stuart Henderson
> wrote:
>
> > If you're on an old BIOS revision for the APU (more than a couple of
> > months old), try updating, they have enabled "core performance boost"
> > which inc
‐‐‐ Original Message ‐‐‐
On Wednesday, June 12, 2019 10:26 PM, Stuart Henderson
wrote:
> If you're on an old BIOS revision for the APU (more than a couple of
> months old), try updating, they have enabled "core performance boost"
> which increases speed of a single core if the others are
On 2019-06-12, Stuart Henderson wrote:
> If you're on an old BIOS revision for the APU (more than a couple of
> months old), try updating, they have enabled "core performance boost"
> which increases speed of a single core if the others are not under
> heavy load.
>
> I haven't done network benchm
If you're on an old BIOS revision for the APU (more than a couple of
months old), try updating, they have enabled "core performance boost"
which increases speed of a single core if the others are not under
heavy load.
I haven't done network benchmarks but there is a noticeable improvement
in some o
‐‐‐ Original Message ‐‐‐
On Wednesday, June 12, 2019 11:34 AM, Daniel Gracia wrote:
> Those look like reasonable numbers for the given scenario. Improving
> your IPsec bandwidth would take more horsepower than an APU box.
> Improving site-to-site encrypted VPN speed, assuming two APU boxes
Those look like reasonable numbers for the given scenario. Improving
your IPsec bandwidth would take more horsepower than an APU box.
Improving site-to-site encrypted VPN speed, assuming two APU boxes,
would require switching from IPsec to something like a WireGuard VPN,
available on -current as a p
‐‐‐ Original Message ‐‐‐
On Tuesday, June 11, 2019 1:04 PM, Christian Weisgerber
wrote:
> > childsa enc aes-128-gcm
>
> Correct.
For reference I now changed the childsa encryption cipher to aes-128-gcm and
get 93 Mbit/s throughput instead of the 80 Mbit/s I saw with aes-256.
Better th
mabi:
> Last question hopefully... Reading the iked.conf man page I conclude that all
> I need for that is to add to my ikev2 config the following additional
> parameter:
>
> childsa enc aes-128-gcm
Correct.
--
Christian "naddy" Weisgerber na...@mips.inka.de
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 7:09 PM, Christian Weisgerber
wrote:
> No "auth". AES-GCM is an authenticated encryption algorithm, i.e.,
> it handles both encryption and authentication at the same time.
> Specifying an additional "auth" algorithm doesn't make sense.
L
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 7:09 PM, Christian Weisgerber
wrote:
> No "auth". AES-GCM is an authenticated encryption algorithm, i.e.,
> it handles both encryption and authentication at the same time.
> Specifying an additional "auth" algorithm doesn't make sense.
A
mabi:
> > enc aes-128-gcm etc.
>
> That part for the "enc" parameter makes sense to me but what about the "auth"
> parameter?
No "auth". AES-GCM is an authenticated encryption algorithm, i.e.,
it handles both encryption and authentication at the same time.
Specifying an additional "auth" algor
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 6:00 PM, Christian Weisgerber
wrote:
> enc aes-128-gcm etc.
That part for the "enc" parameter makes sense to me but what about the "auth"
parameter? Would you keep the default hmac-sha2-256? or which combination with
the "enc aes-128-g
mabi:
> Thanks for the tip regarding the cpu cost of the authentication algorithm.
> Now I was wondering how do you use the AES-GCM combo? I can't find any auth
> or enc parameters mentioning that combo.
enc aes-128-gcm etc.
--
Christian "naddy" Weisgerber na
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 4:49 PM, Christian Weisgerber
wrote:
> It helps to understand that the authentication algorithm can require
> as much or more CPU than the encryption. HMAC-SHA2 is expensive.
> On hardware that has AES-NI support, like the APU2 family, AE
On 2019-06-10, mabi wrote:
> Bypassing the IPsec tunnel I get around 500 Mbit/s of bandwidth throughput
> which is quite satisfying. The bandwidth throughput over my IPsec tunnel
> achieves a max of 80 Mbit/s which I was sort of expecting with the default
> encryption settings (auth hmac-sha2-
Hi,
I am currently testing a PC Engines APU4C4 with OpenBSD 6.5 and iked for an
IPsec tunnel between two sites which both have 1 Gbit/s uplink.
Bypassing the IPsec tunnel I get around 500 Mbit/s of bandwidth throughput
which is quite satisfying. The bandwidth throughput over my IPsec tunnel
a