2003-08-28 02:38:45

by Tom Sightler

Subject: Poor IPSec performance with 2.6 kernels

Hi all.

I'm looking for suggestions as to why my IPSec performance is so bad
when using the built in 2.6 IPSec implementation.

My setup is pretty simple, a tunnel with a Watchguard Firebox on one end
and an AMD K6/333 on the other end running Redhat 9. I've used two
different IPsec implementations on the Linux system, one is
SuperFreeS/WAN with a patched Redhat kernel using the available SRPMS
and the other is the built-in 2.6 IPSec code with racoon.

My Internet connection is a DSL circuit that typically delivers about
150KB/s. When I connect with SuperFreeS/WAN my VPN throughput is quite
good, averaging about 125KB/s (this seems about reasonable with
overhead) but when making the identical connection with racoon and the
2.6 kernel I can only achieve 50KB/s. I've been unable to come up with
any reason why this would be the case.

Any hints would be appreciated.

Later,
Tom





2003-08-28 02:56:55

by James Morris

Subject: Re: Poor IPSec performance with 2.6 kernels

On 27 Aug 2003, Tom Sightler wrote:

> My Internet connection is a DSL circuit that typically delivers about
> 150KB/s. When I connect with SuperFreeS/WAN my VPN throughput is quite
> good, averaging about 125KB/s (this seems about reasonable with
> overhead) but when making the identical connection with racoon and the
> 2.6 kernel I can only achieve 50KB/s. I've been unable to come up with
> any reason why this would be the case.
>
> Any hints would be appreciated.

I think SFS uses assembly crypto algorithms where possible, which would
account for roughly 2x performance increase.


- James
--
James Morris
<[email protected]>

2003-08-28 10:18:23

by Adam J. Richter

Subject: Re: Poor IPSec performance with 2.6 kernels

At 2003-08-28 2:56:37, James Morris wrote:
>On 27 Aug 2003, Tom Sightler wrote:
>
>> My Internet connection is a DSL circuit that typically delivers about
>> 150KB/s. When I connect with SuperFreeS/WAN my VPN throughput is quite
>> good, averaging about 125KB/s (this seems about reasonable with
>> overhead) but when making the identical connection with racoon and the
>> 2.6 kernel I can only achieve 50KB/s. I've been unable to come up with
>> any reason why this would be the case.
>>
>> Any hints would be appreciated.
>
>I think SFS uses assembly crypto algorithms where possible, which would
>account for roughly 2x performance increase.

I believe that assembly AES processes about 50MB/second on a
1GHz machine, but Tom is talking about the difference between 125kB/sec.
and 50kB/sec. The C versus assembly issue is not on the scale that
Tom is asking about.

Tom, although I'm not sure that I'll immediately have the time
to dig into your problem, I think it would increase the likelihood of
someone tracking it down if you could answer the following questions.

In which direction did you take these benchmarks, inbound to the
Linux box, outbound from the Linux box, or both? If both, is
there a difference between inbound and outbound performance? What
private key algorithm are you configuring (aes, des, serpent)? How
is your DSL connected (via ethernet, via USB, such as with SpeedStream)?
What kind of CPU are you using (probably doesn't matter, even if you're
using a 16MHz 386, but it would help in reproducing your problem to
know what the benchmarks should look like on a different system).

Adam J. Richter __ ______________ 575 Oroville Road
[email protected] \ / Milpitas, California 95035
+1 408 309-6081 | g g d r a s i l United States of America
"Free Software For The Rest Of Us."

2003-08-28 13:09:51

by Tom Sightler

Subject: Re: Poor IPSec performance with 2.6 kernels


> In which direction did you take these benchmarks, inbound to the
> Linux box, outbound from the Linux box, or both? If both, is
> there a difference between inbound and outbound performance? What
> private key algorithm are you configuring (aes, des, serpent)? How
> is your DSL connected (via ethernet, via USB, such as with SpeedStream)?
> What kind of CPU are you using (probably doesn't matter, even if you're
> using a 16MHz 386, but it would help in reproducing your problem to
> know what the benchmarks should look like on a different system).

Unfortunately my DSL service is ADSL and my uplink is only 256Kbps which
gives me about 25-30KB/s on a typical, non-IPsec FTP upload. Both SFS
and in-kernel IPsec give approximately the same outbound speed over this
limited link, roughly 20KB/s, which seems about right to me.

I'm using 3des for the encryption algorithm.

DSL is connected via ethernet.

CPU is an AMD K6/2 333Mhz.

I also just thought about the fact that I could test my laptop to see if
this is a CPU related issue. It's running the same basic kernel but of
course with options for laptop devices enabled and compiled for i686,
etc. It's a much faster machine, a PIII/1.13Ghz system. If I still get
roughly the same performance then we can probably safely assume it's not
a CPU constraint. I'll test this tonight.

I'm also going to try and pull some TCP dump data to see if it gives me
any hints.

Anything else I can answer.

Later,
Tom



2003-08-28 13:40:30

by James Morris

Subject: Re: Poor IPSec performance with 2.6 kernels

On 28 Aug 2003, Tom Sightler wrote:

> I'm using 3des for the encryption algorithm.

What authentication algorithm (if any) ?


- James
--
James Morris
<[email protected]>


2003-08-28 18:56:24

by kartikey bhatt

Subject: Re: Poor IPSec performance with 2.6 kernels

Can't we use per-arch assembly algorithms for ipv6 in kernel also?

-kartikey mahendra bhatt


>From: James Morris <[email protected]>
>To: Tom Sightler <[email protected]>
>CC: "Adam J. Richter" <[email protected]>,LKML
><[email protected]>
>Subject: Re: Poor IPSec performance with 2.6 kernels
>Date: Thu, 28 Aug 2003 23:40:04 +1000 (EST)
>
>On 28 Aug 2003, Tom Sightler wrote:
>
> > I'm using 3des for the encryption algorithm.
>
>What authentication algorithm (if any) ?
>
>
>- James
>--
>James Morris
><[email protected]>

2003-08-29 01:37:28

by James Morris

Subject: Re: Poor IPSec performance with 2.6 kernels

On Fri, 29 Aug 2003, kartikey bhatt wrote:

> Can't we use per-arch assembly algorithms for ipv6 in kernel also?
>

Yes, it has just not been done yet.


- James
--
James Morris
<[email protected]>

2003-08-30 17:14:02

by kartikey bhatt

Subject: Re: Poor IPSec performance with 2.6 kernels

I'll do my best to integrate code from freeswan to kernel.

-Kartikey


>From: James Morris <[email protected]>
>To: kartikey bhatt <[email protected]>
>CC: [email protected]
>Subject: Re: Poor IPSec performance with 2.6 kernels
>Date: Fri, 29 Aug 2003 11:37:14 +1000 (EST)
>
>On Fri, 29 Aug 2003, kartikey bhatt wrote:
>
> > Can't we use per-arch assembly algorithms for ipv6 in kernel also?
> >
>
>Yes, it has just not been done yet.
>
>
>- James
>--
>James Morris
><[email protected]>

2003-09-01 17:27:11

by kartikey bhatt

Subject: Re: Poor IPSec performance with 2.6 kernels


This is taken from FreeS/Wan HOWTO.

"AES is a new US government block cipher standard, designed to replace the
obsolete DES. If FreeS/WAN using 3DES is not fast enough for your
application, the AES patch may help.

To date (March 2002) we have had only one mailing list report of
measurements with the patch applied. It indicates that, at least for the
tested load on that user's network, AES roughly doubles IPsec throughput."

-Kartikey Mahendra Bhatt



>From: James Morris <[email protected]>
>To: Tom Sightler <[email protected]>
>CC: "Adam J. Richter" <[email protected]>,LKML
><[email protected]>
>Subject: Re: Poor IPSec performance with 2.6 kernels
>Date: Thu, 28 Aug 2003 23:40:04 +1000 (EST)
>
>On 28 Aug 2003, Tom Sightler wrote:
>
> > I'm using 3des for the encryption algorithm.
>
>What authentication algorithm (if any) ?
>
>
>- James
>--
>James Morris
><[email protected]>