[Swan] Libreswan Performance tests

Muenz, Michael m.muenz at spam-fetish.org
Fri Jan 9 17:04:41 EET 2015


On 09.01.2015 at 14:55, Paul Wouters wrote:
> I'd be interested in the esp= algos listed on the above libreswan page.
> Note that some of those algorithms are not available for KLIPS.
>

So in this test it was:
         ike=aes256-sha1;modp2048
         phase2alg=aes256-sha1;modp2048

I'll play around with other algs next week.


> (My tests on the IBM x3550m4 failed to run properly for KLIPS, so I
> could only provide NETKEY numbers. KLIPS worked for simple pings, but
> running iperf it just locked up)

This is the output with NETKEY (huge gain with tcp / window 512):
TCP tests
iperf -i1 -w 32k -c SRV

------------------------------------------------------------
Client connecting to 10.12.11.100, TCP port 5001
TCP window size: 64.0 KByte (WARNING: requested 32.0 KByte)
------------------------------------------------------------
[  3] local 10.12.10.100 port 46384 connected with 10.12.11.100 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 1.0 sec  32.4 MBytes   272 Mbits/sec
[  3]  1.0- 2.0 sec  32.1 MBytes   269 Mbits/sec
[  3]  2.0- 3.0 sec  32.0 MBytes   268 Mbits/sec
[  3]  3.0- 4.0 sec  32.6 MBytes   274 Mbits/sec
[  3]  4.0- 5.0 sec  32.8 MBytes   275 Mbits/sec
[  3]  5.0- 6.0 sec  32.2 MBytes   271 Mbits/sec
[  3]  6.0- 7.0 sec  32.5 MBytes   273 Mbits/sec
[  3]  7.0- 8.0 sec  32.5 MBytes   273 Mbits/sec
[  3]  8.0- 9.0 sec  32.6 MBytes   274 Mbits/sec
[  3]  9.0-10.0 sec  32.6 MBytes   274 Mbits/sec
[  3]  0.0-10.0 sec   324 MBytes   272 Mbits/sec
iperf -i1 -w 512k -c SRV

------------------------------------------------------------
Client connecting to 10.12.11.100, TCP port 5001
TCP window size:  416 KByte (WARNING: requested  512 KByte)
------------------------------------------------------------
[  3] local 10.12.10.100 port 46389 connected with 10.12.11.100 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 1.0 sec   106 MBytes   891 Mbits/sec
[  3]  1.0- 2.0 sec   108 MBytes   904 Mbits/sec
[  3]  2.0- 3.0 sec   108 MBytes   903 Mbits/sec
[  3]  3.0- 4.0 sec   108 MBytes   903 Mbits/sec
[  3]  4.0- 5.0 sec   108 MBytes   903 Mbits/sec
[  3]  5.0- 6.0 sec   108 MBytes   904 Mbits/sec
[  3]  6.0- 7.0 sec   108 MBytes   904 Mbits/sec
[  3]  7.0- 8.0 sec   108 MBytes   904 Mbits/sec
[  3]  8.0- 9.0 sec   108 MBytes   904 Mbits/sec
[  3]  9.0-10.0 sec   108 MBytes   904 Mbits/sec
[  3]  0.0-10.0 sec  1.05 GBytes   902 Mbits/sec
UDP with max. packet size (UDP bandwidth) tests
iperf -u -i1 -c SRV -b 100m

------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 10.12.10.100 port 55228 connected with 10.12.11.100 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 1.0 sec  12.0 MBytes   101 Mbits/sec
[  3]  1.0- 2.0 sec  12.0 MBytes   101 Mbits/sec
[  3]  2.0- 3.0 sec  12.0 MBytes   101 Mbits/sec
[  3]  3.0- 4.0 sec  12.0 MBytes   101 Mbits/sec
[  3]  4.0- 5.0 sec  12.0 MBytes   101 Mbits/sec
[  3]  5.0- 6.0 sec  12.0 MBytes   101 Mbits/sec
[  3]  6.0- 7.0 sec  12.0 MBytes   101 Mbits/sec
[  3]  7.0- 8.0 sec  12.0 MBytes   101 Mbits/sec
[  3]  8.0- 9.0 sec  12.0 MBytes   101 Mbits/sec
[  3]  9.0-10.0 sec  12.0 MBytes   101 Mbits/sec
[  3]  0.0-10.0 sec   120 MBytes   101 Mbits/sec
[  3] Sent 85471 datagrams
[  3] WARNING: did not receive ack of last datagram after 10 tries.
iperf -u -i1 -c SRV -b 1000m

------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 10.12.10.100 port 39588 connected with 10.12.11.100 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 1.0 sec  96.9 MBytes   813 Mbits/sec
[  3]  1.0- 2.0 sec  96.9 MBytes   813 Mbits/sec
[  3]  2.0- 3.0 sec  96.9 MBytes   813 Mbits/sec
[  3]  3.0- 4.0 sec  96.9 MBytes   813 Mbits/sec
[  3]  4.0- 5.0 sec  96.9 MBytes   813 Mbits/sec
[  3]  5.0- 6.0 sec  96.9 MBytes   813 Mbits/sec
[  3]  6.0- 7.0 sec  96.9 MBytes   813 Mbits/sec
[  3]  7.0- 8.0 sec  96.9 MBytes   813 Mbits/sec
[  3]  8.0- 9.0 sec  96.9 MBytes   813 Mbits/sec
[  3]  9.0-10.0 sec  96.9 MBytes   813 Mbits/sec
[  3]  0.0-10.0 sec   969 MBytes   813 Mbits/sec
[  3] Sent 691024 datagrams
[  3] Server Report:
[  3]  0.0-10.0 sec   966 MBytes   810 Mbits/sec   0.113 ms 2266/691023 (0.33%)
[  3]  0.0-10.0 sec  1 datagrams received out-of-order
UDP with small packets for PPS measuring
iperf -l 64 -u -i1 -c SRV -b 1000m

------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 64 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 10.12.10.100 port 54439 connected with 10.12.11.100 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 1.0 sec  4.22 MBytes  35.4 Mbits/sec
[  3]  1.0- 2.0 sec  4.22 MBytes  35.4 Mbits/sec
[  3]  2.0- 3.0 sec  4.22 MBytes  35.4 Mbits/sec
[  3]  3.0- 4.0 sec  4.22 MBytes  35.4 Mbits/sec
[  3]  4.0- 5.0 sec  4.22 MBytes  35.4 Mbits/sec
[  3]  5.0- 6.0 sec  4.22 MBytes  35.4 Mbits/sec
[  3]  6.0- 7.0 sec  4.22 MBytes  35.4 Mbits/sec
[  3]  7.0- 8.0 sec  4.22 MBytes  35.4 Mbits/sec
[  3]  8.0- 9.0 sec  4.22 MBytes  35.4 Mbits/sec
[  3]  9.0-10.0 sec  4.22 MBytes  35.4 Mbits/sec
[  3]  0.0-10.0 sec  42.2 MBytes  35.4 Mbits/sec
[  3] Sent 691026 datagrams
[  3] Server Report:
[  3]  0.0-10.0 sec  42.2 MBytes  35.4 Mbits/sec   0.021 ms 406/691025 (0.059%)
[  3]  0.0-10.0 sec  1 datagrams received out-of-order
iperf -l 128 -u -i1 -c SRV -b 1000m

------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 128 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 10.12.10.100 port 53285 connected with 10.12.11.100 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 1.0 sec  8.44 MBytes  70.8 Mbits/sec
[  3]  1.0- 2.0 sec  8.44 MBytes  70.8 Mbits/sec
[  3]  2.0- 3.0 sec  8.44 MBytes  70.8 Mbits/sec
[  3]  3.0- 4.0 sec  8.44 MBytes  70.8 Mbits/sec
[  3]  4.0- 5.0 sec  8.44 MBytes  70.8 Mbits/sec
[  3]  5.0- 6.0 sec  8.44 MBytes  70.8 Mbits/sec
[  3]  6.0- 7.0 sec  8.44 MBytes  70.8 Mbits/sec
[  3]  7.0- 8.0 sec  8.44 MBytes  70.8 Mbits/sec
[  3]  8.0- 9.0 sec  8.44 MBytes  70.8 Mbits/sec
[  3]  9.0-10.0 sec  8.44 MBytes  70.8 Mbits/sec
[  3]  0.0-10.0 sec  84.4 MBytes  70.8 Mbits/sec
[  3] Sent 691024 datagrams
[  3] Server Report:
[  3]  0.0-10.0 sec  84.3 MBytes  70.7 Mbits/sec   0.018 ms 680/691023 (0.098%)
[  3]  0.0-10.0 sec  1 datagrams received out-of-order
>
> Note that on embedded platforms, you might see a lot of gain using the
> OCF kernel module (ocf.ko with cryptosoft.ko) with KLIPS for those
> crypto hardware drivers supported by Linux natively. OCF will also allow
> KLIPS to use multiple CPU cores, which it cannot do without OCF.
> See _stackmanager for some OCF detection/configuration if you are not
> using _stackmanager on your embedded platform to start libreswan.

This system is only AES-NI capable.
>
>
> It would be good if we could compare plaintext speeds with IPsec speeds,
> so that we have an idea of what the cost is for enabling IPsec on those
> devices.

Here is the comparison:
http://www.routerperformance.net/routers/nexcom-nsa/iperf-results-nexcom-nsa3150/

>
> Note also that for LAN connections and high speed interfaces (10GigE)
> you should really set the MTU to 9000 or else you won't see more than
> 1Gbps. The ethtool output might also be useful to verify various
> hardware offload settings which can get in the way of performance when
> running IPsec.

Oh, ok, I'll change everything to 9000, next week you get the results.

Here's ethtool output:
Settings for eth0:
         Supported ports: [ TP ]
         Supported link modes:   10baseT/Half 10baseT/Full
                                 100baseT/Half 100baseT/Full
                                 1000baseT/Full
         Supported pause frame use: Symmetric
         Supports auto-negotiation: Yes
         Advertised link modes:  10baseT/Half 10baseT/Full
                                 100baseT/Half 100baseT/Full
                                 1000baseT/Full
         Advertised pause frame use: Symmetric
         Advertised auto-negotiation: Yes
         Speed: 1000Mb/s
         Duplex: Full
         Port: Twisted Pair
         PHYAD: 1
         Transceiver: internal
         Auto-negotiation: on
         MDI-X: on (auto)
         Supports Wake-on: pumbg
         Wake-on: g
         Current message level: 0x00000007 (7)
                                drv probe link
         Link detected: yes


Features for eth0:
rx-checksumming: on
tx-checksumming: on
         tx-checksum-ipv4: on
         tx-checksum-ip-generic: off [fixed]
         tx-checksum-ipv6: on
         tx-checksum-fcoe-crc: off [fixed]
         tx-checksum-sctp: on
scatter-gather: on
         tx-scatter-gather: on
         tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
         tx-tcp-segmentation: on
         tx-tcp-ecn-segmentation: off [fixed]
         tx-tcp6-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]
receive-hashing: on
highdma: on [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-ipip-segmentation: off [fixed]
tx-sit-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-mpls-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
l2-fwd-offload: off [fixed]
busy-poll: off [fixed]


>
> I would love to add some summaries of hardware and performance on our
> libreswan benchmarking page with links to yours if we can get the
> additional information (hardware, cpu model, ram, nic brands, etc)
>

Sure, put it on your wiki! :)
Nexcom NSA3150
- Support 4th generation Intel® Core™ processors
- Intel® H81Chipset

Intel i3-4330 3,5 GHz - 2 core - LGA1150 Socket - 4 MB Cache
4th Generation / Haswell
Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor PCI Express x16 Controller (rev 06)


Apacer 4GB RAM (x2 = 8GB)
DDR3 UDIMM 1333 256x8 2R CL9


02:00.0 Ethernet controller: Intel Corporation I211 Gigabit Network Connection (rev 03)

http://www.nexcom.com/Products/network-and-communication-solutions/entry-level-appliance/entry-level-appliance/network-security-appliance-nsa-3150


> Paul
>

Michael
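An added example, not part of the thread, that turns the UDP runs quoted above into packets per second: iperf v2 prints bits/sec only, while the 64- and 128-byte runs exist to measure PPS. It also checks whether every run sent the same packet rate, in which case the traffic generator rather than the IPsec path is the ceiling; `sender_bound` and its 2% tolerance are assumptions of this example.

```python
import re

# Constructed sample: the summary lines of the three UDP runs quoted in the
# thread (1470-, 64- and 128-byte datagrams), trimmed to the lines that matter.
RUNS = {
    1470: """[  3]  0.0-10.0 sec   969 MBytes   813 Mbits/sec
[  3] Sent 691024 datagrams
[  3] Server Report:
[  3]  0.0-10.0 sec   966 MBytes   810 Mbits/sec   0.113 ms 2266/691023 (0.33%)""",
    64: """[  3]  0.0-10.0 sec  42.2 MBytes  35.4 Mbits/sec
[  3] Sent 691026 datagrams
[  3] Server Report:
[  3]  0.0-10.0 sec  42.2 MBytes  35.4 Mbits/sec   0.021 ms 406/691025 (0.059%)""",
    128: """[  3]  0.0-10.0 sec  84.4 MBytes  70.8 Mbits/sec
[  3] Sent 691024 datagrams
[  3] Server Report:
[  3]  0.0-10.0 sec  84.3 MBytes  70.7 Mbits/sec   0.018 ms 680/691023 (0.098%)""",
}

# iperf v2 line shapes: interval summary, client "Sent N datagrams", server loss.
SUMMARY_RE = re.compile(r"\]\s+([\d.]+)-\s*([\d.]+) sec\s+[\d.]+ [KMG]Bytes\s+([\d.]+) ([KMG])bits/sec")
SENT_RE = re.compile(r"Sent (\d+) datagrams")
LOSS_RE = re.compile(r"(\d+)/(\d+) \(([\d.]+)%\)")

def parse_udp_run(output):
    """Derive pps and loss from one 'iperf -u' client report (first summary line
    gives the interval; sent datagrams / interval is the packet rate)."""
    res = {}
    for line in output.splitlines():
        m = SUMMARY_RE.search(line)
        if m and "duration" not in res:
            res["duration"] = float(m.group(2)) - float(m.group(1))
            res["mbits"] = float(m.group(3)) * {"K": 1e-3, "M": 1.0, "G": 1e3}[m.group(4)]
        m = SENT_RE.search(line)
        if m:
            res["sent"] = int(m.group(1))
        m = LOSS_RE.search(line)
        if m:
            res["lost"], res["total"] = int(m.group(1)), int(m.group(2))
    res["pps_sent"] = res["sent"] / res["duration"]
    res["pps_received"] = (res["total"] - res["lost"]) / res["duration"]
    res["loss_pct"] = 100.0 * res["lost"] / res["total"]
    return res

def sender_bound(results, tolerance=0.02):
    """True when all runs sent the same packet rate within tolerance (assumed 2%):
    the generator, not the tunnel, is then the limit the small-packet test hits."""
    rates = [r["pps_sent"] for r in results.values()]
    return (max(rates) - min(rates)) / max(rates) <= tolerance

if __name__ == "__main__":
    parsed = {size: parse_udp_run(out) for size, out in RUNS.items()}
    for size, r in sorted(parsed.items()):
        print(f"{size:5d} B: {r['pps_sent']:9.0f} pps sent, {r['loss_pct']:.3f}% lost, {r['mbits']:.1f} Mbit/s")
    print("sender-bound:", sender_bound(parsed))
```

All three runs come out at roughly 69,100 pps sent, so the 64-byte figure reflects the client's send rate rather than the appliance's packet-forwarding ceiling.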


