[Swan] Libreswan Performance tests
Muenz, Michael
m.muenz at spam-fetish.org
Fri Jan 9 17:04:41 EET 2015
On 09.01.2015 at 14:55, Paul Wouters wrote:
> I'd be interested in the esp= algos listed on the above libreswan page.
> Note that some of those algorithms are not available for KLIPS.
>
So in this test it was:
ike=aes256-sha1;modp2048
phase2alg=aes256-sha1;modp2048
I'll play around with other algs next week.
> (My tests on the IBM x3550m4 failed to run properly for KLIPS, so I
> could only provide NETKEY numbers. KLIPS worked for simple pings, but
> running iperf it just locked up)
This is the output with NETKEY (huge gain with tcp / window 512):
TCP tests
iperf -i1 -w 32k -c SRV
------------------------------------------------------------
Client connecting to 10.12.11.100, TCP port 5001
TCP window size: 64.0 KByte (WARNING: requested 32.0 KByte)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 46384 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 32.4 MBytes 272 Mbits/sec
[ 3] 1.0- 2.0 sec 32.1 MBytes 269 Mbits/sec
[ 3] 2.0- 3.0 sec 32.0 MBytes 268 Mbits/sec
[ 3] 3.0- 4.0 sec 32.6 MBytes 274 Mbits/sec
[ 3] 4.0- 5.0 sec 32.8 MBytes 275 Mbits/sec
[ 3] 5.0- 6.0 sec 32.2 MBytes 271 Mbits/sec
[ 3] 6.0- 7.0 sec 32.5 MBytes 273 Mbits/sec
[ 3] 7.0- 8.0 sec 32.5 MBytes 273 Mbits/sec
[ 3] 8.0- 9.0 sec 32.6 MBytes 274 Mbits/sec
[ 3] 9.0-10.0 sec 32.6 MBytes 274 Mbits/sec
[ 3] 0.0-10.0 sec 324 MBytes 272 Mbits/sec
iperf -i1 -w 512k -c SRV
------------------------------------------------------------
Client connecting to 10.12.11.100, TCP port 5001
TCP window size: 416 KByte (WARNING: requested 512 KByte)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 46389 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 106 MBytes 891 Mbits/sec
[ 3] 1.0- 2.0 sec 108 MBytes 904 Mbits/sec
[ 3] 2.0- 3.0 sec 108 MBytes 903 Mbits/sec
[ 3] 3.0- 4.0 sec 108 MBytes 903 Mbits/sec
[ 3] 4.0- 5.0 sec 108 MBytes 903 Mbits/sec
[ 3] 5.0- 6.0 sec 108 MBytes 904 Mbits/sec
[ 3] 6.0- 7.0 sec 108 MBytes 904 Mbits/sec
[ 3] 7.0- 8.0 sec 108 MBytes 904 Mbits/sec
[ 3] 8.0- 9.0 sec 108 MBytes 904 Mbits/sec
[ 3] 9.0-10.0 sec 108 MBytes 904 Mbits/sec
[ 3] 0.0-10.0 sec 1.05 GBytes 902 Mbits/sec
UDP with max. packet size (UDP bandwidth) tests
iperf -u -i1 -c SRV -b 100m
------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 55228 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 1.0- 2.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 2.0- 3.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 3.0- 4.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 4.0- 5.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 5.0- 6.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 6.0- 7.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 7.0- 8.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 8.0- 9.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 9.0-10.0 sec 12.0 MBytes 101 Mbits/sec
[ 3] 0.0-10.0 sec 120 MBytes 101 Mbits/sec
[ 3] Sent 85471 datagrams
[ 3] WARNING: did not receive ack of last datagram after 10 tries.
iperf -u -i1 -c SRV -b 1000m
------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 39588 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 1.0- 2.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 2.0- 3.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 3.0- 4.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 4.0- 5.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 5.0- 6.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 6.0- 7.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 7.0- 8.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 8.0- 9.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 9.0-10.0 sec 96.9 MBytes 813 Mbits/sec
[ 3] 0.0-10.0 sec 969 MBytes 813 Mbits/sec
[ 3] Sent 691024 datagrams
[ 3] Server Report:
[ 3] 0.0-10.0 sec 966 MBytes 810 Mbits/sec 0.113 ms 2266/691023 (0.33%)
[ 3] 0.0-10.0 sec 1 datagrams received out-of-order
UDP with small packets for PPS measuring
iperf -l 64 -u -i1 -c SRV -b 1000m
------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 64 byte datagrams
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 54439 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 1.0- 2.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 2.0- 3.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 3.0- 4.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 4.0- 5.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 5.0- 6.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 6.0- 7.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 7.0- 8.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 8.0- 9.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 9.0-10.0 sec 4.22 MBytes 35.4 Mbits/sec
[ 3] 0.0-10.0 sec 42.2 MBytes 35.4 Mbits/sec
[ 3] Sent 691026 datagrams
[ 3] Server Report:
[ 3] 0.0-10.0 sec 42.2 MBytes 35.4 Mbits/sec 0.021 ms 406/691025 (0.059%)
[ 3] 0.0-10.0 sec 1 datagrams received out-of-order
iperf -l 128 -u -i1 -c SRV -b 1000m
------------------------------------------------------------
Client connecting to 10.12.11.100, UDP port 5001
Sending 128 byte datagrams
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 3] local 10.12.10.100 port 53285 connected with 10.12.11.100 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 1.0- 2.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 2.0- 3.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 3.0- 4.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 4.0- 5.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 5.0- 6.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 6.0- 7.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 7.0- 8.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 8.0- 9.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 9.0-10.0 sec 8.44 MBytes 70.8 Mbits/sec
[ 3] 0.0-10.0 sec 84.4 MBytes 70.8 Mbits/sec
[ 3] Sent 691024 datagrams
[ 3] Server Report:
[ 3] 0.0-10.0 sec 84.3 MBytes 70.7 Mbits/sec 0.018 ms 680/691023 (0.098%)
[ 3] 0.0-10.0 sec 1 datagrams received out-of-order
>
> Note that on embedded platforms, you might see a lot of gain using the
> OCF kernel module (ocf.ko with cryptosoft.ko) with KLIPS for those
> crypto hardware drivers supported by Linux natively. OCF will also allow
> KLIPS to use multiple CPU cores, which it cannot do without OCF.
> See _stackmanager for some OCF detection/configuration if you are not
> using _stackmanager on your embedded platform to start libreswan.
This system is only AES-NI capable
>
>
> It would be good if we could compare plaintext speeds with IPsec speeds,
> so that we have an idea of what the cost is for enabling IPsec on those
> devices.
Here is the comparison:
http://www.routerperformance.net/routers/nexcom-nsa/iperf-results-nexcom-nsa3150/
>
> Note also that for LAN connections and high speed interfaces (10GigE)
> you should really set the MTU to 9000 or else you won't see more than
> 1Gbps. The ethtool output might also be useful to verify various
> hardware offload settings which can get in the way of performance when
> running IPsec.
Oh, ok, I'll change everything to 9000, next week you get the results.
Here's ethtool output:
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: Symmetric
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: Symmetric
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
MDI-X: on (auto)
Supports Wake-on: pumbg
Wake-on: g
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
Features for eth0:
rx-checksumming: on
tx-checksumming: on
tx-checksum-ipv4: on
tx-checksum-ip-generic: off [fixed]
tx-checksum-ipv6: on
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: on
scatter-gather: on
tx-scatter-gather: on
tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
tx-tcp-segmentation: on
tx-tcp-ecn-segmentation: off [fixed]
tx-tcp6-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]
receive-hashing: on
highdma: on [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-ipip-segmentation: off [fixed]
tx-sit-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-mpls-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
l2-fwd-offload: off [fixed]
busy-poll: off [fixed]
>
> I would love to add some summaries of hardware and performance on our
> libreswan benchmarking page with links to yours if we can get the
> additional information (hardware, cpu model, ram, nic brands, etc)
>
Sure, put it on your wiki! :)
Nexcom NSA3150
- Support 4th generation Intel® Core™ processors
- Intel® H81 Chipset
Intel i3-4330 3,5 GHz - 2 core - LGA1150 Socket - 4 MB Cache
4th Generation / Haswell
Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor PCI Express x16 Controller (rev 06)
Apacer 4GB RAM (x2 = 8GB)
DDR3 UDIMM 1333 256x8 2R CL9
02:00.0 Ethernet controller: Intel Corporation I211 Gigabit Network Connection (rev 03)
http://www.nexcom.com/Products/network-and-communication-solutions/entry-level-appliance/entry-level-appliance/network-security-appliance-nsa-3150
> Paul
>
Michael
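
Added example, not part of the original message: the small-packet runs above are labelled as PPS measurements, but iperf reports only Mbits/sec, so this Python sketch derives packets per second and loss from the "Sent" and "Server Report" lines. The summary lines are copied from the output above; the function and field names are illustrative.

```python
import re

# Summary lines copied from the UDP iperf output in the message above
# (per-second rows omitted; line wrapping kept as it appears in the mail).
SAMPLE = """\
iperf -u -i1 -c SRV -b 100m
[ 3] 0.0-10.0 sec 120 MBytes 101 Mbits/sec
[ 3] Sent 85471 datagrams
[ 3] WARNING: did not receive ack of last datagram after 10 tries.
iperf -u -i1 -c SRV -b 1000m
[ 3] 0.0-10.0 sec 969 MBytes 813 Mbits/sec
[ 3] Sent 691024 datagrams
[ 3] 0.0-10.0 sec 966 MBytes 810 Mbits/sec 0.113 ms 2266/691023
(0.33%)
iperf -l 64 -u -i1 -c SRV -b 1000m
[ 3] 0.0-10.0 sec 42.2 MBytes 35.4 Mbits/sec
[ 3] Sent 691026 datagrams
[ 3] 0.0-10.0 sec 42.2 MBytes 35.4 Mbits/sec 0.021 ms 406/691025
(0.059%)
"""

INTERVAL = re.compile(r"\]\s*([\d.]+)-\s*([\d.]+) sec")
REPORT = re.compile(r"[\d.]+ ms\s+(\d+)/\s*(\d+)")   # jitter, then lost/total
SENT = re.compile(r"Sent (\d+) datagrams")
SIZE = re.compile(r"(?:^|\s)-l\s*(\d+)")

def parse_runs(text):
    """Return one dict per iperf UDP run with derived packets per second."""
    runs, cur, secs = [], None, None
    for line in text.splitlines():
        if line.startswith("iperf "):
            m = SIZE.search(line)
            # iperf 2 sends 1470-byte datagrams unless -l is given
            cur = {"size": int(m.group(1)) if m else 1470, "pps_sent": None,
                   "pps_rcvd": None, "lost": None, "loss_pct": None}
            runs.append(cur)
            continue
        iv = INTERVAL.search(line)
        if iv:
            secs = float(iv.group(2)) - float(iv.group(1))
        sent, rep = SENT.search(line), REPORT.search(line)
        if cur and sent and secs:
            cur["pps_sent"] = round(int(sent.group(1)) / secs)
        if cur and rep and iv:   # server report is absent when the final ack is lost
            lost, total = int(rep.group(1)), int(rep.group(2))
            cur.update(lost=lost, pps_rcvd=round((total - lost) / secs),
                       loss_pct=round(100 * lost / total, 3))
    return runs

if __name__ == "__main__":
    for r in parse_runs(SAMPLE):
        print(r)
```

Both `-b 1000m` runs come out at roughly 69,100 datagrams per second sent, whether the datagrams are 1470 or 64 bytes.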