[Swan] scaling IPsec throughput with CPUs
antony at phenome.org
Sun Nov 24 06:30:37 UTC 2019
Libreswan developers and Linux kernel developers are working together to
improve the IPsec throughout using CPU(to encrypt and decrypt). Initial
results are ~15 Gbps and ~5-6Gbps per flow. Using upto 3CPU cores.
So far the idea look promising. It seems to scale with number of CPUs. With
faster flows cache miss appears to be the biggest slowing down factor.
At the last couple of IETF hackethons we hacked on this. Now it is ready for
very early testers. The details can be found at
We are still working on it, so there is no concrete plans to merge the code
yet. Both Linux Kernel XFRM changes and related Libreswan changes need more
work. Such as support rekey (kernel), libreswan auto=route.
However, if you are looking for this kind of IPsec scalability and able to
test it please do. I would be happy to help. Also more testing and feedback
would drive us to get this merged sooner than later.
More information about the Swan