IPSec improvement

VANHULLEBUS Yvan vanhu at FreeBSD.org
Fri Jun 14 13:51:37 UTC 2013


On Fri, Jun 14, 2013 at 05:24:30PM +0400, Slawa Olhovchenkov wrote:
> On Fri, Jun 14, 2013 at 03:14:00PM +0200, VANHULLEBUS Yvan wrote:
> 
> > On Fri, Jun 14, 2013 at 02:36:15PM +0400, Slawa Olhovchenkov wrote:
> > > I am planning to make some improvements in the IPSec stack:
> > > 
> > > - AES-GCM support (from OpenBSD)
> > 
> > Dylan Castine already started to work on that last year (see ML's
> > archives), and we took some time to work together on that.
> > 
> > Unfortunately, patch hasn't been committed since, as Dylan needed some
> > more time to do some important cleanups on the code.
> > 
> > I'll try to recontact Dylan to see if he could take time to finish
> > that.
> 
> OK, will you inform about progress on this list?

Yep.

Just for information, Dylan also talked about such code last year, but
the patch I got was from Riaan Kruger.
I just sent him a mail on that subject.

The patchset Riaan provided me was working on basic tests.
On the benchmark we did, software AES-GCM was faster than software
AES-CBC+SHA1, but slower than hardware accelerated AES-CBC+SHA1 (tried
with both VIA's Padlock and Intel's AESNI).

As AES-CBC / SHA1 acceleration is quite common today, but AES-GCM
hardware acceleration is still not so common, AES-GCM may be really
interesting only on hardware which provides such acceleration (or in
older hardware which provides none of them).

We also started to have a look at AES-CTR acceleration (more common
than AES-GCM acceleration) to provide a partial hardware work for
AES-GCM, and it looks like at least OpenSSL's guys could implement
that, with interesting benchmarks.


> > > - GOST 28147-89 and 34.10-2001 support (by modules)
> > > - support for IPSec acceleration in network cards
> > 
> > What kind of acceleration, in which kind of network card?
> > 
> > Are you talking about encryption/authentication done in the network
> > card (or CPUs, or .....), or do you want to use advanced IPsec
> > offloading provided by some chipsets?
> 
> IPSec offloading (ex. Intel 82599).

Interesting.


Yvan.

