iflib.tx_abdicate: very strange behavior on incoming IPsec traffic (regression?)

Lev Serebryakov lev at FreeBSD.org
Fri Dec 7 15:40:42 UTC 2018

On 07.12.2018 18:02, Lev Serebryakov wrote:

>>  (I'm not sure, that it is exactly "bug" or "defect" and want to
>  ... discuss it here before filing PR.
>>  Now I'm throwing IPsec into mix. All incoming traffic is tunneled with
>> IPsec policy, with aes-128-gcm encryption. And with IPsec tx_abdicate
>> makes thing much worse and much more unstable.
>  I could say, that it doesn't matter, if I using IPsec with "tunnel"
> policy to encrypt and tunnel transit traffic or if I add "gif" into mix
> and encrypt GIF traffic in "transport" mode. In both cases tx_abdicate
> makes PPS much lower.
 And one more datapoint: if I'm using "null" cipher (so, IPsec is in
play, but no real encryption is performed) losses in packet rate are
about 50% from turning on tx_abdicate. It is worst-case scenario.

 And if I have outbound traffic (traffic is received without IPsec
processing and sent with IPsec processing on other interface) I have
noticeable gains, up to 15% in packets per second and bandwidth.

 So, lookslike tx_abdicate works well when it is applied to
non-IPsec-processed traffic.

// Lev Serebryakov

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20181207/186757e2/attachment.sig>

More information about the freebsd-current mailing list