10g IPsec ?
    Lawrence Stewart 
    lstewart at freebsd.org
       
    Thu Nov  7 01:36:42 UTC 2019
    
    
  
On 6/11/19 9:45 am, Olivier Cochard-Labbé wrote:
> On Tue, Nov 5, 2019 at 8:15 PM John-Mark Gurney <jmg at funkthat.com> wrote:
> 
>> AES-GCM can run at over 1GB/sec on a single core, so as long as the
>> traffic can be processed by multiple threads (via multiple queues
>> for example), it should be doable.
>>
>>
> I didn't bench this setup (10Gb/s IPSec) but I believe we will have the
> same problem with IPSec as with all VPN setups (like PPPoE or GRE): the
> IPSec tunnel will generate one IP flow preventing load sharing between all
> the NIC's RSS queues.
> I'm not aware of any improvement that removes this limitation.

I never understood why the IPsec SPI couldn't be used to shard
traffic... does anyone know if there is a technical reason why doing so
would be problematic?

Cheers,
Lawrence
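
The queue-selection behaviour discussed in this thread, as an added example that is not part of the original message or FreeBSD code: it compares hashing an ESP packet on source and destination address only with hashing that also includes the SPI. Assumptions: FNV-1a stands in for the NIC's RSS hash, the packets and SPIs are constructed, the function names are hypothetical, and traffic is carried over several SAs, since each SA has a single SPI.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* FNV-1a: stand-in for the NIC's RSS hash (assumption, not Toeplitz). */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}
/* Read the SPI of an IPv4/ESP packet; -1 if truncated or not ESP. */
int esp_spi(const uint8_t *pkt, size_t len, uint32_t *spi) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* honour IP options */
    if (ihl < 20 || len < ihl + 4 || pkt[9] != 50) return -1; /* 50 = ESP */
    *spi = (uint32_t)pkt[ihl] << 24 | (uint32_t)pkt[ihl + 1] << 16 |
           (uint32_t)pkt[ihl + 2] << 8 | pkt[ihl + 3];
    return 0;
}
/* Queue from src/dst address, plus the SPI when use_spi is set. */
int rss_queue(const uint8_t *pkt, size_t len, unsigned nq, int use_spi) {
    uint8_t key[12]; uint32_t spi; size_t n = 8;
    if (len < 20) return -1;
    memcpy(key, pkt + 12, 8);                       /* src + dst address */
    if (use_spi && esp_spi(pkt, len, &spi) == 0)    /* non-ESP stays 2-tuple */
        for (n = 8; n < 12; n++) key[n] = (uint8_t)(spi >> (8 * (11 - n)));
    return (int)(fnv1a(key, n) % nq);
}
/* Constructed sample: minimal IPv4/ESP header between two documentation IPs. */
void make_esp(uint8_t pkt[28], uint32_t spi) {
    static const uint8_t addrs[8] = {192, 0, 2, 1, 198, 51, 100, 1};
    memset(pkt, 0, 28);
    pkt[0] = 0x45; pkt[9] = 50;                     /* IPv4, IHL 5, ESP */
    memcpy(pkt + 12, addrs, 8);
    for (int i = 0; i < 4; i++) pkt[20 + i] = (uint8_t)(spi >> (24 - 8 * i));
}
/* Distinct queues (nq <= 32) hit by n_sa SAs with constructed SPIs 0x1000+i. */
unsigned distinct_queues(int use_spi, unsigned n_sa, unsigned nq) {
    uint32_t seen = 0; unsigned count = 0; uint8_t pkt[28];
    for (unsigned i = 0; i < n_sa; i++) {
        make_esp(pkt, 0x1000 + i);
        seen |= 1u << rss_queue(pkt, sizeof pkt, nq, use_spi);
    }
    for (; seen; seen >>= 1) count += seen & 1;
    return count;
}
int main(void) {
    printf("2-tuple: %u queue(s); with SPI: %u\n", distinct_queues(0, 8, 8), distinct_queues(1, 8, 8));
    return 0;
}
```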
    
    
More information about the freebsd-net
mailing list