10g IPsec ?

Lawrence Stewart lstewart at freebsd.org
Thu Nov 7 02:04:18 UTC 2019


On 7/11/19 12:52 pm, Eugene Grosbein wrote:
> 07.11.2019 8:36, Lawrence Stewart wrote:
> 
>>>> AES-GCM can run at over 1GB/sec on a single core, so as long as the
>>>> traffic can be processed by multiple threads (via multiple queues
>>>> for example), it should be doable.
>>>>
>>>>
>>> I didn't bench this setup (10Gb/s IPSec) but I believe we will have the
>>> same problem with IPSec as with all VPN setups (like PPPoE or GRE): the
>>> IPSec tunnel will generate one IP flow, preventing load sharing between all
>>> the NIC's RSS queues.
>>> I'm not aware of any improvement to remove this limitation.
>>
>> I never understood why the IPsec SPI couldn't be used to shard
>> traffic... does anyone know if there is a technical reason why doing so
>> would be problematic?
> 
> The generic way to distribute load over CPUs is distinct hardware receive queues of the NIC
> using distinct interrupts to deliver packets to the host while interrupts are bound
> to distinct CPU cores. It needs hardware capable of splitting the packet stream by IPsec SPI
> and I'm aware of only some 40Gbps Intel NICs that can be programmed to do so.

Right, a "consumers need to ask for it" issue more so than an inherently
problematic approach. I assumed as much but wasn't sure.

Cheers
Lawrence
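The following is an added illustration of the point discussed above, not code from the thread or from FreeBSD. It models a NIC's RSS hash (the Toeplitz hash that RSS engines use, keyed here with Microsoft's published 40-byte RSS verification key) and shows why several ESP security associations between the same two gateways all land on one receive queue when the NIC hashes only the IPv4 source/destination pair, and how they would spread if the hardware were programmed to fold the ESP SPI into the hash input. The 8-queue NIC, the gateway addresses and the SPI values are constructed for the example; the SPI-aware input layout is a hypothetical one, not a description of any particular NIC's programming.

```python
"""Toy RSS model: why an IPsec tunnel collapses onto one NIC receive queue.

Added illustration, not code from the mailing-list thread. It implements the
Toeplitz hash used by RSS and compares the usual 2-tuple input (src/dst IPv4)
against a hypothetical 3-tuple that also includes the ESP SPI.
"""
import ipaddress
import struct
from typing import List, Optional

# Microsoft's published 40-byte RSS verification key; drivers commonly ship
# it as a default secret. Any 40 random bytes would behave the same way.
RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b477cb2da38030f20c"
    "6a42b73bbeac01fa"
)
NUM_QUEUES = 8  # assumed NIC with 8 receive queues, one interrupt per core


def toeplitz_hash(key: bytes, data: bytes) -> int:
    """Toeplitz hash: XOR together the 32-bit key window aligned at every
    set bit of the input, scanning the input most-significant bit first."""
    if len(key) * 8 < len(data) * 8 + 32:
        raise ValueError("RSS key too short for this input length")
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    result = 0
    for byte_index, byte in enumerate(data):
        for bit in range(8):
            if byte & (0x80 >> bit):
                pos = byte_index * 8 + bit
                window = (key_int >> (key_bits - 32 - pos)) & 0xFFFFFFFF
                result ^= window
    return result


def rss_queue(src: str, dst: str, spi: Optional[int] = None) -> int:
    """Receive-queue index for an ESP packet.

    spi=None models a NIC that only knows how to hash the IPv4 2-tuple;
    ESP has no ports, so no 4-tuple hash is possible for the tunnel traffic.
    Passing an SPI models hardware that can be programmed to hash on it too
    (hypothetical input layout: src || dst || spi)."""
    data = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    if spi is not None:
        data += struct.pack(">I", spi)  # SPI is the first field of the ESP header
    # Low bits of the hash select the queue (stand-in for the indirection table).
    return toeplitz_hash(RSS_KEY, data) & (NUM_QUEUES - 1)


# Constructed sample: four child SAs between the same two tunnel endpoints.
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
SAMPLE_SPIS = [0x0000ABCD, 0x0000ABCE, 0x00001234, 0x0000DEAD]


def queues_two_tuple() -> List[int]:
    """Queue per SA when the NIC hashes src/dst only: one flow, one queue."""
    return [rss_queue(GW_A, GW_B) for _ in SAMPLE_SPIS]


def queues_with_spi() -> List[int]:
    """Queue per SA when the SPI is part of the hash input."""
    return [rss_queue(GW_A, GW_B, spi) for spi in SAMPLE_SPIS]


if __name__ == "__main__":
    print("2-tuple (src, dst):      ", queues_two_tuple())
    print("3-tuple (src, dst, spi): ", queues_with_spi())
```

Running the script prints one repeated queue index for the 2-tuple case and four distinct indices for the SPI-aware case. The Toeplitz hash is XOR-linear in its input, so adding the SPI bytes can only change the queue if the key windows at the SPI bit positions differ in their low bits; with this key and these four SPIs they do, which is exactly the spreading the thread says only SPI-capable hardware can provide.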

