documentation:examples:ipsec_performance_of_a_netgate_rcc-ve_4860

Differences

This shows you the differences between two versions of the page.

documentation:examples:ipsec_performance_of_a_netgate_rcc-ve_4860 [2017/09/04 01:23] – external edit 127.0.0.1documentation:examples:ipsec_performance_of_a_netgate_rcc-ve_4860 [2020/09/22 12:08] (current) – [Using IPSec bench "Equilibrium throughput" method] olivier
Line 17: Line 17:
  
 <code> <code>
-+---------------------+   +-------------------------------------+    +----------------------------------------+ ++---------------------+   +-------------------------------------+   +----------------------------------------+ 
-|          R1              Netgate RCC-VE 4860 (AES-NI)        |                     R3                 | +|          R1              Netgate RCC-VE 4860 (AES-NI)       |                     R3                 | 
-|   Packet generator  |             Device under Test            |              IPSec endpoint            | +|   Packet generator  |             Device under Test           |              IPSec endpoint            | 
-|     and receiver    |                                          |                 (AES-NI)               | +|     and receiver    |                                         |                 (AES-NI)               | 
-|                                                              |                                        | +|                                                             |                                        | 
-|igb2: 198.18.0.201/24|=>=| igb2: 198.18.0.209/24                  |                                        | +|igb2: 198.18.0.201/24|=>=| igb2: 198.18.0.209/24                 |                                        | 
-|       2001:2::201/64|   | 2001:2::209/64                      |    |                                        | +|       2001:2::201/64|   | 2001:2::209/64                      |   |                                        | 
-|    00:1b:21:d4:3f:2a|   | 00:08:a2:09:33:da                      |                                        | +|    00:1b:21:d4:3f:2a|   | 00:08:a2:09:33:da                     |                                        | 
-|                                                              |                                        | +|                                                             |                                        | 
-|                                     igb3: 198.18.1.209/24 |==>=| igb2: 198.18.1.203/24                  | +|                                     igb3: 198.18.1.209/24 |=>=| igb2: 198.18.1.203/24                  | 
-|                                        2001:2:0:1::209/64 |    |    2001:2:0:1::203/64                  | +|                                        2001:2:0:1::209/64 |   |    2001:2:0:1::203/64                  | 
-|                                         00:08:a2:09:33:db |    |     00:1b:21:c4:95:7a                  | +|                                         00:08:a2:09:33:db |   |     00:1b:21:c4:95:7a                  | 
-|                                                              |                                        | +|                                                             |                                        
-|                                    static routes          |    |             static routes              | +|                                   ipsec0: 198.18.2.209/24 |...| ipsec0: 198.18.2.203/24             | 
-|                           198.19.0.0/16 => 198.18.1.203      |     198.19.0.0/16 => 198.19.0.201      | +|                                        2001:2:0:2::209/64 |      2001:2:0:2::203/64               | 
-|                           198.18.0.0/16 => 198.18.0.201      |     198.18.0.0/16 => 198.18.1.209      | +|                                                                                                 
-|                             2001:2::/49 => 2001:2::201    |    |       2001:2::/49 => 2001:2:0:1::209   | +|                                    static routes          |   |             static routes              | 
-|                       |2001:2:0:8000::/49 => 2001:2:0:1::203|    | 2001:2:0:8000::/49=>2001:2:0:8000::201 | +|                           198.19.0.0/16 => 198.18.2.203     |     198.19.0.0/16 => 198.19.0.201      | 
-|                                                              |                                        | +|                           198.18.0.0/16 => 198.18.0.201     |     198.18.0.0/16 => 198.18.2.209      | 
-|igb3: 198.19.0.201/24|                                          |         igb3: 198.19.0.203/24          | +|                             2001:2::/49 => 2001:2::201    |   |       2001:2::/49 => 2001:2:0:2::209   | 
-|2001:2:0:8000::201/64|                                          |         2001:2:0:8000::203/64          | +|                       |2001:2:0:8000::/49 => 2001:2:0:2::203|   | 2001:2:0:8000::/49=>2001:2:0:8000::201 | 
-|   00:1b:21:d4:3f:2b |                                          |          00:1b:21:c4:95:7b             | +|                                                             |                                        | 
-+---------------------+   +-------------------------------------+    +----------------------------------------+ +|igb3: 198.19.0.201/24|                                         |         igb3: 198.19.0.203/24          | 
-          ||                                                                           || +|2001:2:0:8000::201/64|                                         |         2001:2:0:8000::203/64          | 
-   ==================================<============================================+|   00:1b:21:d4:3f:2b |                                         |          00:1b:21:c4:95:7b             | 
 ++---------------------+   +-------------------------------------+   +----------------------------------------+ 
 +          ||                                                                          || 
 +   ==================================<===========================================
 </code> </code>
 ===== Devices configuration ===== ===== Devices configuration =====
Line 49: Line 52:
 ==== Netgate (DUT) ==== ==== Netgate (DUT) ====
  
 +/boot/loader.conf:
 +<code>
 +# Loading AES-NI module sooner to be sure it is loaded before IPsec keys
 +aesni_load="YES"
 +</code>
 Configure IP address, routes and static IPSec: Configure IP address, routes and static IPSec:
  
Line 58: Line 66:
 static_routes="generator receiver" static_routes="generator receiver"
 route_generator="-net 198.18.0.0/16 198.18.0.201" route_generator="-net 198.18.0.0/16 198.18.0.201"
-route_receiver="-net 198.19.0.0/16 198.18.1.203"+route_receiver="-net 198.19.0.0/16 198.18.2.203"
 static_arp_pairs="receiver generator" static_arp_pairs="receiver generator"
 static_arp_generator="198.18.0.201 00:1b:21:d4:3f:2a" static_arp_generator="198.18.0.201 00:1b:21:d4:3f:2a"
Line 70: Line 78:
 ipv6_static_routes="generator receiver" ipv6_static_routes="generator receiver"
 ipv6_route_generator="2001:2:: -prefixlen 49 2001:2::201" ipv6_route_generator="2001:2:: -prefixlen 49 2001:2::201"
-ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:1::203"+ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:2::203"
 static_ndp_pairs="receiver generator" static_ndp_pairs="receiver generator"
 static_ndp_generator="2001:2::201 00:1b:21:d4:3f:2a" static_ndp_generator="2001:2::201 00:1b:21:d4:3f:2a"
 static_ndp_receiver="2001:2:0:1::203 00:1b:21:c4:95:7a" static_ndp_receiver="2001:2:0:1::203 00:1b:21:c4:95:7a"
 +cloned_interfaces="ipsec0"
 +create_args_ipsec0="reqid 100"
 +ifconfig_ipsec0="inet 198.18.2.209/24 198.18.2.203 tunnel 198.18.1.209 198.18.1.203"
 +ifconfig_ipsec0_ipv6="inet6 2001:2:0:2::209 prefixlen 64"
  
-# Enabling IPSec+# Enabling IPsec
 ipsec_enable="YES" ipsec_enable="YES"
- 
-# Enabling AES-NI 
-kld_list="aesni" 
 </code> </code>
  
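Review bot: `create_args_ipsec0="reqid 100"` is added without a comment saying that it has to match the `-u 100` on the SAs in the setkey configuration; a one-line comment above `cloned_interfaces="ipsec0"` would stop someone changing one without the other. The removal of `kld_list="aesni"` here is only explained by the loader.conf comment in the earlier hunk, so a short pointer next to "# Enabling IPsec" would help too.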
Line 86: Line 95:
 flush; flush;
 spdflush; spdflush;
-spdadd 198.18.0.0/16 198.19.0.0/16 any -P out ipsec esp/tunnel/198.18.1.209-198.18.1.203/require; +add 198.18.1.203 198.18.1.209 esp 10000 -m tunnel -u 100 -E aes-gcm-16 "12345678901234567890"; 
-spdadd 198.19.0.0/16 198.18.0.0/16 any -P in ipsec esp/tunnel/198.18.1.203-198.18.1.209/require; +add 198.18.1.209 198.18.1.203 esp 10001 -tunnel -u 100 -E aes-gcm-16 "12345678901234567890";
-add 198.18.1.203 198.18.1.209 esp 0x1000 -E aes-gcm-16 "12345678901234567890"; +
-add 198.18.1.209 198.18.1.203 esp 0x1001 -E aes-gcm-16 "12345678901234567890"; +
-spdadd 2001:2::/49 2001:2:0:8000::/49 any -P out ipsec esp/tunnel/2001:2:0:1::209-2001:2:0:1::203/require; +
-spdadd 2001:2:0:8000::/49 2001:2::/49 any -P in ipsec esp/tunnel/2001:2:0:1::203-2001:2:0:1::209/require; +
-add 2001:2:0:1::203 2001:2:0:1::209 esp 0x1002 -E aes-gcm-16 "12345678901234567890"; +
-add 2001:2:0:1::209 2001:2:0:1::203 esp 0x1003 -E aes-gcm-16 "12345678901234567890";+
 </code> </code>
  
 ==== R3 (Reference device) ==== ==== R3 (Reference device) ====
 +
 +/boot/loader.conf:
 +<code>
 +# Loading AES-NI module sooner to be sure it is loaded before IPsec keys
 +aesni_load="YES"
 +</code>
  
 Configure IP address, routes and static IPSec. Configure IP address, routes and static IPSec.
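Review bot: In the new setkey lines the second SA is written with `-tunnel` where the first uses `-m tunnel`: `add 198.18.1.209 198.18.1.203 esp 10001 -tunnel -u 100 -E aes-gcm-16 ...`. That looks like a dropped `-m`; suggest writing both lines as `-m tunnel -u 100`. The SPIs also change from hex 0x1000/0x1001 to decimal 10000/10001, which are different values, so it is worth a word on whether that was intended. With the `spdadd` lines and the IPv6 SAs removed, a sentence saying that the ipsec0 interface now takes over that role would make the shorter file easier to follow.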
Line 104: Line 113:
 # IPv4 router # IPv4 router
 gateway_enable="YES" gateway_enable="YES"
-ifconfig_igb2="inet 198.18.1.203/24" +ifconfig_igb2="inet 198.18.1.203/24 -tso4 -tso6 -lro
-ifconfig_igb3="inet 198.19.0.203/24"+ifconfig_igb3="inet 198.19.0.203/24 -tso4 -tso6 -lro"
  
 static_routes="generator receiver" static_routes="generator receiver"
-route_generator="-net 198.18.0.0/16 198.18.1.209"+route_generator="-net 198.18.0.0/16 198.18.2.209"
 route_receiver="-net 198.19.0.0/16 198.19.0.201" route_receiver="-net 198.19.0.0/16 198.19.0.201"
 static_arp_pairs="receiver generator" static_arp_pairs="receiver generator"
 static_arp_generator="198.18.1.209 00:08:a2:09:33:db" static_arp_generator="198.18.1.209 00:08:a2:09:33:db"
-static_arp_receiver="198.19.0.201 00:1b:21:d4:3f:2b"+static_arp_receiver="198.19.0.201 0c:c4:7a:da:3c:12"
  
 # IPv6 router # IPv6 router
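Review bot: `static_arp_receiver` now maps 198.19.0.201 to 0c:c4:7a:da:3c:12, but the diagram in this same revision still lists 00:1b:21:d4:3f:2b for R1's 198.19.0.201 interface; one of the two needs updating. The new `ifconfig_igb2="inet 198.18.1.203/24 -tso4 -tso6 -lro` line as shown also has no closing quote, unlike the `ifconfig_igb3` line below it, and neither line says why TSO and LRO are turned off.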
Line 121: Line 130:
  
 ipv6_static_routes="generator receiver" ipv6_static_routes="generator receiver"
-ipv6_route_generator="2001:2:: -prefixlen 49 2001:2:0:1::209"+ipv6_route_generator="2001:2:: -prefixlen 49 2001:2:0:2::209"
 ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:8000::201" ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:8000::201"
 static_ndp_pairs="receiver generator" static_ndp_pairs="receiver generator"
 static_ndp_generator="2001:2:0:1::209 00:08:a2:09:33:db" static_ndp_generator="2001:2:0:1::209 00:08:a2:09:33:db"
-static_ndp_receiver="2001:2:0:8000::201 00:1b:21:d4:3f:2b"+static_ndp_receiver="2001:2:0:8000::201 0c:c4:7a:da:3c:12" 
 +cloned_interfaces="ipsec0" 
 +create_args_ipsec0="reqid 200" 
 +ifconfig_ipsec0="inet 198.18.2.203/24 198.18.2.209 tunnel 198.18.1.203 198.18.1.209" 
 +ifconfig_ipsec0_ipv6="inet6 2001:2:0:2::203 prefixlen 64"
  
-# Enabling IPSec +# Enabling IPsec
-kld_list="aesni"+
 ipsec_enable="YES" ipsec_enable="YES"
 </code> </code>
Line 137: Line 149:
 flush; flush;
 spdflush; spdflush;
-spdadd 198.18.0.0/16 198.19.0.0/16 any -P in ipsec esp/tunnel/198.18.1.209-198.18.1.203/require; +add 198.18.1.203 198.18.1.209 esp 10000 -m tunnel -u 200 -E aes-gcm-16 "12345678901234567890"; 
-spdadd 198.19.0.0/16 198.18.0.0/16 any -P out ipsec esp/tunnel/198.18.1.203-198.18.1.209/require; +add 198.18.1.209 198.18.1.203 esp 10001 -tunnel -u 200 -E aes-gcm-16 "12345678901234567890";
-add 198.18.1.203 198.18.1.209 esp 0x1000 -E aes-gcm-16 "12345678901234567890"; +
-add 198.18.1.209 198.18.1.203 esp 0x1001 -E aes-gcm-16 "12345678901234567890"; +
-spdadd 2001:2::/49 2001:2:0:8000::/49 any -P in ipsec esp/tunnel/2001:2:0:1::209-2001:2:0:1::203/require; +
-spdadd 2001:2:0:8000::/49 2001:2::/49 any -P out ipsec esp/tunnel/2001:2:0:1::203-2001:2:0:1::209/require; +
-add 2001:2:0:1::203 2001:2:0:1::209 esp 0x1002 -E aes-gcm-16 "12345678901234567890"; +
-add 2001:2:0:1::209 2001:2:0:1::203 esp 0x1003 -E aes-gcm-16 "12345678901234567890";+
 </code> </code>
 ===== Using IPSec bench "Equilibrium throughput" method ===== ===== Using IPSec bench "Equilibrium throughput" method =====
  
 Once done, we start using a fast method for measuring the "IPsec equilibrium throughput" of the DUT. Once done, we start using a fast method for measuring the "IPsec equilibrium throughput" of the DUT.
- 
-Notice that the reference device (IBM x3550-M3) used in front of the Netgate has a [[IPSec performance lab of an IBM System x3550 M3 with Intel 82580|equilibrium throughput of 843Mb/s]]. Then if the value measured during this bench is close to 843Mb/s we had to found a more powerful reference device. 
  
 From the packet generator/receiver a simple script that use netmap-pktgen will do the job: From the packet generator/receiver a simple script that use netmap-pktgen will do the job:
 <code> <code>
-[root@R1]~# equilibrium -u -4 -d 00:08:a2:09:33:da -t igb2 -r igb3+[root@R1]~# equilibrium -4 -u -d 00:08:a2:09:33:da -t igb1 -r igb2
 Benchmark tool using equilibrium throughput method Benchmark tool using equilibrium throughput method
 - Benchmark mode: Bandwitdh (bps) for VPN gateway - Benchmark mode: Bandwitdh (bps) for VPN gateway
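Review bot: The new command line uses `-t igb1 -r igb2`, while the diagram in this same revision still labels R1's ports igb2 (198.18.0.201) and igb3 (198.19.0.201); align the diagram or the command. This hunk also drops the sentence about the reference device's 843Mb/s equilibrium throughput without a replacement, so the page no longer says what ceiling R3 puts on the measurement; suggest keeping that caveat in some form. The R3 setkey lines repeat the `-tunnel` versus `-m tunnel` inconsistency from the DUT section.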
Line 163: Line 167:
   - Offering load = 500 Mb/s   - Offering load = 500 Mb/s
   - Step = 250 Mb/s   - Step = 250 Mb/s
-  - Measured forwarding rate = 399 Mb/s+  - Measured forwarding rate = 499 Mb/s
 Iteration 2 Iteration 2
-  - Offering load = 250 Mb/s+  - Offering load = 750 Mb/s
   - Step = 250 Mb/s   - Step = 250 Mb/s
-  - Trend = decreasing +  - Trend = increasing 
-  - Measured forwarding rate = 250 Mb/s+  - Measured forwarding rate = 670 Mb/s
 Iteration 3 Iteration 3
-  - Offering load = 375 Mb/s+  - Offering load = 625 Mb/s
   - Step = 125 Mb/s   - Step = 125 Mb/s
-  - Trend = increasing +  - Trend = decreasing 
-  - Measured forwarding rate = 375 Mb/s+  - Measured forwarding rate = 624 Mb/s
 Iteration 4 Iteration 4
-  - Offering load = 437 Mb/s+  - Offering load = 687 Mb/s
   - Step = 62 Mb/s   - Step = 62 Mb/s
   - Trend = increasing   - Trend = increasing
-  - Measured forwarding rate = 399 Mb/s+  - Measured forwarding rate = 672 Mb/s
 Iteration 5 Iteration 5
-  - Offering load = 406 Mb/s+  - Offering load = 656 Mb/s
   - Step = 31 Mb/s   - Step = 31 Mb/s
   - Trend = decreasing   - Trend = decreasing
-  - Measured forwarding rate = 399 Mb/s+  - Measured forwarding rate = 655 Mb/s
 Iteration 6 Iteration 6
-  - Offering load = 391 Mb/s+  - Offering load = 671 Mb/s
   - Step = 15 Mb/s   - Step = 15 Mb/s
-  - Trend = decreasing +  - Trend = increasing 
-  - Measured forwarding rate = 391 Mb/s+  - Measured forwarding rate = 670 Mb/s
 Iteration 7 Iteration 7
-  - Offering load = 398 Mb/s+  - Offering load = 678 Mb/s
   - Step = 7 Mb/s   - Step = 7 Mb/s
   - Trend = increasing   - Trend = increasing
-  - Measured forwarding rate = 398 Mb/s +  - Measured forwarding rate = 670 Mb/s 
-Estimated Equilibrium Ethernet throughput= 398 Mb/s (maximum value seen: 399 Mb/s)+Estimated Equilibrium Ethernet throughput= 670 Mb/s (maximum value seen: 672 Mb/s)
 </code> </code>
  
-Using AES-GCM-128 and aesni kernel module loaded on the NetGate RCC-VE 4860, we can estimate an IPSec Equilibrium throughput of about 400Mb/s.+Using AES-GCM-128 and aesni kernel module loaded on the NetGate RCC-VE 4860, we can estimate an IPSec Equilibrium throughput of about 672Mb/s.
  
-{{bench-ipsec-netgate-12head.png}}+{{bench.netgate.ipsec.13head.png}}
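Review bot: The closing sentence now says "about 672Mb/s", but the tool output just above reports `Estimated Equilibrium Ethernet throughput= 670 Mb/s`, with 672 Mb/s given only as the maximum value seen; quote the estimate (670Mb/s) or say that the figure is the peak. The image reference also changes from `bench-ipsec-netgate-12head.png` to `bench.netgate.ipsec.13head.png`, so the text should say which build the new numbers were taken on.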
documentation/examples/ipsec_performance_of_a_netgate_rcc-ve_4860.1504480994.txt.gz · Last modified: 2017/09/04 01:23 by 127.0.0.1

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause