BSD Router Project

User Tools

Site Tools

Trace:
documentation:examples:ipsec_performance_of_a_superserver_5018a-ftn4

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
documentation:examples:ipsec_performance_of_a_superserver_5018a-ftn4 [2017/10/23 12:17] – external edit 127.0.0.1documentation:examples:ipsec_performance_of_a_superserver_5018a-ftn4 [2020/09/22 11:56] (current) – [Encryption algorithms] olivier
Line 1: Line 1:
 ====== IPSec performance lab of SuperServer 5018A-FTN4 ====== ====== IPSec performance lab of SuperServer 5018A-FTN4 ======
-{{description>IPSec performance lab of a 8 cores Atom}}+{{description>IPSec VTI performance lab of a 8 cores Atom}}
  
 ===== Hardware detail ===== ===== Hardware detail =====
Line 29: Line 29:
 |                    |                    2001:2:0:1::208/64 |      2001:2:0:1::210/64              | |                    |                    2001:2:0:1::208/64 |      2001:2:0:1::210/64              |
 |                    |                     00:07:43:2e:e5:98 |       00:07:43:2e:e4:70              | |                    |                     00:07:43:2e:e5:98 |       00:07:43:2e:e4:70              |
 +|                    |                                                                            |
 +|                    |               ipsec0: 198.18.2.208/24 |...| ipsec0: 198.18.2.210/24            |
 +|                    |                    2001:2:0:2::208/64 |      2001:2:0:2::210/64              |
 |                    |                                                                            | |                    |                                                                            |
 |                    |                static routes          |              static routes           | |                    |                static routes          |              static routes           |
-|                    |       198.19.0.0/16 => 198.18.1.210        198.19.0.0/16 => 198.19.0.2     | +|                    |       198.19.0.0/16 => 198.18.2.210        198.19.0.0/16 => 198.19.0.2     | 
-|                    |       198.18.0.0/16 => 198.18.0.2          198.18.0.0/16 => 198.18.1.208   | +|                    |       198.18.0.0/16 => 198.18.0.2          198.18.0.0/16 => 198.18.2.208   | 
-|                    |         2001:2::/49 => 2001:2::     |        2001:2::/49 => 2001:2:0:1::208| +|                    |         2001:2::/49 => 2001:2::     |        2001:2::/49 => 2001:2:0:2::208| 
-|                    |   |2001:2:0:8000::/49 => 2001:2:0:1::210|   |2001:2:0:8000::/49=>2001:2:0:8000::2|+|                    |   |2001:2:0:8000::/49 => 2001:2:0:2::210|   |2001:2:0:8000::/49=>2001:2:0:8000::2|
 |                    |                                                                            | |                    |                                                                            |
 |vcxl1: 198.19.0.2/24|                                                cxl1: 198.19.0.210/24       | |vcxl1: 198.19.0.2/24|                                                cxl1: 198.19.0.210/24       |
Line 51: Line 54:
  
 Configure IP address, routes and static IPSec. Configure IP address, routes and static IPSec.
 +
 +/boot/loader.conf:
 +<code>
 +# Loading AES-NI module sooner to be sure it is loaded before IPsec keys
 +aesni_load="YES"
 +</code>
  
 /etc/rc.conf: /etc/rc.conf:
Line 56: Line 65:
 # IPv4 router # IPv4 router
 gateway_enable="YES" gateway_enable="YES"
-static_routes="generator receiver" 
-route_generator="-net 198.18.0.0/16 198.18.0.2" 
-route_receiver="-net 198.19.0.0/16 198.18.1.210" 
 ifconfig_cxl0="inet 198.18.0.208/24 -tso4 -tso6 -lro" ifconfig_cxl0="inet 198.18.0.208/24 -tso4 -tso6 -lro"
 ifconfig_cxl1="inet 198.18.1.208/24 -tso4 -tso6 -lro" ifconfig_cxl1="inet 198.18.1.208/24 -tso4 -tso6 -lro"
 +static_routes="generator receiver"
 +route_generator="-net 198.18.0.0/16 198.18.0.2"
 +route_receiver="-net 198.19.0.0/16 198.18.2.210"
 static_arp_pairs="generator receiver" static_arp_pairs="generator receiver"
-static_arp_generator="198.18.0.2 00:07:43:2f:fe:b2"+static_arp_generator="198.18.0.2 00:07:43:2f:fe:b1"
 static_arp_receiver="198.18.1.210 00:07:43:2e:e4:70" static_arp_receiver="198.18.1.210 00:07:43:2e:e4:70"
  
Line 68: Line 77:
 ipv6_gateway_enable="YES" ipv6_gateway_enable="YES"
 ipv6_activate_all_interfaces="YES" ipv6_activate_all_interfaces="YES"
-ipv6_static_routes="generator receiver" 
-ipv6_route_generator="2001:2:: -prefixlen 49 2001:2::2" 
-ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:1::210" 
 ifconfig_cxl0_ipv6="inet6 2001:2::208 prefixlen 64" ifconfig_cxl0_ipv6="inet6 2001:2::208 prefixlen 64"
 ifconfig_cxl1_ipv6="inet6 2001:2:0:1::208 prefixlen 64" ifconfig_cxl1_ipv6="inet6 2001:2:0:1::208 prefixlen 64"
 +ipv6_static_routes="generator receiver"
 +ipv6_route_generator="2001:2:: -prefixlen 49 2001:2::2"
 +ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:2::210"
 static_ndp_pairs="generator receiver" static_ndp_pairs="generator receiver"
-static_ndp_generator="2001:2::2 00:07:43:2f:fe:b2"+static_ndp_generator="2001:2::2 00:07:43:2f:fe:b1"
 static_ndp_receiver="2001:2:0:1::210 00:07:43:2e:e4:70" static_ndp_receiver="2001:2:0:1::210 00:07:43:2e:e4:70"
  
-# Enabling IPSec +cloned_interfaces="ipsec0" 
-kld_list="aesni"+create_args_ipsec0="reqid 100" 
 +ifconfig_ipsec0="inet 198.18.2.208/24 198.18.2.210 tunnel 198.18.1.208 198.18.1.210" 
 +ifconfig_ipsec0_ipv6="inet6 2001:2:0:2::208 prefixlen 64" 
 + 
 +# Enabling IPsec
 ipsec_enable="YES" ipsec_enable="YES"
 </code> </code>
Line 87: Line 100:
 flush; flush;
 spdflush; spdflush;
-spdadd 198.18.0.0/16 198.19.0.0/16 any -P out ipsec esp/tunnel/198.18.1.208-198.18.1.210/require; +add 198.18.1.208 198.18.1.210 esp 10000 -tunnel -u 100 -E aes-gcm-16 "12345678901234567890"; 
-spdadd 198.19.0.0/16 198.18.0.0/16 any -P in ipsec esp/tunnel/198.18.1.210-198.18.1.208/require; +add 198.18.1.210 198.18.1.208 esp 10001 -tunnel -u 100 -E aes-gcm-16 "12345678901234567890";
-add 198.18.1.208 198.18.1.210 esp 0x1000 -E aes-gcm-16 "12345678901234567890"; +
-add 198.18.1.210 198.18.1.208 esp 0x1001 -E aes-gcm-16 "12345678901234567890"; +
-spdadd 2001:2::/49 2001:2:0:8000::/49 any -P out ipsec esp/tunnel/2001:2:0:1::208-2001:2:0:1::210/require; +
-spdadd 2001:2:0:8000::/49 2001:2::/49 any -P in ipsec esp/tunnel/2001:2:0:1::210-2001:2:0:1::208/require; +
-add 2001:2:0:1::208 2001:2:0:1::210 esp 0x1002 -E aes-gcm-16 "12345678901234567890"; +
-add 2001:2:0:1::210 2001:2:0:1::208 esp 0x1003 -E aes-gcm-16 "12345678901234567890";+
 </code> </code>
  
 ==== Reference Endpoint ==== ==== Reference Endpoint ====
 +
 +/boot/loader.conf:
 +<code>
 +# Loading AES-NI module sooner to be sure it is loaded before IPsec keys
 +aesni_load="YES"
 +</code>
  
 Configure IP address, routes and static IPSec: Configure IP address, routes and static IPSec:
 <code> <code>
-# IPv4 router 
 gateway_enable="YES" gateway_enable="YES"
 ifconfig_cxl0="inet 198.18.1.210/24 -tso4 -tso6 -lro -vlanhwtso" ifconfig_cxl0="inet 198.18.1.210/24 -tso4 -tso6 -lro -vlanhwtso"
 ifconfig_cxl1="inet 198.19.0.210/24 -tso4 -tso6 -lro -vlanhwtso" ifconfig_cxl1="inet 198.19.0.210/24 -tso4 -tso6 -lro -vlanhwtso"
 static_routes="generator receiver" static_routes="generator receiver"
-route_generator="-net 198.18.0.0/16 198.18.1.208"+route_generator="-net 198.18.0.0/16 198.18.2.208"
 route_receiver="-net 198.19.0.0/16 198.19.0.2" route_receiver="-net 198.19.0.0/16 198.19.0.2"
 static_arp_pairs="generator receiver" static_arp_pairs="generator receiver"
 static_arp_generator="198.18.1.208 00:07:43:2e:e5:98" static_arp_generator="198.18.1.208 00:07:43:2e:e5:98"
-static_arp_receiver="198.19.0.2 00:07:43:2f:fe:ba"+static_arp_receiver="198.19.0.2 00:07:43:2f:fe:b9"
  
 # IPv6 router # IPv6 router
Line 118: Line 130:
 ifconfig_cxl1_ipv6="inet6 2001:2:0:8000::210 prefixlen 64" ifconfig_cxl1_ipv6="inet6 2001:2:0:8000::210 prefixlen 64"
 ipv6_static_routes="generator receiver" ipv6_static_routes="generator receiver"
-ipv6_route_generator="2001:2:: -prefixlen 49 2001:1::208"+ipv6_route_generator="2001:2:: -prefixlen 49 2001:2:0:2::208"
 ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:8000::2" ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:8000::2"
 static_ndp_pairs="generator receiver" static_ndp_pairs="generator receiver"
 static_ndp_generator="2001:2:0:1::208 00:07:43:2e:e5:98" static_ndp_generator="2001:2:0:1::208 00:07:43:2e:e5:98"
-static_ndp_receiver="2001:2:0:8000::2 00:07:43:2f:fe:ba"+static_ndp_receiver="2001:2:0:8000::2 00:07:43:2f:fe:b9" 
 +cloned_interfaces="ipsec0" 
 +create_args_ipsec0="reqid 200" 
 +ifconfig_ipsec0="inet 198.18.2.210/24 198.18.2.208 tunnel 198.18.1.210 198.18.1.208" 
 +ifconfig_ipsec0_ipv6="inet6 2001:2:0:2::210 prefixlen 64"
  
-# Enabling IPSec +# Enabling IPsec
-kld_list="aesni"+
 ipsec_enable="YES" ipsec_enable="YES"
 </code> </code>
Line 134: Line 149:
 flush; flush;
 spdflush; spdflush;
-spdadd 198.18.0.0/16 198.19.0.0/16 any -P in ipsec esp/tunnel/198.18.1.208-198.18.1.210/require; +add 198.18.1.208 198.18.1.210 esp 10000 -tunnel -u 200 -E aes-gcm-16 "12345678901234567890"; 
-spdadd 198.19.0.0/16 198.18.0.0/16 any -P out ipsec esp/tunnel/198.18.1.210-198.18.1.208/require; +add 198.18.1.210 198.18.1.208 esp 10001 -tunnel -u 200 -E aes-gcm-16 "12345678901234567890";
-add 198.18.1.208 198.18.1.210 esp 0x1000 -E aes-gcm-16 "12345678901234567890"; +
-add 198.18.1.210 198.18.1.208 esp 0x1001 -E aes-gcm-16 "12345678901234567890"; +
-spdadd 2001:2::/49 2001:2:0:8000::/49 any -P in ipsec esp/tunnel/2001:2:0:1::208-2001:2:0:1::210/require; +
-spdadd 2001:2:0:8000::/49 2001:2::/49 any -P out ipsec esp/tunnel/2001:2:0:1::210-2001:2:0:1::208/require; +
-add 2001:2:0:1::208 2001:2:0:1::210 esp 0x1002 -E aes-gcm-16 "12345678901234567890"; +
-add 2001:2:0:1::210 2001:2:0:1::208 esp 0x1003 -E aes-gcm-16 "12345678901234567890";+
 </code> </code>
  
Line 160: Line 169:
   - Offering load = 5000 Mb/s   - Offering load = 5000 Mb/s
   - Step = 2500 Mb/s   - Step = 2500 Mb/s
-  - Measured forwarding rate = 1383 Mb/s+  - Measured forwarding rate = 1598 Mb/s
   - Forwared rate too low, forcing OLOAD=FWRATE and STEP=FWRATE/2   - Forwared rate too low, forcing OLOAD=FWRATE and STEP=FWRATE/2
 Iteration 2 Iteration 2
-  - Offering load = 1383 Mb/s +  - Offering load = 1598 Mb/s 
-  - Step = 691 Mb/s+  - Step = 799 Mb/s
   - Trend = decreasing   - Trend = decreasing
-  - Measured forwarding rate = 1384 Mb/s +  - Measured forwarding rate = 1597 Mb/s
-  - forwarding rate greater than offering load! (forcing FWRATE=OLOAD)+
 Iteration 3 Iteration 3
-  - Offering load = 1728 Mb/s +  - Offering load = 1997 Mb/s 
-  - Step = 345 Mb/s+  - Step = 399 Mb/s
   - Trend = increasing   - Trend = increasing
-  - Measured forwarding rate = 1383 Mb/s+  - Measured forwarding rate = 1602 Mb/s
 Iteration 4 Iteration 4
-  - Offering load = 1556 Mb/s +  - Offering load = 1798 Mb/s 
-  - Step = 172 Mb/s+  - Step = 199 Mb/s
   - Trend = decreasing   - Trend = decreasing
-  - Measured forwarding rate = 1386 Mb/s+  - Measured forwarding rate = 1599 Mb/s
 Iteration 5 Iteration 5
-  - Offering load = 1470 Mb/s +  - Offering load = 1699 Mb/s 
-  - Step = 86 Mb/s+  - Step = 99 Mb/s
   - Trend = decreasing   - Trend = decreasing
-  - Measured forwarding rate = 1384 Mb/s+  - Measured forwarding rate = 1600 Mb/s
 Iteration 6 Iteration 6
-  - Offering load = 1427 Mb/s +  - Offering load = 1650 Mb/s 
-  - Step = 43 Mb/s+  - Step = 49 Mb/s
   - Trend = decreasing   - Trend = decreasing
-  - Measured forwarding rate = 1385 Mb/s+  - Measured forwarding rate = 1603 Mb/s
 Iteration 7 Iteration 7
-  - Offering load = 1406 Mb/s +  - Offering load = 1626 Mb/s 
-  - Step = 21 Mb/s+  - Step = 24 Mb/s
   - Trend = decreasing   - Trend = decreasing
-  - Measured forwarding rate = 1384 Mb/s +  - Measured forwarding rate = 1604 Mb/s 
-Estimated Equilibrium Ethernet throughput= 1384 Mb/s (maximum value seen: 1386 Mb/s)+Estimated Equilibrium Ethernet throughput= 1604 Mb/s (maximum value seen: 1604 Mb/s)
 </code> </code>
  
-=> We reach about 1.386Gb/s of encrypted traffic (notice the equilibrium script bug at step 2 that could stop here).+=> We reach about 1.604Gb/s to encrypt 5000 flows.
  
 ==== Encryption algorithms ==== ==== Encryption algorithms ====
- 
-TO DO: 
- 
-<code> 
-~/netbenches/Atom_C2758_8Cores-Chelsio_T540-CR % ../scripts/bench-lab.sh -f bench-lab-3nodes.config -c ipsec/configs/ -p ../pktgen.configs/dualstack-vpn/ -d ipsec/results/fbsd11.1/ 
-</code> 
  
  
 +{{:documentation:examples:bsdrp-8core-atom-ipsec-bench.png}}
  
  
  
documentation/examples/ipsec_performance_of_a_superserver_5018a-ftn4.1508753838.txt.gz · Last modified: 2017/10/23 12:17 by 127.0.0.1
Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki