documentation:examples:ipsec_performance_of_a_superserver_5018a-ftn4
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
documentation:examples:ipsec_performance_of_a_superserver_5018a-ftn4 [2020/09/22 11:49] – [Diagram] olivier | documentation:examples:ipsec_performance_of_a_superserver_5018a-ftn4 [2020/09/22 11:56] (current) – [Encryption algorithms] olivier | ||
---|---|---|---|
Line 54: | Line 54: | ||
Configure IP address, routes and static IPSec. | Configure IP address, routes and static IPSec. | ||
+ | |||
+ | / | ||
+ | < | ||
+ | # Loading AES-NI module sooner to be sure it is loaded before IPsec keys | ||
+ | aesni_load=" | ||
+ | </ | ||
/ | / | ||
Line 59: | Line 65: | ||
# IPv4 router | # IPv4 router | ||
gateway_enable=" | gateway_enable=" | ||
- | static_routes=" | ||
- | route_generator=" | ||
- | route_receiver=" | ||
ifconfig_cxl0=" | ifconfig_cxl0=" | ||
ifconfig_cxl1=" | ifconfig_cxl1=" | ||
+ | static_routes=" | ||
+ | route_generator=" | ||
+ | route_receiver=" | ||
static_arp_pairs=" | static_arp_pairs=" | ||
- | static_arp_generator=" | + | static_arp_generator=" |
static_arp_receiver=" | static_arp_receiver=" | ||
Line 71: | Line 77: | ||
ipv6_gateway_enable=" | ipv6_gateway_enable=" | ||
ipv6_activate_all_interfaces=" | ipv6_activate_all_interfaces=" | ||
- | ipv6_static_routes=" | ||
- | ipv6_route_generator=" | ||
- | ipv6_route_receiver=" | ||
ifconfig_cxl0_ipv6=" | ifconfig_cxl0_ipv6=" | ||
ifconfig_cxl1_ipv6=" | ifconfig_cxl1_ipv6=" | ||
+ | ipv6_static_routes=" | ||
+ | ipv6_route_generator=" | ||
+ | ipv6_route_receiver=" | ||
static_ndp_pairs=" | static_ndp_pairs=" | ||
- | static_ndp_generator=" | + | static_ndp_generator=" |
static_ndp_receiver=" | static_ndp_receiver=" | ||
- | # Enabling IPSec | + | cloned_interfaces=" |
- | kld_list="aesni" | + | create_args_ipsec0="reqid 100" |
+ | ifconfig_ipsec0=" | ||
+ | ifconfig_ipsec0_ipv6=" | ||
+ | |||
+ | # Enabling IPsec | ||
ipsec_enable=" | ipsec_enable=" | ||
</ | </ | ||
Line 90: | Line 100: | ||
flush; | flush; | ||
spdflush; | spdflush; | ||
- | spdadd 198.18.0.0/ | + | add 198.18.1.208 198.18.1.210 |
- | spdadd 198.19.0.0/ | + | add 198.18.1.210 198.18.1.208 esp 10001 -m tunnel -u 100 -E aes-gcm-16 " |
- | add 198.18.1.208 198.18.1.210 esp 0x1000 | + | |
- | add 198.18.1.210 198.18.1.208 esp 0x1001 | + | |
- | spdadd 2001:2::/49 2001: | + | |
- | spdadd 2001: | + | |
- | add 2001: | + | |
- | add 2001: | + | |
</ | </ | ||
==== Reference Endpoint ==== | ==== Reference Endpoint ==== | ||
+ | |||
+ | / | ||
+ | < | ||
+ | # Loading AES-NI module sooner to be sure it is loaded before IPsec keys | ||
+ | aesni_load=" | ||
+ | </ | ||
Configure IP address, routes and static IPSec: | Configure IP address, routes and static IPSec: | ||
< | < | ||
- | # IPv4 router | ||
gateway_enable=" | gateway_enable=" | ||
ifconfig_cxl0=" | ifconfig_cxl0=" | ||
ifconfig_cxl1=" | ifconfig_cxl1=" | ||
static_routes=" | static_routes=" | ||
- | route_generator=" | + | route_generator=" |
route_receiver=" | route_receiver=" | ||
static_arp_pairs=" | static_arp_pairs=" | ||
static_arp_generator=" | static_arp_generator=" | ||
- | static_arp_receiver=" | + | static_arp_receiver=" |
# IPv6 router | # IPv6 router | ||
Line 121: | Line 130: | ||
ifconfig_cxl1_ipv6=" | ifconfig_cxl1_ipv6=" | ||
ipv6_static_routes=" | ipv6_static_routes=" | ||
- | ipv6_route_generator=" | + | ipv6_route_generator=" |
ipv6_route_receiver=" | ipv6_route_receiver=" | ||
static_ndp_pairs=" | static_ndp_pairs=" | ||
static_ndp_generator=" | static_ndp_generator=" | ||
- | static_ndp_receiver=" | + | static_ndp_receiver=" |
+ | cloned_interfaces=" | ||
+ | create_args_ipsec0=" | ||
+ | ifconfig_ipsec0=" | ||
+ | ifconfig_ipsec0_ipv6=" | ||
- | # Enabling | + | # Enabling |
- | kld_list=" | + | |
ipsec_enable=" | ipsec_enable=" | ||
</ | </ | ||
Line 137: | Line 149: | ||
flush; | flush; | ||
spdflush; | spdflush; | ||
- | spdadd 198.18.0.0/ | + | add 198.18.1.208 198.18.1.210 |
- | spdadd 198.19.0.0/ | + | add 198.18.1.210 198.18.1.208 esp 10001 -m tunnel -u 200 -E aes-gcm-16 " |
- | add 198.18.1.208 198.18.1.210 esp 0x1000 | + | |
- | add 198.18.1.210 198.18.1.208 esp 0x1001 | + | |
- | spdadd 2001:2::/49 2001: | + | |
- | spdadd 2001: | + | |
- | add 2001: | + | |
- | add 2001: | + | |
</ | </ | ||
Line 163: | Line 169: | ||
- Offering load = 5000 Mb/s | - Offering load = 5000 Mb/s | ||
- Step = 2500 Mb/s | - Step = 2500 Mb/s | ||
- | - Measured forwarding rate = 1383 Mb/s | + | - Measured forwarding rate = 1598 Mb/s |
- Forwared rate too low, forcing OLOAD=FWRATE and STEP=FWRATE/ | - Forwared rate too low, forcing OLOAD=FWRATE and STEP=FWRATE/ | ||
Iteration 2 | Iteration 2 | ||
- | - Offering load = 1383 Mb/s | + | - Offering load = 1598 Mb/s |
- | - Step = 691 Mb/s | + | - Step = 799 Mb/s |
- Trend = decreasing | - Trend = decreasing | ||
- | - Measured forwarding rate = 1384 Mb/s | + | - Measured forwarding rate = 1597 Mb/s |
- | - forwarding rate greater than offering load! (forcing FWRATE=OLOAD) | + | |
Iteration 3 | Iteration 3 | ||
- | - Offering load = 1728 Mb/s | + | - Offering load = 1997 Mb/s |
- | - Step = 345 Mb/s | + | - Step = 399 Mb/s |
- Trend = increasing | - Trend = increasing | ||
- | - Measured forwarding rate = 1383 Mb/s | + | - Measured forwarding rate = 1602 Mb/s |
Iteration 4 | Iteration 4 | ||
- | - Offering load = 1556 Mb/s | + | - Offering load = 1798 Mb/s |
- | - Step = 172 Mb/s | + | - Step = 199 Mb/s |
- Trend = decreasing | - Trend = decreasing | ||
- | - Measured forwarding rate = 1386 Mb/s | + | - Measured forwarding rate = 1599 Mb/s |
Iteration 5 | Iteration 5 | ||
- | - Offering load = 1470 Mb/s | + | - Offering load = 1699 Mb/s |
- | - Step = 86 Mb/s | + | - Step = 99 Mb/s |
- Trend = decreasing | - Trend = decreasing | ||
- | - Measured forwarding rate = 1384 Mb/s | + | - Measured forwarding rate = 1600 Mb/s |
Iteration 6 | Iteration 6 | ||
- | - Offering load = 1427 Mb/s | + | - Offering load = 1650 Mb/s |
- | - Step = 43 Mb/s | + | - Step = 49 Mb/s |
- Trend = decreasing | - Trend = decreasing | ||
- | - Measured forwarding rate = 1385 Mb/s | + | - Measured forwarding rate = 1603 Mb/s |
Iteration 7 | Iteration 7 | ||
- | - Offering load = 1406 Mb/s | + | - Offering load = 1626 Mb/s |
- | - Step = 21 Mb/s | + | - Step = 24 Mb/s |
- Trend = decreasing | - Trend = decreasing | ||
- | - Measured forwarding rate = 1384 Mb/s | + | - Measured forwarding rate = 1604 Mb/s |
- | Estimated Equilibrium Ethernet throughput= | + | Estimated Equilibrium Ethernet throughput= |
</ | </ | ||
- | => We reach about 1.386Gb/s of encrypted traffic (notice the equilibrium script bug at step 2 that could stop here). | + | => We reach about 1.604Gb/s to encrypt 5000 flows. |
==== Encryption algorithms ==== | ==== Encryption algorithms ==== | ||
- | |||
- | TO DO: | ||
- | |||
- | < | ||
- | ~/ | ||
- | </ | ||
+ | {{: | ||
documentation/examples/ipsec_performance_of_a_superserver_5018a-ftn4.1600768167.txt.gz · Last modified: 2020/09/22 11:49 by olivier