[Openswan dev] Netkey vs OpenSwan OCF

remy.gauguey at mindspeed.com
Tue Aug 29 07:59:34 EDT 2006


I'm currently working on a future ARM (ARM1136) SoC which will provide an
ESP/AH packet-level IPsec offload engine.
This completely fits the future OCF level 2 approach.
But before jumping in this direction, I wanted to evaluate Openswan with
KLIPS OCF on my current platform.
This platform (ARM920T) also provides a raw crypto hardware accelerator
(but not IPsec packet level).
This platform is currently running native 2.6 IPsec plus a patch
allowing the ESP and AH code to use this hardware resource.

I've just integrated my hw accelerator as an OCF driver to use it with
OpenSwan OCF (with 2.6.17 kernel).
It's working, but I'm facing some performance limitations:

For small packets (64 bytes) processed without interrupts, in a synchronous
way, the number of packets per second is limited to 5 Kpps, whereas using
NETKEY I can reach ~20 Kpps.
Using the same platform in a back-to-back configuration, I could identify
that the performance drop only appears in the IPsec outbound direction.
I can see 17 Kpps for inbound traffic but only 5 Kpps for outbound.
I'm testing tunnel mode only, and tracing the OpenSwan code, it appears
that the IPIP tunnel is a complete step of the Tx state machine, whereas in
Linux it's part of ESP/AH.
Also, it seems to me that the routing code (radij code) is called for each packet
and doesn't make use of any routing cache (like Linux does). Am I right?

I wanted to know if this performance limitation is a well-known problem and
if any patch allowing Openswan to use routing caches exists.
Also, I'd like to know where to find performance comparisons between NETKEY
and Openswan on the same hardware ...

Thanks a lot for any suggestion/comments
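A per-direction packet-rate probe that reproduces the inbound/outbound split measured above, as an added example that is not part of the original post or of Openswan. It assumes the Linux /proc/net/dev counter layout (after the interface name, rx_packets is the second counter and tx_packets the tenth); the two snapshots, the interface name ipsec0 and the counter values are constructed sample data whose deltas simply echo the post's 17 Kpps / 5 Kpps figures.

```shell
#!/bin/sh
# Added example (not from the post or from Openswan): measure packets per
# second separately for the receive and transmit side of one interface by
# diffing two /proc/net/dev snapshots. Assumes the standard Linux layout:
#   <if>: rx_bytes rx_packets rx_errs ... (8 rx counters) tx_bytes tx_packets ...

# Print "rx_packets tx_packets" for interface $1 from the /proc/net/dev text
# passed in $2. Prints nothing if the interface is absent.
dev_packets() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        {
            sub(/^[ \t]+/, "")                 # counters may be left-padded
            if (index($0, ifc ":") != 1) next  # skip headers and other interfaces
            sub(/^[^:]*:[ \t]*/, "")           # drop "ipsec0:" (may be glued to $1)
            print $2, $10                      # rx_packets, tx_packets
            exit
        }'
}

# Print "rx_pps=N tx_pps=M" for interface $1 over an interval of $2 seconds,
# given a first snapshot $3 and a second snapshot $4 of /proc/net/dev.
pps_between() {
    ifc=$1; interval=$2
    before=$(dev_packets "$ifc" "$3")
    after=$(dev_packets "$ifc" "$4")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "pps_between: interface $ifc not found in snapshot" >&2
        return 1
    fi
    set -- $before $after   # $1 rx0  $2 tx0  $3 rx1  $4 tx1
    echo "rx_pps=$(( ($3 - $1) / interval )) tx_pps=$(( ($4 - $2) / interval ))"
}

# Live measurement on a Linux box: two samples $2 seconds apart (default 1).
measure_pps() {
    i=${2:-1}
    s0=$(cat /proc/net/dev)
    sleep "$i"
    s1=$(cat /proc/net/dev)
    pps_between "$1" "$i" "$s0" "$s1"
}

# Constructed sample snapshots one second apart. The ipsec0 deltas are
# 17000 rx packets and 5000 tx packets, mirroring the post's numbers.
SNAP0=$(cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0:  640000   10000    0    0    0     0          0         0   640000   10000    0    0    0     0       0          0
ipsec0:   64000    1000    0    0    0     0          0         0    64000    1000    0    0    0     0       0          0
EOF
)
SNAP1=$(cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1920000   30000    0    0    0     0          0         0  1920000   30000    0    0    0     0       0          0
ipsec0: 1152000   18000    0    0    0     0          0         0   384000    6000    0    0    0     0       0          0
EOF
)

# Offline demonstration on the constructed data.
pps_between ipsec0 1 "$SNAP0" "$SNAP1"
```

On a live KLIPS box, `measure_pps ipsec0 1` while pushing traffic in one direction at a time gives the same two numbers from the real counters; the transmit side of the ipsecN device is the encapsulating (outbound) path, so a low tx_pps against a healthy rx_pps is the asymmetry the post describes. Counts are integer-divided by the interval, so use an interval of at least a second for stable figures.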
