[Openswan Users] openswan's limitations ?

Paul Wouters paul at xelerance.com
Thu Nov 25 22:36:13 CET 2004


On Thu, 25 Nov 2004, albert agusti wrote:

> I'd like to know about any BIG success with Linux and IPsec.

I am afraid most of those BIG successes are in those industries that
really don't want to inform us of the success. We have received some
private verbal feedback of large installations.  The only really large
public deployment that I know of in the range of thousands is AT&T, but I
am not sure if their receiver end was *swan based as well. But I believe
they had tens of thousands of devices for homeworkers which were
basically *swan based roadwarriors.

Benchmarks showed that we can set up more than 1500 new tunnels per second
on a single P-4 CPU, provided we switch to using /dev/urandom and have
a UDMA disk for logging fast enough. For crypto operations in the kernel,
CPU is the obvious limiting factor.

Openswan-2 CVS is currently undergoing a major change. It is splitting
some functionality into a crypto_helper thread, which should help when
using Xeons and hyperthreaded CPUs.

I am not sure how well cryptoapi can offload the crypto, whether
it can use multiple CPUs, and whether it is sync or async. It seems to
depend on whatever patches and versions are used.

Various accelerator cards (SafeNet, Hifn, Cavium) either have (unreleased
or NDA needed) patches (usually against obsolete FreeS/WAN versions) or
are still wondering if they should invest in making or buying drivers
for Linux.  They seem to prefer no open source drivers to protect their
IP over people using their hardware in open source systems.  If anyone is
seriously interested in pushing these vendors, contact me offlist.

Paul

