[Openswan Users] IPSec Hardware Acceleration

David McCullough David_Mccullough at securecomputing.com
Tue Mar 24 21:31:09 EDT 2009


Jivin Paul Wouters lays it down ...
> On Fri, 20 Mar 2009, hiren joshi wrote:
> 
> > I am interested in enhancing IPSec thruput of KLIPS stack.
> >
> > Could anyone please share their experiences on this?
> >
> > 1. Which card to prefer which can give plug-and-play kind of
> > integration (I am looking at gigabit thruput rates). My host system
> > runs on linux-2.6.16.13
> > 2. How does it hook up with KLIPS (OCF, non OCF)
> > 3. Any performance data of the accelerated system
> > 4. Any other (pros/cons) of the reference system
> >
> > I am at a very early stage - and am evaluating options of cards that
> > can give me gigabit rates and easily integrate with Openswan/KLIPS.
> 
> Usually acceleration makes more sense with slower systems. If you want
> to go this fast, your best bet is probably to just get some Intel Core 2 Quad
> system.

Especially if you are happy to run AES (which is much more suited to a
SW implementation).  Of course this eats CPU you may need for something
else,  but with a 2+GHz quad core and the right combination of kernels
and stacks you may get close to Gbit performance using AES.

Using openssl/OCF from user space you can get a total throughput of
about 1.6Gbits if you are using 10+ threads doing crypto.  A single
thread cannot do that well (don't have the number handy).

Still,  more below.

> I think Intel and HiFN are probably the most tested accelerators (well and
> some of the broadcom stuff for mips, but that won't give you gigabit :)
> 
> Perhaps David can tell you more....

I am assuming you want this solution on a desktop/server machine and not
some custom built embedded solution?  Just checking :-)

For PC based crypto I know of a few options:

Hifn 7956 (PCI-X) - plugin card

	The best possible in-kernel crypto performance I can get in a
	64bit/66MHz slot is around 515Mbps.  This goes down once you add
	ipsec + networking etc.

	OCF drivers, native linux drivers.

Cavium NITROX - plugin card

	I am actually working with one of these at the moment, so the jury
	is still deciding what it can do.  In theory it can handle up to
	2.5Gbps in their more expensive versions (~~$125),  it's PCIe,  which
	is a bonus ;-)

	They have various linux source/patches to use.  The license for the
	ipsec code is OCF compatible so there may be a driver for that at
	some point.

	Vendor provided drivers.

Safenet 1141/... (maybe a card somewhere)

	Not sure if you can get these on a card,  but they are about the
	same as the hifn above,  except they can also do full crypto
	processing.

	OCF drivers.

VIA CPU+motherboards

	The AES performance on a VIA is mind blowing,  providing the reduced
	bus bandwidth doesn't affect you for other functions you need to do.
	I have had about 600Mbits/s large packet throughput using ipsec+aes128
	on a 1.5GHz via-nab-7500.

	Linux drivers, works with OCF using cryptosoft.

Intel/Tolapai

	More an embedded board,  but you can buy it in pre-assembled boxes.
	For a 1.2GHz system it is pretty good.  Line rate networking and
	very fast crypto (if you get the Quick assist version).  Quite cheap
	really.  Using their patches, openswan-2.4.9 and linux-2.6.18 they
	achieve very good ipsec throughput numbers, check their site for
	details.  There are some performance issues yet to be resolved with
	later kernels/OCF/openswan combos.

	OCF drivers.

The one thing you get with HW crypto cards is reduced CPU.  So if you
have a high load (proxies, AV, anti-spam, deep inspection etc) then it
might be nice to remove the crypto overhead and give it to a card.  If
however the only task is networking+crypto,  an SMP system may perform
just as well (or better) depending on the algs chosen and the system
speed etc.

All in all,  there can be a lot of experimentation needed before you find
the solution that works best.

Cheers,
Davidm

-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org

