[Openswan Users] [Ocf-linux-users] IPSec L2tpv3 throughput low using Netkey kernel stack

Kim Phillips kim.phillips at freescale.com
Tue May 24 14:02:45 EDT 2011


On Mon, 23 May 2011 16:46:34 +0800
Vasanth Ragavendran <ragavendrapec at gmail.com> wrote:

> On Fri, May 20, 2011 at 12:20 PM, Kim Phillips
> <kim.phillips at freescale.com>wrote:
> 
> > On Thu, 19 May 2011 20:18:40 -0700
> > Vasanth Ragavendran <ragavendrapec at gmail.com> wrote:
> >
> > > On Wed, May 18, 2011 at 7:02 PM, David McCullough <
> > > david_mccullough at mcafee.com> wrote:
> > > > Jivin Paul Wouters lays it down ...
> > > > > On Tue, 17 May 2011, Kim Phillips wrote:
> > > > >
> > > > > > Known working (to me at least) IPsec offload configuration for the
> > > > > > 8315 should be NETKEY with CONFIG_CRYPTO_DEV_TALITOS configured in
> > > > > > a vanilla kernel.  To be able to tell whether h/w crypto offload is
> > > > > > in operation, see 'grep talitos /proc/interrupts' run.
> > > >
> > > As Kim had mentioned I had loaded the CONFIG_CRYPTO_DEV_TALITOS as a
> > module
> > > with the module in the kernel i am getting a lower throughput! I am
> > getting
> > > only 13.4Mbps however without the module inserted i get 14.7Mbps how
> > could
> > > this be possible and the results sounds really ridiculous to me! And when
> > > the CONFIG_CRYPTO_DEV_TALITOS is loaded i am able to view it using grep
> > > talitos /proc/interrupts. so the hardware accelerator is getting used
> > > however resulting in a lower throughput! That's absurd am I missing
> > > something here?
> >
> > Is this a *vanilla* kernel CONFIG_CRYPTO_DEV_TALITOS driver, or is
> > it from the freescale BSP?  If the latter, please forward your
> > inquiry to the standard freescale BSP support channels.
> >
> > No this is the vanilla kernel's and not from the freescale.

ok, so some version of the kernel.org kernel + klips + ocf patches.
What version?

> > Otherwise (vanilla kernel), sounds like too little crypto
> > payload and/or rate - so little that sending it to the accelerator
> > and waiting for results takes longer than s/w crypto on the core.
> > Can you benchmark using the 'null' cipher algorithm to make sure
> > this is the case?
> >
> Will check on the 'null' cipher part. But why is the thruput lower when
> using Klips, ocf and cryptodev and the rest of the settings being the same i

OCF_CRYPTODEV=y?  shouldn't be relevant.

> achieve only around 11Mbps. Thank u so much and sorry for the late reply.

so, given the following configuration settings:

CRYPTO_DEV_TALITOS=y
OCF_CRYPTOSOFT=y
#OCF_TALITOS is not set

and

grep talitos /proc/interrupts

indeed shows numbers incrementing with traffic - i.e., the
algorithms chosen for the tunnel are implemented in the driver -
then there's some performance bottleneck between the klips and/or
ocf code and the kernel's cryptoAPI.  How does a pure vanilla kernel
perform? i.e, without klips & ocf patches.

Kim



More information about the Users mailing list