Monday, June 10, 2019

Re: IPsec bandwidth perf on APU4C4

On 2019-06-10, mabi <mabi@protonmail.ch> wrote:

> Bypassing the IPsec tunnel I get around 500 Mbit/s of bandwidth throughput which is quite satisfying. The bandwidth throughput over my IPsec tunnel achieves a max of 80 Mbit/s which I was sort of expecting with the default encryption settings (auth hmac-sha2-256 enc aes-256).

It helps to understand that the authentication algorithm can require
as much or more CPU than the encryption. HMAC-SHA2 is expensive.
On hardware that has AES-NI support, like the APU2 family, AES-GCM
is generally the fastest encryption/authentication combo.

> In order to increase bandwidth throughput over my IPsec tunnel I wanted to know what you guys think is a good compromise between performance and security? I was thinking for example of changing the encryption cipher to aes-128 instead of aes-256 and maybe blowfish? What would you recommend?

AES-128 is good enough, although on the APU2 family with AES-NI it
seems to be only marginally faster than AES-256.

Don't use Blowfish. It's obsolete. And its reputation for speed
precedes the introduction of AES.

> Anything else I should be looking at? maybe like a hardware crypto accellerator miniPCI card compatible with the APU4 and OpenBSD?

No, that was 15 years ago.

--
Christian "naddy" Weisgerber naddy@mips.inka.de

No comments:

Post a Comment