Bug 132622 - [glxsb] [patch] glxsb(4) performs badly with ipsec
Summary: [glxsb] [patch] glxsb(4) performs badly with ipsec
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 8.0-CURRENT
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
Depends on:
Reported: 2009-03-14 11:40 UTC by patfbsd
Modified: 2018-01-03 05:16 UTC (History)
0 users

See Also:

file.diff (7.07 KB, patch)
2009-03-14 11:40 UTC, patfbsd
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description patfbsd 2009-03-14 11:40:00 UTC
The glxsb(4) driver performs badly when using it with ipsec.

With an ipsec tunnel using aes-128-cbc encryption and no hmac authentication the throughput is around 15 Mbits. The cryptosoft driver performs better!

The problem is that glxsb(4) processes only one encryption request at a time.
When it is busy, it blocks the Open Crypto Framework (OCF) and unblocks it when the previous request is completed. Then the OCF has to wake up and to resubmit the crypto request. This performs very badly with ipsec (tests show that there are a number of block/unblock occuring).

The attached patch makes glxsb to not block the OCF, instead it queues the crypto requests into the driver. This performs a lot of better, the throughput is around 50 Mbits with ipsec.

Another solution could be to perform the crypto request synchronously in the function glxsb_crypto_process() (ie without the use of a taskqueue). Let me know if you think that will be better, I will submit another patch.

Fix: See the attached patch 

Patch attached with submission follows:
How-To-Repeat: 3 machines:
PC1 <---(ipsec)----> Soekris box (glxsb) <-------> PC2

Soekris: and

Netperf TCP tests between PC1 and PC2

setkey file on PC1
add esp 1011
        -E rijndael-cbc "0123456789012345";
add esp 1012
        -E rijndael-cbc "0123456789012345";
spdadd  any -P in ipsec
spdadd any -P out ipsec

setkey file on the Soekris
add esp 1011
        -E rijndael-cbc "0123456789012345";
add esp 1012
        -E rijndael-cbc "0123456789012345";
spdadd  any -P out ipsec
        esp/tunnel/ /require;
spdadd any -P in ipsec
Comment 1 Philip Paeps freebsd_committer 2009-03-15 06:11:54 UTC
Responsible Changed
From-To: freebsd-bugs->philip

I'll take it.
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:00:31 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped