Bug 132622 - [glxsb] [patch] glxsb(4) performs badly with ipsec
Summary: [glxsb] [patch] glxsb(4) performs badly with ipsec
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 8.0-CURRENT
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-14 11:40 UTC by patfbsd
Modified: 2018-01-03 05:16 UTC (History)
0 users

See Also:


Attachments
file.diff (7.07 KB, patch)
2009-03-14 11:40 UTC, patfbsd
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description patfbsd 2009-03-14 11:40:00 UTC
The glxsb(4) driver performs badly when using it with ipsec.

With an ipsec tunnel using aes-128-cbc encryption and no hmac authentication the throughput is around 15 Mbits. The cryptosoft driver performs better!

The problem is that glxsb(4) processes only one encryption request at a time.
When it is busy, it blocks the Open Crypto Framework (OCF) and unblocks it when the previous request is completed. Then the OCF has to wake up and to resubmit the crypto request. This performs very badly with ipsec (tests show that there are a number of block/unblock occuring).

The attached patch makes glxsb to not block the OCF, instead it queues the crypto requests into the driver. This performs a lot of better, the throughput is around 50 Mbits with ipsec.

Another solution could be to perform the crypto request synchronously in the function glxsb_crypto_process() (ie without the use of a taskqueue). Let me know if you think that will be better, I will submit another patch.

Fix: See the attached patch 

Patch attached with submission follows:
How-To-Repeat: 3 machines:
PC1 <---(ipsec)----> Soekris box (glxsb) <-------> PC2

PC1: 192.168.1.20
Soekris: 192.168.1.200 and 192.168.2.200
PC2: 192.168.2.97

Netperf TCP tests between PC1 and PC2

setkey file on PC1
flush;
spdflush;
add 192.168.1.20 192.168.1.200 esp 1011
        -E rijndael-cbc "0123456789012345";
add 192.168.1.200 192.168.1.20 esp 1012
        -E rijndael-cbc "0123456789012345";
spdadd 192.168.2.0/24 192.168.1.20  any -P in ipsec
        esp/tunnel/192.168.1.200-192.168.1.20/require;
spdadd 192.168.1.20 192.168.2.0/24 any -P out ipsec
        esp/tunnel/192.168.1.20-192.168.1.200/require;

setkey file on the Soekris
flush;
spdflush;
add 192.168.1.20 192.168.1.200 esp 1011
        -E rijndael-cbc "0123456789012345";
add 192.168.1.200 192.168.1.20 esp 1012
        -E rijndael-cbc "0123456789012345";
spdadd 192.168.2.0/24 192.168.1.20  any -P out ipsec
        esp/tunnel/192.168.1.200-192.168.1.20 /require;
spdadd 192.168.1.20 192.168.2.0/24 any -P in ipsec
        esp/tunnel/192.168.1.20-192.168.1.200/require;
Comment 1 Philip Paeps freebsd_committer 2009-03-15 06:11:54 UTC
Responsible Changed
From-To: freebsd-bugs->philip

I'll take it.
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:00:31 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped