Benchmarking and Performance testing
The performance of an IPsec system depends on the CPU, RAM, NICs, switches, kernel and configuration, including the cipher and integrity algorithms chosen for ESP.
The Alteeve Niche's Anvil RN2-M2 platform
Hardware used for this testing was supplied by Alteeve Niche's.
The platform is based on a set of Fujitsu RX300 S8 servers (specification). Each machine has a number of Intel Corporation 82599ES 10-Gigabit NICs that are bonded, and all NICs are connected to a set of Brocade ICX6610-24 switches. We picked one bonded pair of 10Gbps ports, interface bond1, for our IPsec tests. The Anvil comes with an 8-core Intel(R) Xeon(R) CPU E5-2637 v2 @ 3.50GHz with AES-NI support. The MTU was left at the platform's default 9k (jumbo frame) setting. The kernel used was 2.6.32-504.1.3.el6.x86_64.
IPsec performance measured with iperf
iperf was used with its default settings (TCP, a single stream):
- 9.78 Gbits/sec unencrypted without IPsec
- 5.25 Gbits/sec IPsec AES_GCM128
- 1.19 Gbits/sec IPsec NULL-AES_XCBC
- 1.78 Gbits/sec IPsec NULL-SHA1
- 1.27 Gbits/sec IPsec AES256-SHA1
- 1.39 Gbits/sec IPsec AES128-SHA1
- 197 Mbits/sec IPsec 3DES-SHA1
We did some additional tests, but those are less accurate. Using protoport= we could select multiple IPsec SAs (in the hope that the load would distribute better across cores) or run encrypted and unencrypted streams side by side:
- two streams, one plaintext: 8.64 Gbits/sec plaintext plus 1.24 Gbits/sec AES256-SHA1
- two streams, both AES256-SHA1: 819 Mbits/sec plus 615 Mbits/sec (the second possibly was AES128)
We are investigating why AES_GCM128 is so much faster than NULL-AES_XCBC.
CPU/crypto performance measured with openssl
For the "without AES-NI" runs, AES-NI was disabled via export OPENSSL_ia32cap=~0x200000200000000 (this masks the CPUID bits for AES-NI and PCLMULQDQ so OpenSSL falls back to its software implementation).
All figures are in 1000s of bytes per second, as openssl speed reports them.

Without AES-NI, single process (no -multi): openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     241508.56k   266220.03k   273663.06k   276314.11k   275479.81k

With AES-NI, single process (no -multi): openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     502470.66k   528580.69k   532890.45k   535901.87k   536368.47k

Without AES-NI, single process (no -multi): openssl speed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     320425.43k   366515.97k   377561.00k   383643.99k   383777.51k

With AES-NI, single process (no -multi): openssl speed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     688604.26k   732936.83k   742459.28k   748241.92k   748756.99k

With AES-NI, using all cores: openssl speed -multi 8 -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
evp            3729202.24k  4009617.79k  4053305.43k  4065434.97k  4068764.33k

With AES-NI, using all cores: openssl speed -multi 8 -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
evp            5033772.55k  5494390.59k  5632183.30k  5668856.15k  5679707.48k
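To put the openssl figures and the iperf results above on the same scale, the following added example (written for this edit, not code from the original page or from the Anvil/Libreswan projects) parses `openssl speed -evp` output and iperf summary lines, converts openssl's "1000s of bytes per second" into Gbit/s, computes the AES-NI speedup per block size, and reports what fraction of the plaintext line rate each IPsec configuration retained. The openssl and iperf samples embedded in it are constructed in the format those tools print, using the numbers reported on this page; the iperf byte counts in them are assumed, not measured.

```python
"""Compare raw cipher throughput (openssl speed) with measured IPsec
throughput (iperf). Added example; samples below are constructed."""
import re

# Constructed sample: `openssl speed -evp aes-256-cbc` with AES-NI masked
# off via OPENSSL_ia32cap=~0x200000200000000 (figures from this page).
SPEED_NO_AESNI = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     241508.56k   266220.03k   273663.06k   276314.11k   275479.81k
"""

# Constructed sample: the same command with AES-NI enabled.
SPEED_AESNI = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     502470.66k   528580.69k   532890.45k   535901.87k   536368.47k
"""

# Constructed samples of iperf's TCP summary line. The bandwidth figures are
# the ones measured on this page; the transferred byte counts are assumed.
IPERF_PLAIN = "[  3]  0.0-10.0 sec  11.4 GBytes  9.78 Gbits/sec"
IPERF_AES256_SHA1 = "[  3]  0.0-10.0 sec  1.48 GBytes  1.27 Gbits/sec"
IPERF_3DES_SHA1 = "[  3]  0.0-10.0 sec   235 MBytes   197 Mbits/sec"

# Block sizes openssl speed uses when no 'type ... bytes' header is printed
# (the header-less 'evp' row that -multi produces).
DEFAULT_BLOCKS = (16, 64, 256, 1024, 8192)

_ROW = re.compile(r"^(\S+)\s+((?:\d+(?:\.\d+)?k\s*)+)$")
_IPERF = re.compile(r"(\d+(?:\.\d+)?)\s+([KMG])bits/sec")


def parse_openssl_speed(text):
    """Return {cipher: {block_size_bytes: kbytes_per_sec}}.

    Reads block sizes from the 'type ... N bytes' header when present and
    falls back to DEFAULT_BLOCKS for a header-less row.
    """
    blocks = list(DEFAULT_BLOCKS)
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("type"):
            blocks = [int(b) for b in re.findall(r"(\d+) bytes", line)]
            continue
        m = _ROW.match(line)
        if not m:
            continue
        values = [float(v.rstrip("k")) for v in m.group(2).split()]
        results[m.group(1)] = dict(zip(blocks, values))
    return results


def kbytes_to_gbits(kbytes_per_sec):
    """openssl's 'k' is 1000 bytes; convert to Gbit/s."""
    return kbytes_per_sec * 1000 * 8 / 1e9


def aesni_speedup(without, with_, cipher, block=8192):
    """Ratio of AES-NI to software throughput for one cipher and block size."""
    return with_[cipher][block] / without[cipher][block]


def parse_iperf_gbps(line):
    """Extract the bandwidth from an iperf summary line, normalised to Gbit/s."""
    m = _IPERF.search(line)
    if not m:
        raise ValueError("no bandwidth field in: %r" % line)
    scale = {"K": 1e-6, "M": 1e-3, "G": 1.0}[m.group(2)]
    return float(m.group(1)) * scale


def line_rate_fraction(plain_line, ipsec_line):
    """Fraction of the unencrypted throughput retained under IPsec."""
    return parse_iperf_gbps(ipsec_line) / parse_iperf_gbps(plain_line)


if __name__ == "__main__":
    sw = parse_openssl_speed(SPEED_NO_AESNI)
    hw = parse_openssl_speed(SPEED_AESNI)
    for blk in DEFAULT_BLOCKS:
        print("aes-256-cbc %5d-byte blocks: AES-NI speedup %.2fx, %.2f Gbit/s single process"
              % (blk, aesni_speedup(sw, hw, "aes-256-cbc", blk),
                 kbytes_to_gbits(hw["aes-256-cbc"][blk])))
    for name, line in (("AES256-SHA1", IPERF_AES256_SHA1),
                       ("3DES-SHA1", IPERF_3DES_SHA1)):
        print("%-12s %.3f Gbit/s = %.0f%% of plaintext line rate"
              % (name, parse_iperf_gbps(line),
                 100 * line_rate_fraction(IPERF_PLAIN, line)))
```

On the page's numbers this works out to roughly 4.29 Gbit/s for a single AES-NI process doing AES-256-CBC at 8192-byte blocks, against 1.27 Gbit/s measured for AES256-SHA1 over IPsec, so the AES cipher alone does not account for the gap; re-run the script on fresh openssl and iperf output when comparing a different box or kernel.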
NIC settings
# ethtool eth1
Settings for eth1:
        Supported ports: [ FIBRE ]
        Supported link modes:   10000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: No
        Advertised link modes:  10000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: No
        Speed: 10000Mb/s
        Duplex: Full
        Port: Other
        PHYAD: 0
        Transceiver: external
        Auto-negotiation: off
        Supports Wake-on: umbg
        Wake-on: g
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes

# ethtool -k eth1
Features for eth1:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: on
        tx-checksum-unneeded: off
        tx-checksum-ip-generic: off
        tx-checksum-ipv6: on
        tx-checksum-fcoe-crc: on [fixed]
        tx-checksum-sctp: on [fixed]
scatter-gather: on
        tx-scatter-gather: on
        tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
        tx-tcp-ecn-segmentation: off
        tx-tcp6-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: on
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: on
receive-hashing: on
highdma: on [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: on [fixed]
tx-gre-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
fcoe-mtu: off [fixed]
loopback: off [fixed]