Subject: Re: IPSEC in GENERIC
To: Garrett D'Amore <garrett_damore@tadpole.com>
From: None <jonathan@dsg.stanford.edu>
List: tech-kern
Date: 02/20/2006 11:16:01
In message <E1FBG9e-0006HT-00@smeg.dsg.stanford.edu>,
jonathan@dsg.stanford.edu writes:

>In message <20060220160305.GA19342@panix.com>,
[..]

>There's a simple test to gauge the impact of IPsec, which I think I've
>described privately to Thor and others. Networking researchers have
>used ttcp-over-UDP *receive* rates for decades as a quick,
>rule-of-thumb estimate of the packet-processing ability of a given
>interface/software/machine combination.  One can use this
>ttcp-over-UDP estimate as a quick measure of IPsec overhead:
>
>
>0. Find two suitable machines, connected via a network link
>   with which the machines can, preferably, _just_ keep up.
>
>1. Build two kernels, with and without IPsec enabled,
>   but otherwise identical.
>
>2. Find a machine which can run ttcp -u -t fast enough to fill a wire
>   with UDP traffic.
>
>3a. Boot the non-IPsec kernel on a receiving machine.
>   Run the ttcp -u sender at this machine.
>   Record the processed packet rate reported with ttcp -u -r.
>   (In a well-designed experiment, the receiver will not quite keep
>   up with the offered packet rate).
>
>3b. Boot the IPsec kernel on the same receiving hardware.
>    Repeat the measurement in 3a.  Compare and contrast.

Someone who cares could do a slightly more complicated experiment:
measuring packet rate for:

A.  non-IPsec kernels
B.  IPsec-aware (KAME or FAST_IPsec) kernels with no SAs
C.  IPsec-aware (KAME or FAST_IPsec) kernels with a modest number of SAs.

plus, for the masochistic:

D.  IPsec-aware (KAME or FAST_IPsec) kernels with a modest number of SAs,
    say a few hundred SPD and SADB entries each (if KAME can actually
    handle that many now; it couldn't, until fairly recently).

For most benchmarking purposes, it's A vs. B which is of interest.
In my experience, it's A vs. C which is painful, and A vs. D which is
_really_ painful.

The A vs. B case _should_ be a wash.  (If it isn't, it should be made so).

If configuring IPsec into the kernel, but not configuring any IPsec at
runtime, adds no real penalty over the no-IPsec-configured case, why
not put IPsec into GENERIC?
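The measurement procedure in the quoted steps 0 to 3b, and the A vs. B comparison above it, as an added example that is not part of the original message or of NetBSD: a small POSIX shell harness around ttcp(1). It assumes the classic ttcp summary-line format ("ttcp-r: ... calls/sec = N"), and the two receiver outputs embedded in it are constructed, not measured. The function names (ttcp_calls_per_sec, ipsec_overhead_pct, capture_receive, blast_udp, compare_logs, demo_overhead) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): a harness for the
# ttcp-over-UDP receive-rate comparison of a no-IPsec kernel (A) against an
# otherwise identical IPsec kernel (B).  Assumes the classic ttcp(1) summary
# lines; the SAMPLE_A/SAMPLE_B outputs below are constructed, not measured.

# Processed-datagram rate of the receiver.  ttcp -u -r does one read per UDP
# datagram, so "calls/sec" on the ttcp-r summary line is the packet rate the
# receiving kernel actually kept up with; datagrams it dropped before the
# socket never reach ttcp and are not counted.  Reads ttcp -u -r output on stdin.
ttcp_calls_per_sec() {
    awk '/^ttcp-r:/ && /calls\/sec/ {
            for (i = 1; i <= NF; i++)
                if ($i == "calls/sec") print $(i + 2)
         }'
}

# Percentage drop in receive rate from kernel A to kernel B:
# (A - B) / A * 100, printed with one decimal place.  0.0 means "a wash".
ipsec_overhead_pct() {   # usage: ipsec_overhead_pct RATE_A RATE_B
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.1f\n", (a - b) / a * 100 }'
}

# On the receiving box, booted on the kernel under test: capture one run.
# LABEL names the kernel (e.g. noipsec, ipsec); extra args go to ttcp.
# -s discards the received data instead of writing it anywhere.
capture_receive() {      # usage: capture_receive LABEL [ttcp-args...]
    label=$1; shift
    ttcp -u -r -s "$@" | tee "ttcp-r-$label.log"
}

# On the sending box: fill the wire with UDP datagrams toward the receiver.
# Keep -l (datagram length) and -n (datagram count) identical across runs.
blast_udp() {            # usage: blast_udp RECEIVER_HOST [ttcp-args...]
    host=$1; shift
    ttcp -u -t -s "$@" "$host"
}

# Compare two captured receiver logs and print the overhead of B over A.
compare_logs() {         # usage: compare_logs A.log B.log
    a=$(ttcp_calls_per_sec < "$1")
    b=$(ttcp_calls_per_sec < "$2")
    printf 'A (no IPsec): %s pkt/s\nB (IPsec):    %s pkt/s\noverhead:     %s%%\n' \
        "$a" "$b" "$(ipsec_overhead_pct "$a" "$b")"
}

# Constructed sample receiver summaries (1 KB datagrams, so KB/sec == calls/sec).
SAMPLE_A='ttcp-r: buflen=1024, nbuf=65536, align=16384/0, port=5001  udp
ttcp-r: 67108864 bytes in 39.36 real seconds = 1665.04 KB/sec +++
ttcp-r: 65536 I/O calls, msec/call = 0.60, calls/sec = 1665.04
ttcp-r: 0.2user 3.9sys 0:39real 10% 0i+0d 0maxrss 0+2pf 65535+0csw'
SAMPLE_B='ttcp-r: buflen=1024, nbuf=65536, align=16384/0, port=5001  udp
ttcp-r: 63753216 bytes in 39.36 real seconds = 1581.78 KB/sec +++
ttcp-r: 62259 I/O calls, msec/call = 0.63, calls/sec = 1581.78
ttcp-r: 0.2user 4.4sys 0:39real 11% 0i+0d 0maxrss 0+2pf 62258+0csw'

# Overhead computed from the constructed samples, to exercise the parser.
demo_overhead() {
    a=$(printf '%s\n' "$SAMPLE_A" | ttcp_calls_per_sec)
    b=$(printf '%s\n' "$SAMPLE_B" | ttcp_calls_per_sec)
    ipsec_overhead_pct "$a" "$b"
}

# ./ttcp-ipsec.sh receive noipsec      (on the receiver, kernel A booted)
# ./ttcp-ipsec.sh send RECV -l 1024 -n 65536   (on the sender)
# ... reboot receiver on kernel B, repeat with label ipsec ...
# ./ttcp-ipsec.sh compare ttcp-r-noipsec.log ttcp-r-ipsec.log
case "${1:-}" in
    receive) shift; capture_receive "$@" ;;
    send)    shift; blast_udp "$@" ;;
    compare) shift; compare_logs "$@" ;;
    demo)    demo_overhead ;;
esac
```

Two practical points when using something like this. First, the interesting number is the receiver's rate, not the sender's: the sender's own ttcp-t summary only shows the offered load, and the gap between the sender's and receiver's call counts is the drop count. Second, for the A vs. B check to be meaningful the link has to be one the receiver can only just keep up with, as step 0 says; if the receiver has CPU to spare, both kernels will report the sender's rate and the comparison will look like a wash whether or not it is one.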