[Soekris] VPN throughput on 5501s

der Mouse mouse at Rodents.Montreal.QC.CA
Tue Sep 18 09:09:03 UTC 2007


> I was doing some quick OpenVPN tests on a pair of 5501-70s back to
> back [...]

> FreeBSD does not support the crypto offload.  Has anyone tried
> something similar with OpenBSD or NetBSD ? They both have drivers for
> AES crypto offload.

My experience isn't with the 5501 - if memory serves, it's the 4801 -
but I have tried crypto "accelerator" hardware with OpenVPN on Soekris
under NetBSD.

I put "accelerator" in quotes because I found that, in those tests,
using the crypto hardware (a 1411, I think it was) actually impaired
throughput.  Apparently the penalty of crossing the kernel/user
boundary outweighed the benefit from the crypto hardware.

Of course, my results should not be extended to cases where large
amounts of data are processed at once (thereby amortizing the syscall
penalty over more bytes and giving the crypto hardware more of a chance
to pull ahead), or where the crypto user is actually in-kernel (such as
IPsec).  Also, using the crypto hardware means that the main CPU is
waiting instead of processing; if you have other, CPU-bound, work to do
at the same time, pushing the crypto to specialized hardware may be
worth it even though it makes the crypto take more wall-clock time.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse at rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


More information about the Soekris-tech mailing list