[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

hardware crypto performance



Hi folks... I thought I'd share my performance numbers for hardware
accelerated IPSec with OpenBSD.  The data below was computed with
netperf running on two machines (k6-3/400 and p3/550) with host-to-host
SAs for each supported algorithm/mode.  Hardware acceleration was with
the new hifn7751 driver in -current.

All units in the first two tables are in Mbits/second generated by netperf's
snapshot_script.

TCPS1 - stream TCP test, 4096 byte packets, 57344 byte socket buffers
TCPS2 - stream TCP test, 4096 byte packets, 32768 byte socket buffers
UDPS1 - stream UDP test, 4096 byte packets, 32768 byte socket buffers
UDPS2 - stream UDP test, 1024 byte packets, 32768 byte socket buffers

                     TCPS1  TCPS2  UDPS1  UDPS2
SOFTWARE ONLY      
ah,md5               67.87  68.12  86.93  74.17
ah,sha1              47.79  47.61  71.93  52.39
ah,rmd160            48.76  49.22  68.31  52.59
esp,des              22.96  22.96  27.44  24.52
esp,3des             10.45  10.46  11.39  10.79
esp,md5              65.41  65.41  86.34  70.80
esp,md5/des          19.56  19.61  22.55  20.55
esp,md5/3des          9.73   9.73  10.64  10.05
esp,md5/blf          28.39  28.36  34.86  30.08
esp,md5/cast         28.09  28.10  34.22  29.64
esp,md5/skipjack     16.85  16.84  19.14  17.54
esp,sha1             45.23  45.39  70.61  47.83
esp,sha1/des         17.16  17.19  20.29  17.95
esp,sha1/3des         9.07   9.06  10.07   9.38
esp,sha1/blf         23.61  23.58  29.78  25.14
esp,sha1/cast        22.92  23.01  28.52  24.28
esp,sha1/skipjack    15.07  15.08  17.56  15.80
esp,rmd160           46.93  46.61  68.34  50.25
esp,rmd160/des       16.70  16.74  19.05  17.42
esp,rmd160/3des       8.96   8.98   9.78   9.25
esp,rmd160/blf       22.80  22.82  27.31  24.05
esp,rmd160/cast      22.50  22.54  26.79  23.70
esp,rmd160/skipjack  14.74  14.73  16.72  15.38

HARDWARE ACCELERATED      
ah,md5               64.67  64.83  88.76  65.97
ah,sha1              66.05  66.52  79.82  65.35
esp,des              63.02  63.77  88.06  65.24
esp,3des             62.22  61.98  75.84  60.62
esp,md5              64.85  64.44  89.98  65.24
esp,md5/des          62.12  63.20  89.12  63.34
esp,md5/3des         63.15  62.89  77.16  61.96
esp,sha1             65.78  66.33  79.95  63.89
esp,sha1/des         62.94  63.79  79.83  62.75
esp,sha1/3des        63.12  62.79  77.55  61.64

PERCENT INCREASE   
ah,md5               -4.71  -4.83   2.11 -11.06
ah,sha1              38.21  39.72  10.97  24.74
esp,des             174.48 177.74 220.92 166.07
esp,3des            495.41 492.54 565.85 461.82
esp,md5              -0.86  -1.48   4.22  -7.85
esp,md5/des         217.59 222.28 295.21 208.22
esp,md5/3des        549.02 546.35 625.19 516.52
esp,sha1             45.43  46.13  13.23  33.58
esp,sha1/des        266.78 271.09 293.45 249.58
esp,sha1/3des       595.92 593.05 670.11 557.14

I'm not surprised that there is a performance decrease in MD5.  hifn requires
a large amount of setup in comparision to just doing the MD5 in software, but
I've still got ideas for improving performance, so expect these numbers to
change as we go along.

The OpenBSD split IPSec stack was written by Angelos D. Keromytis with funding
by NetSec (http://www.netsec.net), and the hifn7751 driver was written by me
(a NetSec employee ;).

If you're curious about obtaining a hifn7751 based board, they can be bought
from GTGI (http://www.powercrypt.com) for ~$300USD.

<shameless plug>
NetSec will also be selling a 7751 based board in the near future (artwork is
going to the manufacturer in the next week, so 2-4 weeks after that).  If
you're interested in buying a board from NetSec, let me know... the higher-ups
are trying to get an idea for demand to decide on production quantity.
</shameless plug>