Linux IPsec Performance with a VIA Eden (padlock)

Abstract

In the last article I wrote about the OpenSSL performance for my Via Eden system with the padlock hardware encryption engine. In this article I want to show you some figures I measured for the IPsec performance of this system.

The Machine

The machine comes in a nice black box that looks kind of cool. A big plus is the fanless setup, so no noise will disturb you while playing with the system. After I installed the RAM and a CF disk I could turn it on and install the latest Debian (7.1) in the 64-bit flavour. The installation went smoothly and after the reboot I took a deeper look into /proc/cpuinfo:

Linux detected two cores of a VIA Eden X2 U4200 @ 1.0+ GHz. The command

# lsmod | grep padlock
padlock_sha            13367  2
padlock_aes            13024  2
aes_generic            33026  2 padlock_aes,aes_x86_64

showed that the 3.2.0 kernel had already discovered the padlock hardware encryption engine and loaded the modules to use it. Getting the machine up and running was really easy.

The Setup

I connected my laptop and the Via system with a direct crossover cable on the second interface. The installation of strongSwan also went smoothly. In the file ipsec.conf I set up the encrypted communication between both machines:

conn test
  left=192.168.90.16
  right=192.168.90.17
  authby=secret
  auto=start

The tunnel was created immediately after the start of the service with the AES_CBC_128/HMAC_SHA1_96 algorithm to encrypt the packets.

The Numbers

I used iperf for a quick and dirty first test. I know that this tool is not the most accurate program to measure network throughput, but it works to get an impression of the performance of the system. On my laptop with a quad core i5 I started the server:

# iperf -u -s

and on the Via system I ran the client:

# iperf -u -c 192.168.90.16 -b 500M -P 2 -t 30

I used UDP transport to get the maximum throughput since TCP needs some more overhead. I set the bandwidth to 500 Mbit/s, which is well beyond the capacity of the Via chip, so I could measure the real performance. I also started two processes in parallel to use both cores of the chip. Immediately the processor load shot up to the maximum and both cores were working. After the run the program displayed the following numbers:

------------------------------------------------------------
Client connecting to 192.168.90.16, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size:  224 KByte (default)
------------------------------------------------------------
[  3] local 192.168.90.17 port 38550 connected with 192.168.90.16 port 5001
[  4] local 192.168.90.17 port 36060 connected with 192.168.90.16 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-30.0 sec   645 MBytes   180 Mbits/sec
[  3] Sent 460206 datagrams
[  4]  0.0-30.0 sec   756 MBytes   211 Mbits/sec
[  4] Sent 539450 datagrams
[SUM]  0.0-30.0 sec  1.37 GBytes   392 Mbits/sec

Nearly 400 Mbit/s is quite a good result for such a small and competitive system. On the other hand, a single system does not perform well enough to encrypt a Gbit/s line.
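
As an added example (not part of the original article), the following Python sketch recomputes the rates from the "Sent N datagrams" lines of the iperf report above and works out how large one 1470-byte datagram becomes after ESP encapsulation with AES_CBC_128/HMAC_SHA1_96. It assumes tunnel mode (strongSwan's default when a conn sets no type=), IPv4 without options and a 1500-byte link MTU; all function and constant names are hypothetical.

```python
import re

# iperf client report lines copied from the run above.
IPERF_REPORT = """\
[  3]  0.0-30.0 sec   645 MBytes   180 Mbits/sec
[  3] Sent 460206 datagrams
[  4]  0.0-30.0 sec   756 MBytes   211 Mbits/sec
[  4] Sent 539450 datagrams
"""

DATAGRAM = 1470          # iperf UDP payload size from the report
DURATION = 30.0          # seconds (-t 30)
IP_HDR, UDP_HDR = 20, 8  # assumption: IPv4 without options, plus UDP
ESP_HDR = 8              # SPI + sequence number
AES_CBC_IV = 16          # AES-CBC IV, also the cipher block size
ICV = 12                 # HMAC_SHA1_96 truncates the tag to 96 bits
LINK_MTU = 1500          # assumption: default Ethernet MTU on the direct link


def sent_datagrams(report):
    """Sum the 'Sent N datagrams' lines of all client threads."""
    return sum(int(n) for n in re.findall(r"Sent (\d+) datagrams", report))


def esp_tunnel_size(udp_payload):
    """IPv4 size of one datagram after ESP tunnel-mode encapsulation,
    before any fragmentation (assumption: tunnel mode)."""
    inner = IP_HDR + UDP_HDR + udp_payload
    # Inner packet + pad-length byte + next-header byte, padded to a block.
    padded = -(-(inner + 2) // AES_CBC_IV) * AES_CBC_IV
    return IP_HDR + ESP_HDR + AES_CBC_IV + padded + ICV


def summarize(report):
    """Derive packet rate, payload rate and ESP packet size from the report."""
    n = sent_datagrams(report)
    wire = esp_tunnel_size(DATAGRAM)
    return {
        "datagrams_per_sec": n / DURATION,
        "payload_mbit_per_sec": n * DATAGRAM * 8 / DURATION / 1e6,
        "esp_packet_bytes": wire,
        "esp_overhead_bytes": wire - (IP_HDR + UDP_HDR + DATAGRAM),
        "fits_link_mtu": wire <= LINK_MTU,
    }


if __name__ == "__main__":
    for key, value in summarize(IPERF_REPORT).items():
        print(f"{key}: {value}")
```

Under these assumptions each 1470-byte datagram turns into a 1560-byte ESP packet, which no longer fits a 1500-byte MTU, so the measured rate includes the cost of fragmentation. A smaller iperf datagram size (option -l), for example 1400 bytes, keeps the encapsulated packet below the MTU.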

If you have any further questions, please mail me at ms@sys4.de

Michael Schwartzkopff, 21. September 2013