[AusNOG] Anyone know of VPN's being bandwidth managed (throttled)

Peter Tiggerdine ptiggerdine at gmail.com
Sun Jan 8 12:50:21 EST 2017


I would think most people are using CPU software encryption these
days. How many firewalls come with crypto cards out of the box?

However, 1/3 of the bandwidth sounds like lots of RSTs or drops to the
flow as TCP tries to scale (which in turn makes the UDP packet bigger).

I have to admit this is where LRO and LSO make it harder to troubleshoot.


Regards,

Peter Tiggerdine

GPG Fingerprint: 2A3F EA19 F6C2 93C1 411D 5AB2 D5A8 E8A8 0E74 6127


On Sun, Jan 8, 2017 at 11:36 AM, Mark Smith <markzzzsmith at gmail.com> wrote:
> On 6 January 2017 at 13:38, Peter Tiggerdine <ptiggerdine at gmail.com> wrote:
>> My experience is that PMTUD isn't configured correctly (or not
>> allowed to pass along the path). Also endpoint CPU: encrypting and
>> decrypting is heavy on CPU (assuming you have no offload engine).
>
>
> You might be surprised how much encryption throughput you get these
> days when encrypting/decrypting in software on a CPU.
>
> On platforms that run openssl, you can measure crypto throughput for
> various algorithms using 'openssl speed'.
>
> I've found that CPU software crypto under Linux on a 2009 era Intel
> Q6600 is fast enough that I can encrypt the filesystems on that
> machine and not notice the performance impact. Measuring using
> 'cryptsetup benchmark' shows worst case throughput of 105.1 MiB/s for
> aes-xts, which is what Fedora uses for filesystem crypto. My HDDs (WD
> 2TB Blacks) do 123.58 MB/sec according to 'hdparm -t', so I am
> sacrificing some HDD performance but it isn't noticeable.
>
> I wonder how many people are aware that modern Intel and AMD CPUs have
> hardware AES crypto engines in them (known as 'AES NI' instructions)?
> My 2013 Dell XPS laptop with an Intel Core i5 in it, using 'cryptsetup
> benchmark', does worst case 1040 MiB/s aes-xts encryption/1060.1 MiB/s
> decryption, which is more than twice the 426.53 MB/s the SSD can do
> (and around 10 times what my Q6600 does in software), so filesystem
> crypto is not going to be the IO bottleneck.
>
> Using simple 8 bits per byte maths, that means my 2013 laptop could do
> more than 8 Gbps of CPU crypto engine throughput. So if the CPU's AES
> engine is used for VPN crypto, most people aren't going to have any
> crypto throughput problems with a VPN (Peter Löthberg's grandma being
> a possible exception).
>
> (I encrypt all my filesystems these days, not because I'm paranoid and
> think the government is out to get me, but because it is easier to
> know that if any one of my computers is stolen, they've stolen my
> hardware but not my data.)
>
> Regards,
> Mark.
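As an added example (not code from anyone in this thread), the following Python script parses an `openssl speed` summary table, converts the figures to Gbps with the same 8-bits-per-byte arithmetic Mark uses, and keeps `cryptsetup benchmark` MiB/s and `hdparm` MB/s apart. The table contents and the 1 Gbps link rate are constructed assumptions, not real measurements.

```python
"""Sizing CPU crypto throughput against a link from 'openssl speed' and
'cryptsetup benchmark' style figures.  'openssl speed' prints 1000s of
bytes per second ('k' suffix), cryptsetup prints MiB/s (2**20 bytes) and
hdparm prints MB/s (10**6 bytes); mixing the units is a common mistake."""
import re

# CONSTRUCTED sample of the summary table 'openssl speed -evp ...' prints.
SAMPLE_OPENSSL_SPEED = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm     597580.16k  1448118.80k  2655004.33k  3415551.32k  3692710.57k  3727960.75k
aes-256-cbc     420000.00k   900000.00k  1100000.00k  1150000.00k  1160000.00k  1161000.00k
"""

MIB = 1024 ** 2   # unit used by 'cryptsetup benchmark'
MB = 10 ** 6      # unit used by 'hdparm -t'


def parse_openssl_speed(text):
    """Return {cipher: {block_size_bytes: bytes_per_second}} from the table."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = next(ln for ln in lines if ln.startswith("type"))
    sizes = [int(s) for s in re.findall(r"(\d+) bytes", header)]
    result = {}
    for ln in lines[lines.index(header) + 1:]:
        cols = ln.split()
        if len(cols) != len(sizes) + 1:
            continue                      # not a data row of this table
        rates = [float(c.rstrip("k")) * 1000 for c in cols[1:]]  # 'k' = 1000 B/s
        result[cols[0]] = dict(zip(sizes, rates))
    return result


def bytes_per_sec_to_gbps(bps):
    """'Simple 8 bits per byte maths': bytes/s -> gigabits/s (10**9 bits)."""
    return bps * 8 / 1e9


def mib_per_sec_to_mb_per_sec(mib_s):
    """cryptsetup MiB/s -> hdparm-style MB/s so the two can be compared."""
    return mib_s * MIB / MB


def headroom(cipher_bps, link_gbps):
    """Ratio of bulk crypto rate to link rate; below 1.0 the CPU is the cap.
    Bulk figures ignore per-packet overhead, so real VPN headroom is lower."""
    return bytes_per_sec_to_gbps(cipher_bps) / link_gbps


if __name__ == "__main__":
    table = parse_openssl_speed(SAMPLE_OPENSSL_SPEED)
    gcm_1k = table["aes-128-gcm"][1024]   # 1024-byte blocks, near a typical MTU
    print(f"aes-128-gcm: {headroom(gcm_1k, 1.0):.1f}x an assumed 1 Gbps link")
    print(f"1040 MiB/s aes-xts = {bytes_per_sec_to_gbps(1040 * MIB):.2f} Gbps")
```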
