Single IPsec Tunnel – How to get Higher Bandwidth

In a previous blog post, my colleague Jes Nielsen explained how to protect your network traffic during uncertain times. He mentioned using IPsec as a network protocol to secure existing traffic and highlighted the need for high performance. In this blog post, we will focus on the usage of a single IPsec tunnel and the challenge of getting higher bandwidth out of it.

If you have ever analyzed a network appliance datasheet, you will recognize the very high throughputs quoted for each network processing function, such as IP forwarding, firewalling or IPsec VPN tunnels. As any engineer will keep telling you, the devil is in the details. If you take the example of IPsec VPNs, there is a well-known limitation with general-purpose CPUs where the performance of a single IPsec tunnel is limited and does not scale, no matter the number of CPU cores you try to use. It is sometimes called the “big fat pipe” syndrome. However, such details do not typically appear on datasheets, where performance is based on the aggregated throughput of multiple IPsec tunnels. This issue typically affects site-to-site use-cases where a single IPsec tunnel connects both sites.

In order to explain the single IPsec tunnel performance limitation, we have to introduce the load balancing mechanism of Ethernet NICs, which is handled by an algorithm called RSS (Receive Side Scaling). This load balancing mechanism leverages reception queues that a user can tie to a CPU core. It makes it possible to use multiple cores to poll multiple queues of the same NIC. The default load balancing of RSS consists of computing a hash based on the 5-tuple of incoming packets and then distributing them to different reception queues.

As you can imagine, the 5-tuple of encrypted packets is based on the outer tunnel information of the IPsec tunnel. This information does not change for a given single IPsec tunnel, which leads the RSS algorithm to send all encrypted packets to the same reception queue, so they are all processed by the same CPU core. This means that regardless of the number of different payloads we encapsulate within an IPsec tunnel, the decrypt operation will always be processed by one CPU core and any other core available in the system will run idle (cf.
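The effect described above, as an added example that is not part of the original post: a Toeplitz RSS hash over addresses and ports, applied to 64 cleartext flows and then to the same flows once they are encapsulated in a single tunnel. The sample key, the gateway and host addresses, the UDP-encapsulated (NAT-T, port 4500) outer header, the 4 queues and the 128-entry indirection table are assumptions made for illustration.

```python
import socket
import struct
from collections import Counter

# Sample Toeplitz key: the verification key published in Microsoft's RSS
# documentation. Real drivers often generate a random key instead.
RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b477cb2da38030f20c"
    "6a42b73bbeac01fa")

GW_A, GW_B = "192.0.2.1", "198.51.100.1"   # constructed tunnel endpoints
# Constructed inner traffic: 64 client flows that differ only in source port.
INNER_FLOWS = [("10.0.0.5", "10.1.0.10", 40000 + i, 443) for i in range(64)]

def toeplitz(data: bytes, key: bytes = RSS_KEY) -> int:
    """For every set input bit, XOR in the 32-bit key window starting there."""
    key_int, key_bits, result = int.from_bytes(key, "big"), len(key) * 8, 0
    for i in range(len(data) * 8):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result

def rss_queue(src, dst, sport, dport, n_queues=4):
    """Hash addresses and ports, then index a round-robin indirection table."""
    data = (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!HH", sport, dport))
    return (toeplitz(data) & 0x7F) % n_queues

def esp_outer(inner_flow):
    """Header fields the receiving NIC can hash once the flow is encrypted:
    only the tunnel endpoints, whatever the inner flow was."""
    return (GW_A, GW_B, 4500, 4500)

def distribution(flows, n_queues=4):
    """Number of flows landing on each reception queue."""
    return Counter(rss_queue(*flow, n_queues) for flow in flows)

if __name__ == "__main__":
    print("cleartext flows  :", dict(distribution(INNER_FLOWS)))
    print("inside one tunnel:", dict(distribution(map(esp_outer, INNER_FLOWS))))
```

The cleartext flows spread over several queues, while every encapsulated packet maps to one queue and therefore to one core.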