Changes between Version 10 and Version 11 of Gigabit_Networks_Linux


Ignore:
Timestamp:
05/02/11 13:09:09 (13 years ago)
Author:
JJK
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • Gigabit_Networks_Linux

    v10 v11  
    44== Network setup ==
    55For this setup several machines were used, all connected to gigabit switches:
    6  * two servers running CentOS 5.5 64bit, with an Intel E5440 CPU running @ 2.83GHz; the L2 cache size is 6 MB.
    7  * a server running CentOS 5.5 64bit, with an Intel X5660 CPU running @ 2.80GHz; the L2 cache size is 12 MB. This CPU has support for the AES-NI instructions.
     6 * two servers running CentOS 5.5 64bit, with an Intel Xeon E5440 CPU running @ 2.83GHz; the L2 cache size is 6 MB.
     7 * a server running CentOS 5.5 64bit, with an Intel Xeon X5660 CPU running @ 2.80GHz; the L2 cache size is 12 MB. This CPU has support for the AES-NI instructions.
    88 * a laptop running Fedora 14 64bit, with an Intel i5-560M CPU running @ 2.66GHz; the L2 cache size is 3 MB. This CPU also has support for the AES-NI instructions.
    99
     
    7575Testing was done similar to the previous tweak
    7676{{{
    77   openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.11 192.168.222.10
     77  ./openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.11 192.168.222.10
    7878    --tun-mtu 6000 --fragment 0 --mssfix 0 --cipher aes-256-cbc
    7979}}}
    8080and client
    8181{{{
    82   openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.10 192.168.222.11 --remote server
     82  ./openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.10 192.168.222.11 --remote server
    8383    --tun-mtu 6000 --fragment 0 --mssfix 0  --cipher aes-256-cbc
    8484}}}
     
    101101
    102102=== Explanation ===
     103The AES-NI patch for the OpenSSL 1.0 libraries not only increases performance for AES-NI capable CPUs but also for older CPUs. This can also be seen when running
     104{{{
     105  openssl speed -evp aes-256-cbc
     106}}}
    103107
    104 By increasing the MTU size of the tun adapter '''and''' by disabling OpenVPN's internal fragmentation routines the throughput can be increased quite dramatically. The reason behind this is that by feeding larger packets to the OpenSSL encryption and decryption routines the performance will go up. The second advantage of not internally fragmenting packets is that this is left to the operating system and to the kernel network device drivers. For a LAN-based setup this can work, but when handling various types of remote users (road warriors, cable modem users, etc) this is not always a possibility.
     108== Using OpenSSL 1.0.0 with AES-NI capable hardware ==
     109The real performance gain is expected from the AES-NI capable hardware, such as the Intel Xeon X5660 i5-560M CPUs.
     110Using the exact same setup as above, but now using
     111{{{
     112  engine aesni
     113}}}
     114and by using
     115{{{
     116  ./openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.11 192.168.222.10
     117    --tun-mtu 9000 --fragment 0 --mssfix 0 --cipher aes-256-cbc --engine aesni
     118}}}
     119for the server and
     120{{{
     121  ./openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.10 192.168.222.11 --remote server
     122    --tun-mtu 9000 --fragment 0 --mssfix 0  --cipher aes-256-cbc --engine aesni
     123}}}
     124for the client we obtain the following results:
     125||              || AES128 || AES256 ||
     126||X5660  -> i5-560 || 885 || 878 ||
     127||i5-560 -> X5660  || 748 || 543 ||
    105128
     129(Please note that for all measurement a standard deviation of ~5% applies)
    106130
     131Some initial conclusions:
     132 * the AES-NI capable server CPU clearly shows a huge performance gain: it is nearly capable of saturating the gigabit network.
     133 * it was not possible to run this test with a more capable client CPU. The i5-560M is not capable of keeping up with the X5660, as can be seen from the performance difference between encryption an decryption. In the first entry in the table above the X5660 encrypted all traffic, and the i5-560M decrypted it. The second entry shows the results for the reverse.
     134
     135== For reference: using no encryption ==
     136For reference, the above test was also run with encryption and signing disabled:
     137{{{
     138  openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.11 192.168.222.10
     139    --tun-mtu 9000 --fragment 0 --mssfix 0 --cipher none --auth none
     140}}}
     141and client
     142{{{
     143  openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.10 192.168.222.11 --remote server
     144    --tun-mtu 9000 --fragment 0 --mssfix 0  --cipher none --auth none
     145}}}
     146Now an '''iperf''' result of '''930 Mbps''' is obtained, which shows that performance is not so much limited by the division between kernel-space and user-space processes, but mostly by the encryption and decryption routines as found in the OpenSSL libraries.
     147
     148== 10 Gigabit networks ==
     149The "plaintext" test (i.e. encryption and signing disabled) was repeated on two machines connected to a 10 Gbps switch.
     150
     151Again, all results were obtained using 'iperf'.
     152
     153||         || speed ||
     154||"raw"    || 8.8 Gbps ||
     155||via tun  || 1.3 Gbps ||
     156
     157This shows the limits of the kernel-space/user-space division that is present in Linux. The performance of OpenVPN over this network
     158