Changes between Version 19 and Version 20 of Gigabit_Networks_Linux
Timestamp: 06/27/11 15:24:14 (13 years ago)
Gigabit_Networks_Linux
v19 v20 20 20 21 21 == Standard setup == 22 The default OpenVPN for CentOS 5 currently is 2.1.4; the system OpenSSL version is 0.9. 7e.22 The default OpenVPN for CentOS 5 currently is 2.1.4; the system OpenSSL version is 0.9.8e-fips. 23 23 24 24 Using a very plain shared secret key setup for both server (listener) … … 72 72 73 73 == Using OpenSSL 1.0.0 with AES-NI patch == 74 The second tweak made was to relink OpenVPN 2.1.4 using the OpenSSL 1.0.0a libraries with the Intel AES-NI patch applied. This patch is included by default in Fedora 12 and higher. The advantage of this patch is that even for CPUs that do not support the native AES-NI instructions the performance of the AES ciphers goes up by a factor of 2. 74 The second tweak made was to relink OpenVPN 2.1.4 using the OpenSSL 1.0.0a libraries with the Intel AES-NI patch applied. This patch is included by default in Fedora 12 and higher. 75 76 Previously it was reported that the Intel AES-NI patch caused the performance on non-AES-NI capable hardware to improve by a factor of 2. Closer investigation showed that the system OpenSSL library 0.9.8e-fips is actually at fault: after recompiling OpenSSL from source, with or without the Intel AES-NI patch, the performance also doubled. The Fedora 12 version of OpenSSL, 1.0.0-fips, and higher do not show this performance penalty. 75 77 76 78 Testing was done similar to the previous tweak … … 97 99 (Please note that for all measurement a standard deviation of ~5% applies) 98 100 99 For the default Blowfish cipher the optimal value for the 'tun-mtu' parameters for a link between these two servers now seems to be '''36000''' bytes, although the difference for higher MTU sizes is minimal. Also note that the performance numbers are nearly identical to those generated using the system OpenSSL 0.9. 
7elibrary.101 For the default Blowfish cipher the optimal value for the 'tun-mtu' parameters for a link between these two servers now seems to be '''36000''' bytes, although the difference for higher MTU sizes is minimal. Also note that the performance numbers are nearly identical to those generated using the system OpenSSL 0.9.8e-fips library. 100 102 101 103 When using the AES-256 cipher there is huge performance gain. The optimal MTU value now is '''48000''' bytes, but overall performance increased by a factor of 2 for nearly all MTU sizes.
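Review bot: In the "Standard setup" hunk (line 22), the corrected sentence still says "currently" without a date or a CentOS 5 minor release, so the OpenVPN 2.1.4 and OpenSSL 0.9.8e-fips versions will go stale without any signal to the reader. Suggest stating the release or date the measurements were taken on, so that the performance numbers further down can be tied to a specific library build.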
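Review bot: The paragraph added at line 76 does not say which OpenSSL version was recompiled from source or with which build options, so a reader cannot tell whether the penalty comes from the 0.9.8e code itself, from the FIPS build, or from how the system package was compiled. Suggest naming the recompiled version and its configure options, and saying which cipher "the performance" refers to, since line 101 describes the Blowfish numbers as nearly identical to those of the system library. The opening "Previously it was reported that" is page history and could be dropped in favour of stating the current finding directly.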
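Review bot: In the last hunk, the unchanged AES-256 sentence at line 103 still reads as if the factor-of-2 gain comes from the AES-NI patch, which no longer matches the paragraph added at line 76 attributing the doubling to replacing the system OpenSSL 0.9.8e-fips library. Suggest qualifying that sentence to say the gain is relative to the system library and is also seen without the patch, and stating whether the two test servers support the native AES-NI instructions, so the 48000-byte MTU result can be interpreted correctly.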