Changes between Version 19 and Version 20 of Gigabit_Networks_Linux


Ignore:
Timestamp:
06/27/11 15:24:14 (13 years ago)
Author:
JJK
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • Gigabit_Networks_Linux

    v19 v20  
    2020
    2121== Standard setup ==
    22 The default OpenVPN for CentOS 5 currently is 2.1.4; the system OpenSSL version is 0.9.7e.
     22The default OpenVPN for CentOS 5 currently is 2.1.4; the system OpenSSL version is 0.9.8e-fips.
    2323
    2424Using a very plain shared secret key setup for both server (listener)
     
    7272
    7373== Using OpenSSL 1.0.0 with AES-NI patch ==
    74 The second tweak made was to relink OpenVPN 2.1.4 using the OpenSSL 1.0.0a libraries with the Intel AES-NI patch applied. This patch is included by default in Fedora 12 and higher. The advantage of this patch is that even for CPUs that do not support the native AES-NI instructions the performance of the AES ciphers goes up by a factor of 2.
     74The second tweak made was to relink OpenVPN 2.1.4 using the OpenSSL 1.0.0a libraries with the Intel AES-NI patch applied. This patch is included by default in Fedora 12 and higher.
     75
     76Previously it was reported that the Intel AES-NI patch caused the performance on non-AES-NI capable hardware to improve by a factor of 2. Closer investigation showed that the system OpenSSL library 0.9.8e-fips is actually at fault: after recompiling OpenSSL from source, with or without the Intel AES-NI patch, the performance also doubled. The Fedora 12 version of OpenSSL, 1.0.0-fips, and higher do not show this performance penalty.
    7577
    7678Testing was done similar to the previous tweak
     
    9799(Please note that for all measurement a standard deviation of ~5% applies)
    98100
    99 For the default Blowfish cipher the optimal value for the 'tun-mtu' parameters for a link between these two servers now seems to be '''36000''' bytes, although the difference for higher MTU sizes is minimal. Also note that the performance numbers are nearly identical to those generated using the system OpenSSL 0.9.7e library.
     101For the default Blowfish cipher the optimal value for the 'tun-mtu' parameters for a link between these two servers now seems to be '''36000''' bytes, although the difference for higher MTU sizes is minimal. Also note that the performance numbers are nearly identical to those generated using the system OpenSSL 0.9.8e-fips library.
    100102
    101103When using the AES-256 cipher there is huge performance gain. The optimal MTU value now is '''48000''' bytes, but overall performance increased by a factor of 2 for nearly all MTU sizes.