[ovs-discuss] IPSec + openvswitch poor performance

Maciej Gałkiewicz maciejgalkiewicz at ragnarson.com
Fri Oct 15 12:00:29 UTC 2010


I have two machines with Debian squeeze (kernel 2.6.32-5-amd64) connected
via openvswitch (Ethernet over GRE) on top of IPSec transport mode
(openswan) with 3des encryption.

|m1|-eth0------------------|cloud|------------------eth0-|m2|
   |                                                     |
   |--gre0----------------IPSec + GRE---------------gre0-|
                       192.168.1.0/24

Both eth0 interfaces are 100Mbit Ethernet.

I have made some tests with the scp and iperf tools:
1. Connection without IPSec via eth0

#time scp file m2:
file                 100%  271MB  11.3MB/s   00:24

real    0m27.425s
user    0m3.052s
sys     0m0.392s

# iperf -c m2 -p 6666
------------------------------------------------------------
Client connecting to m2, TCP port 6666
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  3] local m1 port 51003 connected with m2 port 6666
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec    112 MBytes  94.0 Mbits/sec

2. Connection without IPSec via GRE tunnel

#time scp file m2:
file                 100%  271MB  10.1MB/s   00:27

real    0m34.369s
user    0m3.032s
sys     0m0.460s

# iperf -c m2 -p 6666
------------------------------------------------------------
Client connecting to m2, TCP port 6666
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  3] local m1 port 51003 connected with m2 port 6666
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec    109 MBytes  91.1 Mbits/sec

3. Connection with IPSec via eth0

#time scp file m2:
file                 100%  271MB  10.9MB/s   00:25

real    0m28.075s
user    0m3.064s
sys     0m1.952s

# iperf -c m2 -p 6666
------------------------------------------------------------
Client connecting to m2, TCP port 6666
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  3] local m1 port 51003 connected with m2 port 6666
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec    109 MBytes  91.6 Mbits/sec


4. Connection with IPSec via GRE tunnel

#time scp file m2:
file                 9%   27MB 452.4KB/s   09:13 ETA^C

real    1m1.899s
user    0m0.352s
sys     0m56.400s

# iperf -c m2 -p 6666 -i 10 -t 60
------------------------------------------------------------
Client connecting to m2, TCP port 6666
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  3] local m1 port 37725 connected with m2 port 6666
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  10.4 MBytes  8.71 Mbits/sec
[  3] 10.0-20.0 sec  8.54 MBytes  7.16 Mbits/sec
[  3] 20.0-30.0 sec  7.47 MBytes  6.27 Mbits/sec
[  3] 30.0-40.0 sec  6.75 MBytes  5.66 Mbits/sec
[  3] 40.0-50.0 sec  6.20 MBytes  5.20 Mbits/sec
[  3] 50.0-60.0 sec  5.75 MBytes  4.82 Mbits/sec
[  3]  0.0-60.0 sec  45.1 MBytes  6.30 Mbits/sec

What is wrong with the 4th test? Why is the connection so slow? Both tools use
100% CPU time only during this trial. My servers have i7-920 (2.67GHz). I
have also tried with Linux GRE tunnels (ip_gre). The results were the same.
The last idea which came to my mind was openvpn. I set up openvpn in bridge
mode, also on top of IPSec. The results were only a little worse than the
third trial. Any suggestions?

best regards
Maciej Galkiewicz