[ovs-discuss] Is it possible to protect CAPWAP tunnel through IPSec?

Jesse Gross jesse at nicira.com
Thu May 5 18:45:06 UTC 2011

On Thu, May 5, 2011 at 11:21 AM, Rajesh Kumar G <crimsonbloat at gmail.com> wrote:
> Hi Jesse,
> I was trying to see if the performance degrade that is observed with
> GRE+IPSec as mentioned in this mail thread
> http://www.mail-archive.com/discuss@openvswitch.org/msg00915.html
> can be overcome by trying CAPWAP tunnel instead. Is there any fix for the
> GRE+IPSec performance degrade yet? I observed the degrade in
> openvswitch-1.1.0 released code also.

IPsec is the expensive operation here, not the tunneling.  You won't
see any substantial difference between GRE and CAPWAP.

This has more to do with the Linux kernel than OVS.  We have seen some
improved results with 2.6.38.

In addition, your choice of processor and cipher can make a large
difference.  The newest generation of Intel processors have support
for AES instructions and the triple DES cipher that you have chosen is
extremely slow.

More information about the discuss mailing list