Hey,
I posted this to the openswan-users list, and I'm reiterating it here.
On popular request I did some throughput tests using a Linksys WRT54G broadband router as ipsec endpoint.
0) General
The tests are performed with iperf for throughput, and cyclesoak on the WRT54G for CPU load. Cyclesoak is recalibrated for each new algorithm, but not between tests.
- Each test is peformed five times.
- For the CPU load, 11 data points are taken (1/second, for 10 seconds). For the CPU load the average is taken over 9 of these (the minimum and maximum values are taken out).
- The throughput yields one (total) value per test.
To get to the totals the 5 data points for CPU load and throughput are averaged over 3 measurements. As before, the minimum and maximum values are taken out.
1) Test results
1.1) Switching (same subnet)
Network layout:
eth0/10.164.10.200 --- (br0/10.164.10.1) --- eth0/10.164.10.100
iperf -s --- ( cyclesoak ) --- iperf -N -c 10.164.10.200
Average CPU load: N/A %
Average throughput: 93.8 Mbit/s
1.2) Routing (different subnets)
Network layout:
eth0/192.168.1.200 --- (br0:1/192.168.1.1 X br0/10.164.10.1) --- eth0/10.164.10.100
iperf -s --- ( cyclesoak ) --- iperf -N -c 192.168.1.200
1.2.1) Without IPsec
Average CPU load: 52.9 %
Average throughput: 26.1 Mbit/s
1.2.2) With IPsec
The ipsec tunnel is between 192.168.1.200 (left) and 10.164.10.1 (right), with 10.164.10.0/24 as rightsubnet. Measurements are preformed on 10.164.10.100 as client, with 192.168.1.200 as server, having the Linksys device in the middle as router.
Base configs:
left:
CPU: 2x500MHz Intel Celeron
Kernel: 2.6.7 SMP
Openswan: Openswan-2 HEAD userspace (CVS, 27-06-2004)
Memory: 768MB
ipsec.conf:
conn test
left=%defaultroute
right=10.164.10.1
rightsubnet=10.164.10.0/24
authby=secret
auto=ignore
right:
CPU: 200MHz Broadcom BCM3302 V0.7
Kernel: 2.4.20
Openswan: Openswan-2.2.0dr1 ipsec.o module, Openswan-2 HEAD userspace.
Memory: 14MB :-)
ipsec.conf:
conn test
left=192.168.1.200
right=10.164.10.1
rightsubnet=10.164.10.0/24
authby=secret
auto=ignore
1.2.2.1) Test results IPsec (3Des)
Added esp=aes to the ipsec.conf snippets above on both sides.
Average CPU load: 83.5 %
Average throughput: 1.51 Mbit/s
1.2.2.2) Test results IPsec (AES)
Added esp=aes to the ipsec.conf snippets above on both sides.
Average CPU load: 82.9 %
Average throughput: 2.65 Mbit/s
2) Discussion
I didn't have the chance to test IPsec with NULL encryption as the openswan KLIPS module I used on the WRT54G didn't seem to support this mode. Shame, but when I get a chance I will rerun these tests, but with NULL taken into the results too.
I think the general conclusion can be drawn that indeed AES is better to use for IPsec on resource starved devices. I don't think that comes as a
surprise to anyone :-) I am amazed by the large amount of load which simple routing puts on the CPU though, especially as simple switching didn't have any measurable effect on the CPU load (I guess that's done purely in hardware). Imagine how much throughput you'd be able to get when that area is optimized. Admittedly though, I didn't disable the
iptables ruleset when I preformed these tests. Maybe I should have. When I rerun the tests with NULL encryption for IPsec, I'll be sure to also
not have any netfilter in the way too. If in the meantime anyone has any suggestions on better tests or test methods, please let me know, and I'll take your suggestions into account on the next test run.
PS: I don't know how the layout of this piece will come over in your mail client, and the ascii art might not look that good either. Use your imagination :-)