Subject: kern/22577: Horrible IPsec AH Transport performance on 1.6 branch
To: None <gnats-bugs@gnats.netbsd.org>
From: None <tls@netbsd.org>
List: netbsd-bugs
Date: 08/23/2003 05:17:27
>Number: 22577
>Category: kern
>Synopsis: AH between 1.6-branch hosts gets about 60Kbit/sec maximum
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Aug 23 05:18:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Thor Lancelot Simon
>Release: NetBSD 1.6.1_STABLE as of 2003-07-29 as source; NetBSD 1.6.1_RC2 as of 2003-03-11 as sink
>Organization:
The NetBSD Foundation
>Environment:
System: NetBSD not-yet-cvs.netbsd.org 1.6.1_STABLE NetBSD 1.6.1_STABLE (NBCVS) #1: Tue Jul 29 02:23:13 UTC 2003 root@not-yet-cvs.netbsd.org:/usr/src/sys/arch/i386/compile/NBCVS i386
Architecture: i386
Machine: i386
>Description:
With transport mode AH negotiated between the two hosts described
above, ttcp consistently shows well under 10Kbit/sec on a local
100Mbit/sec link. This is *not* during the IKE negotiation, but rather
after it has completed.
Both network interfaces in question support hardware checksum offload, but
results are the same whether it is turned on or off.
The 204.152.184.161 (sink) host has IPF in its kernel but the results are
the same whether it is turned on or off. The 204.152.184.161 host has
multiple addresses on its primary network interface; results are the same
no matter which is used.
Setkey output from the source end (204.152.184.213):
# /sbin/setkey -D
204.152.185.213 204.152.185.216
        ah mode=transport spi=14393734(0x00dba186) reqid=0(0x00000000)
        A: hmac-md5 6c69e6e6 09c160bd 1a6f91e9 38657a4b
        seq=0x000002d8 replay=4 flags=0x00000000 state=mature
        created: Aug 23 04:59:52 2003 current: Aug 23 05:08:43 2003
        diff: 531(s) hard: 43200(s) soft: 34560(s)
        last: Aug 23 05:03:25 2003 hard: 0(s) soft: 0(s)
        current: 1062178(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 728 hard: 0 soft: 0
        sadb_seq=1 pid=15411 refcnt=2
204.152.185.216 204.152.185.213
        ah mode=transport spi=234218055(0x0df5e247) reqid=0(0x00000000)
        A: hmac-md5 9576f901 e5a743a7 ab24599c 12bcc259
        seq=0x00000230 replay=4 flags=0x00000000 state=mature
        created: Aug 23 04:59:52 2003 current: Aug 23 05:08:43 2003
        diff: 531(s) hard: 43200(s) soft: 34560(s)
        last: Aug 23 05:03:25 2003 hard: 0(s) soft: 0(s)
        current: 29120(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 560 hard: 0 soft: 0
        sadb_seq=0 pid=15411 refcnt=1
# /sbin/setkey -D -P
204.152.185.216[9000] 0.0.0.0/0[any] any
        in ipsec
        ah/transport//require
        created: Aug 23 04:59:16 2003 lastused: Aug 23 04:58:29 2003
        lifetime: 0(s) validtime: 0(s)
        spid=13 seq=3 pid=15412
        refcnt=1
204.152.184.161[9000] 0.0.0.0/0[any] any
        in ipsec
        ah/transport//require
        created: Aug 23 04:59:16 2003 lastused: Aug 23 04:59:16 2003
        lifetime: 0(s) validtime: 0(s)
        spid=15 seq=2 pid=15412
        refcnt=1
0.0.0.0/0[any] 204.152.185.216[9000] any
        out ipsec
        ah/transport//require
        created: Aug 23 04:59:16 2003 lastused: Aug 23 04:58:29 2003
        lifetime: 0(s) validtime: 0(s)
        spid=14 seq=1 pid=15412
        refcnt=1
0.0.0.0/0[any] 204.152.184.161[9000] any
        out ipsec
        ah/transport//require
        created: Aug 23 04:59:16 2003 lastused: Aug 23 04:59:16 2003
        lifetime: 0(s) validtime: 0(s)
        spid=16 seq=0 pid=15412
        refcnt=1
ttcp output from the same host, taken *well after* the IKE negotiation
completed:
# ttcp -n 25 -t -s -f m -p 9000 anoncvs.isc.netbsd.org
ttcp-t: buflen=8192, nbuf=25, align=16384/0, port=9000 tcp -> anoncvs.isc.netbsd.org
ttcp-t: socket
ttcp-t: connect
ttcp-t: 204800 bytes in 28.71 real seconds = 0.05 Mbit/sec +++
ttcp-t: 25 I/O calls, msec/call = 1175.77, calls/sec = 0.87
ttcp-t: 0.0user 0.0sys 0:28real 0% 0i+0d 0maxrss 0+2pf 74+0csw
ttcp and setkey output from the sink host are essentially the same (with the
appropriate addresses reversed).
>How-To-Repeat:
Set up AH mode ESP between two 1.6-branch hosts; note that performance is
horrible.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: