Hardware for IPSec at 1 GBit/s

  • Hi,

    I'm looking for hardware that will be able to provide IPSec tunnels with speeds up to 1 GBit/s.

    I've been googling a bit, and only came up with this http://www.mail-archive.com/support@pfsense.com/msg05536.html

    I have been able to pass 400Mb (TCP @ 16KB packets) on a GigE interface on a 2.4Ghz P4 with 1GB RAM.  I believe that with a $6000 Dual Xeon, I will achieve 2 Gb/s but have not had time to get back in the lab.

    I've been looking at a Nexcom 1043. Has anyone any idea if that will provide the power for 1 Gbit/s IPSec?

  • Note that raw traffic volume is only part of it - the requirements to handle 1 Gb/s of minimum size packets (72 bytes ISTR) vs 1 Gb/s of jumbo packets (up to 9KB) will be rather different (in general a lower number of larger packets is usually less system intensive).  An understanding of the nature of your traffic will be helpful to you.

  • The traffic will be a mix of both and all in between  :)

    So let's say that I don't need 1 GBit/s exactly but I need to be close. Say no less than 850 MBit/s

  • Hardware encryption cards will also help lower the CPU load.

  • I found this guide: http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

    Feature Considerations - VPN

    ..and relatively new server hardware (Xeon 800 FSB and newer) deployments are pushing over 100 Mbps with plenty of capacity to spare.

    But it's hard to tell what kind of hw I need for close to 1 Gbit/s IPSec

    I also found this:

    501+ Mbps - server class hardware with PCI-X or PCI-e network adapters. No less than 3.0 GHz CPU.

    That will mean that I at least will need a 3.0 GHz CPU just for traffic. Will a dual or quad core CPU be able to handle 1Gbit/s alone?

    The Hifn 8450 is the only one that is able to provide the speed. But I can't find a reseller in DK. :(

    I could also imagine that a card like that would cost quite a bit. The question is then again: Is it possible to do the en-/decryption and routing in standard server/PC hardware? Perhaps Xeon quad 3.0 GHz?

  • I'm not sure if there exist any buyable/(payable?) cards with this chip: http://www.hifn.com/products.aspx?id=390
    but it seems interesting.

  • That was the chip/card I was talking about.

  • Ah.
    But that's not an encryption accelerator.
    That's a chip which can be integrated into a NIC.
    –> The NIC itself will encrypt the traffic.

    However as you say it seems to be hard to get such a card.
    Also questionable is, if such an encryption is supported under FreeBSD.

    You may have more luck with the addon encryption cards such as the
    hifn 7751, 7951, 7811, 7955, and 7956

  • I'd say that a visit to the freebsd-net mailing list (see the FreeBSD mailing list page) would probably be your best bet.  Ultimately this is a question about the hardware required for FreeBSD 7.0 to push 850 Mb/s to 1 Gb/s of IPSec traffic (you'll never hit 1 Gb/s on a 1 Gb/s link because of overheads).

    You also certainly want quality kit - which means things like the Intel server adapters etc.  I suspect one problem you'll find is that you're probably limited to a single threaded process, which means that extra cores may not help as much as raw processor clock speed (though extra cores will probably still help a bit).  Your choice of encryption algorithm will also matter (DES will have lower overheads, and be less secure, than AES).
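A worked estimate of the two overheads raised in this thread (the packet rate a 1 Gb/s link carries at minimum versus jumbo frame size, and the ESP plus Ethernet framing that keeps usable traffic below 1 Gb/s), added here as example code that is not from any poster; the ESP suite (AES-256-CBC with HMAC-SHA1-96) and the 1500- and 9000-byte MTUs are assumptions made for the example.

```python
import math
from dataclasses import dataclass

LINK_BPS = 1_000_000_000   # 1 GbE line rate
ETH_L2 = 18                # Ethernet header (14) + FCS (4)
ETH_GAP = 20               # preamble/SFD (8) + inter-frame gap (12), also consumed on the wire
ETH_MIN_FRAME = 64         # minimum frame (header..FCS); shorter payloads are padded up to this
IPV4_HDR = 20
TCP_HDR = 20               # no options
ESP_HDR = 8                # SPI (4) + sequence number (4)

@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # bytes of IV carried after the ESP header
    block: int     # alignment the ESP payload is padded to
    icv_len: int   # bytes of integrity check value

# Assumed suite for the example: AES-256-CBC with HMAC-SHA1-96
AES256_CBC_SHA1 = EspSuite("AES-256-CBC + HMAC-SHA1-96", iv_len=16, block=16, icv_len=12)

def wire_bytes(ip_len):
    """Bytes one Ethernet frame carrying an IP packet of ip_len bytes occupies on the wire."""
    return max(ip_len + ETH_L2, ETH_MIN_FRAME) + ETH_GAP

def packets_per_second(ip_len, link_bps=LINK_BPS):
    """Packets the link can carry per second when every packet is ip_len bytes."""
    return link_bps // (wire_bytes(ip_len) * 8)

def esp_tunnel_len(inner_len, suite):
    """Outer IPv4 length of an ESP tunnel-mode packet wrapping an inner IP packet (RFC 4303 layout)."""
    # payload + padding + pad-length byte + next-header byte, padded to the cipher's alignment
    padded = math.ceil((inner_len + 2) / suite.block) * suite.block
    return IPV4_HDR + ESP_HDR + suite.iv_len + padded + suite.icv_len

def max_inner_len(outer_mtu, suite):
    """Largest inner IP packet that fits in outer_mtu without fragmenting the ESP packet."""
    return max(n for n in range(1, outer_mtu + 1) if esp_tunnel_len(n, suite) <= outer_mtu)

def tcp_goodput_bps(outer_mtu, suite, link_bps=LINK_BPS):
    """Best-case TCP payload rate through the tunnel when packets are as large as the outer MTU allows."""
    inner = max_inner_len(outer_mtu, suite)
    payload = inner - IPV4_HDR - TCP_HDR
    return link_bps * payload / wire_bytes(esp_tunnel_len(inner, suite))

if __name__ == "__main__":
    for ip_len in (46, 1500, 9000):    # minimum frame, standard MTU, jumbo
        print(f"{ip_len:5d}-byte IP packets: {packets_per_second(ip_len):>10,d} pps at 1 Gb/s")
    for mtu in (1500, 9000):
        inner = max_inner_len(mtu, AES256_CBC_SHA1)
        print(f"MTU {mtu}: inner {inner} B -> outer {esp_tunnel_len(inner, AES256_CBC_SHA1)} B, "
              f"TCP goodput {tcp_goodput_bps(mtu, AES256_CBC_SHA1) / 1e6:.0f} Mb/s")
```

The minimum-size case works out to roughly 1.49 million packets per second against under 14 thousand for 9000-byte packets, which is why the packet mix matters more than the raw bit rate for the CPU budget.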

  • GruensFroeschli: You're right. I saw that, but after my post :)

    Perry: Interesting. The PESC62 looks like it can do the job. But again it looks like there is no reseller in DK. :(

    Cry Havok: I know that hitting 1 Gb/s is not possible because of overhead, but I want to get as close as possible.

    I'll try the freebsd mailing lists as well, but keep the posts coming.

    According to their tech specs, the highest throughput they support while
    doing encryption is 460 Mbps. For reference, a 1.8 GHz Opteron (x44) can
    encrypt with RC4 at 2500 Mbps. As an example, this means you can choose
    to limit the throughput to 1250 Mbps, and keep 50% of your CPU time for
    other applications, or just add a second CPU to your system. A 2.2 GHz
    Opteron (x48) scales to 3100 Mbps, a 2.6 GHz one (x52) would scale to
    3700 Mbps.

    By law and internal IT policy the encryption must be at least AES-256, equivalent or better. Guess that probably was some good information to put in my first post.

    So a 2.6 GHz Opteron can do 3700 Mbps of RC4. It would be interesting to see what it can do in AES-256, but also interesting to see what a Xeon 3.0 GHz can do.

    Does anyone know how they did those tests?

  • Probably the low tech way - hook up a packet generator and receiver with a pair of hosts to act as VPN routers then turn the speed up until the processors max out ;)  I've done similar things quite a few times.

  • A modern server can easily do 1 Gbps wire speed without crypto, and I would expect it to offer the same performance even with crypto. A quad core box should do fine, though I can't say I've ever tested at that scale.

  • I may be off base here a bit but I would worry more about the throughput of the front side bus and the interface of the network cards.  Out of curiosity, what are you doing to produce that much traffic and what type of connection are you using?

  • My guess is site-to-site VPN connections.  At those speeds it sounds like he wants to bridge two large offices together.

    He may also be thinking about incorporating off-site backups into this VPN scheme.

    He may be better off just splitting up the site-to-site VPN connections into channels.  This way he'll get the total throughput he wants and the added bonus of a backup network connection.
