Red Hat has published the results of a performance assessment of encrypted communication channels built with the IPsec protocol on modern hardware, and has also compared IPsec throughput based on the authenticated encryption algorithms AES-GCM and AES-SHA1.
Testing was carried out on the RHEL 9.4 distribution, on a server with two fourth-generation Intel Xeon Scalable processors (28 cores and 56 logical cores in each CPU), connected to the network via a 100-gigabit Intel E810 network adapter. Hardware-based IPsec acceleration, with offloading of operations to the network card or Intel QAT, was disabled in order to measure the performance of the software stack itself. System settings followed the "throughput-performance" profile, the firewalld firewall was disabled, and the traffic-generating iperf3 process and the network card interrupt handler were bound to the first CPU core (to avoid performance degradation caused by interrupt handlers migrating to NUMA nodes not associated with the network card).
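The pinning described in this setup, sketched as an added shell example (not Red Hat's own test script): it finds the network card's IRQs and prints, without running them, the commands that bind those IRQs and iperf3 to one core. The interface name `ens1f0`, the peer address `192.0.2.10`, the sample interrupt table and the reading of the profile as a TuneD profile are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not run) the pinning setup described above.
IFACE="${IFACE:-ens1f0}"     # assumed interface name
CORE="${CORE:-0}"            # the "first CPU core" from the article
PEER="${PEER:-192.0.2.10}"   # placeholder peer (documentation address)

# Constructed sample in /proc/interrupts format (IRQ names are illustrative).
SAMPLE_INTERRUPTS='            CPU0       CPU1
  34:       1200          0  IR-PCI-MSI 524288-edge   ice-ens1f0-TxRx-0
  35:          0       3400  IR-PCI-MSI 524289-edge   ice-ens1f0-TxRx-1
  36:         10          0  IR-PCI-MSI 1048576-edge  ice-ens1f1-TxRx-0
 NMI:          0          0  Non-maskable interrupts'

# Read /proc/interrupts-format text on stdin; print the IRQ numbers whose
# handler name (last field) contains the interface name as a whole token.
nic_irqs() {
    awk -v ifc="$1" '
        $1 ~ /^[0-9]+:$/ && $NF ~ ("(^|[^A-Za-z0-9])" ifc "([^A-Za-z0-9]|$)") {
            sub(":", "", $1); print $1
        }'
}

# Emit the commands for review. Assumption: the "throughput-performance"
# profile is the TuneD profile of that name.
plan() {
    echo "tuned-adm profile throughput-performance"
    echo "systemctl stop firewalld"
    # NIC's NUMA node, to confirm CORE belongs to the same node.
    echo "cat /sys/class/net/$IFACE/device/numa_node"
    for irq in $(nic_irqs "$IFACE" < "${INTERRUPTS:-/proc/interrupts}"); do
        echo "echo $CORE > /proc/irq/$irq/smp_affinity_list"
    done
    echo "taskset -c $CORE iperf3 -c $PEER"
}

if [ "${1:-}" = "--plan" ]; then plan; fi
```

Run it with `--plan` to print the commands for the local machine; a running irqbalance service can move the IRQs again after they are pinned.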
In the single-threaded IPsec test for IPv4 and IPv6, with one CPU core used for the iperf3 process, throughput of 6 Gbit/s was recorded for AES-GCM and 3.75 Gbit/s for AES-SHA1, i.e. AES-SHA1 turned out to be about 40% slower than AES-GCM. In the test with multiple parallel threads (each iperf3 instance bound to a separate CPU core), peak throughput with AES-GCM reached 50 Gbit/s for IPv4 and IPv6, which demonstrates that the standard RHEL configuration on a typical server with two 25-gigabit communication channels or one 40-gigabit channel can fully utilize the available bandwidth without hardware acceleration.