BoF: "IPsec performance" (Steffen Klassert)


IPsec suffers from poor performance compared to non-IPsec protocols. This is mostly because the required crypto operations are CPU-intensive, but also because the IPsec networking path is not well optimized.

This BoF is to discuss possible improvements of the IPsec networking path.

Here we want to consider pure software improvements as well as hardware support for IPsec.

Possible improvements could be:

  • Avoid copying most of the data frames before doing crypto.
  • Add a software GRO/GSO code path for IPsec.
  • Support IPsec offloading to NICs.
  • Change xfrm_policy_lock from an rwlock to RCU.

The following people should attend:

  • Network developers with IPsec background.
  • Network driver developers whose hardware supports IPsec.
  • IPsec users.