Re: [Openvpn-users] Performance Issues with Gigabit Encryption

  Subject: Re: [Openvpn-users] Performance Issues with Gigabit Encryption
  From: Jeff Stearns
  Date: Thu, 9 Mar 2006 11:52:49 -0800

Jim -

There's nothing unusual about 1Gbit throughput. My company builds web servers from generic white-box PC hardware running Linux 2.6. I routinely test their performance, and I would investigate any server whose throughput measures less than 960Mbits/sec under load.

We're talking about real traffic coming from a real web server being delivered to real clients over a real 1Gbit link. At this throughput, the kernel's network driver generally consumes about 20% of CPU cycles.

The traffic is not encrypted, but it is actual content being delivered by a real web server. In fact, the content is being produced by a cgi which does on-the-fly crypto, so every byte gets copied at least 5 times through multiple context switches before it's sent to the NIC. It's inefficient, but the truth is that modern processors and NICs are so fast that you can get away with this kind of inefficiency.

I rarely do anything with Windows, so it may be true that 200Mbits/sec is considered "good" on Windows. But a Unix-like operating system running on modern hardware is easily capable of saturating a 1Gbit link.

I used to design routers and other embedded systems. What folks call "firmware" is just software that's hard to change. (So it's not as "soft" as software.) We don't put network protocols into hardware. Modern CPUs are so cheap and have such high throughput that they're much more cost-effective than dedicated hardware except in very unusual cases.

I haven't yet tested openvpn over a 1Gbit link, but I expect that it should be capable of saturating the link. Modern hardware is certainly capable of good performance, so any throughput problems should be fixable with tuning.

-jeff stearns

On Mar 9, 2006, at 10:21 AM, Jim Drash wrote:

I am very surprised to see the 980 Mbps throughput you describe. Most operating systems can do very well at about 200 Mbps in a 1 Gbps network. Why is this? Mostly it is because the bulk of the communication stack is implemented in software. How do switch and router vendors do it? Their stack is in firmware and hardware.

I don't doubt you are seeing 980, but since we don't know what you are using for that measurement, it seems extremely high.

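Jim's question is what tool produced the 980 Mbps figure. Neither message names one, so the following is an added example, not code from either poster or from the OpenVPN project: a minimal TCP throughput meter that counts payload bytes at the receiving end and converts them to Mbit/s, which is the number a server-side test like Jeff's has to report. It runs sink and sender in one process over the loopback interface (a constructed setup for demonstration), so what it measures is the kernel's TCP stack and the user-to-kernel copies, not a NIC or a 1Gbit link; the same accounting applies unchanged when the sink runs on a second host. Chunk size, payload size and the 64 KiB receive buffer are arbitrary assumptions.

```python
import socket
import threading
import time

MBIT = 1_000_000  # network throughput is conventionally quoted in decimal megabits


def _sink(listener, result):
    """Accept one connection and count every payload byte until the peer closes.

    Counting on the receiving side matters: bytes the sender has handed to
    sendall() are not yet across the link, so sender-side counts overstate
    throughput for any test shorter than the socket buffers in flight.
    """
    conn, _ = listener.accept()
    total = 0
    with conn:
        while True:
            chunk = conn.recv(1 << 16)  # assumed 64 KiB receive buffer
            if not chunk:               # peer did shutdown(SHUT_WR): stream complete
                break
            total += len(chunk)
    result["bytes"] = total


def measure_throughput(payload_bytes, chunk_bytes=1 << 16, host="127.0.0.1"):
    """Push payload_bytes over a fresh TCP connection to a local sink.

    Returns (bytes_received, mbit_per_sec). The timer runs from the first
    byte sent until the sink has drained the stream, so buffered-but-unread
    data is not credited as delivered.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))            # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}
    receiver = threading.Thread(target=_sink, args=(listener, result))
    receiver.start()

    # Constructed payload: content is irrelevant to the stack, only its length.
    chunk = b"\x00" * chunk_bytes
    sent = 0
    start = time.perf_counter()
    with socket.create_connection((host, port)) as sender:
        while sent < payload_bytes:
            n = min(chunk_bytes, payload_bytes - sent)
            sender.sendall(chunk[:n])
            sent += n
        sender.shutdown(socket.SHUT_WR)  # signal end of stream without closing early
    receiver.join()
    elapsed = time.perf_counter() - start
    listener.close()

    received = result["bytes"]
    mbit_per_sec = (received * 8) / elapsed / MBIT
    return received, mbit_per_sec


if __name__ == "__main__":
    # 64 MiB is enough to amortise connection setup on a loopback test.
    got, rate = measure_throughput(64 * 1024 * 1024)
    print(f"received {got} bytes at {rate:.0f} Mbit/s over loopback")
```

Loopback numbers will be far above any NIC rate and should not be quoted as link throughput; their only use here is to show that the measurement itself is cheap and that the receiver, not the sender, is where delivered bytes are counted. To reproduce a test of the kind described above, run the sink on the server under load and the sender on a client across the real 1Gbit link.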
