#1 2009-12-04 22:07:04

aport
Member
From: San Diego
Registered: 2008-02-20
Posts: 99

IPsec throttling

I've got an older machine that I'm using for VPN access. Using StrongSwan with MD5-AES. Works great.


I can get about 20mbps of throughput. The only issue is that this completely saturates the CPU and the device becomes unresponsive.



I know that I can use tc to actually limit the bandwidth of ESP traffic, but I was thinking that maybe a better solution would be to limit how much CPU can be used for encryption.

I have no idea if this is even possible... I'd assume it would have something to do with the scheduler? If anyone has any insight on this subject that would be fantastic!


#2 2009-12-05 00:18:49

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: IPsec throttling

what aes cipher are you using?

aes-256 is not really more secure than aes-128 (due to number of permutations and recent 'shortcuts'..search Schneier for more info), and uses quite a bit more cpu.

Other than that, I don't believe there is any way to 'limit by cpu'.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#3 2009-12-05 22:32:57

aport
Member
From: San Diego
Registered: 2008-02-20
Posts: 99

Re: IPsec throttling

cactus wrote:

what aes cipher are you using?

aes-256 is not really more secure than aes-128 (due to number of permutations and recent 'shortcuts'..search Schneier for more info), and uses quite a bit more cpu.

Other than that, I don't believe there is any way to 'limit by cpu'.

aes128.

It's just annoying that since it's all done in the kernel, it's allowed to use all the resources in the world. There should be a way to limit. That's lame.

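The tc option mentioned in the first post, written out as an added example that is not part of the original thread: it caps native ESP (IP protocol 50) in both directions so the box never reaches the throughput at which encryption saturates the CPU. The interface name eth0, the 100mbit link rate and the 12mbit cap are assumptions; pick a cap below the rate at which your own CPU maxes out.

```shell
#!/bin/sh
# Added example (not from the thread): rate-limit ESP with tc.
# Assumptions: interface eth0, 100mbit link, 12mbit ESP cap, native ESP.
# With NAT-T the ESP packets travel inside UDP port 4500 and will not
# match "ip protocol 50"; a UDP port match would be needed instead.

# esp_shaper_cmds DEV LINK_RATE ESP_RATE
# Prints the tc commands one per line; nothing is applied by this function.
esp_shaper_cmds() {
    dev=$1
    link=$2
    esp=$3
    cat <<EOF
tc qdisc add dev $dev root handle 1: htb default 20
tc class add dev $dev parent 1: classid 1:1 htb rate $link
tc class add dev $dev parent 1:1 classid 1:10 htb rate $esp ceil $esp
tc class add dev $dev parent 1:1 classid 1:20 htb rate 1mbit ceil $link
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 50 0xff flowid 1:10
tc qdisc add dev $dev handle ffff: ingress
tc filter add dev $dev parent ffff: protocol ip prio 1 u32 match ip protocol 50 0xff police rate $esp burst 100k drop flowid :1
EOF
}

# Lines 1-5: egress HTB tree. Class 1:10 holds ESP at the cap (ceil equals
# rate, so it cannot borrow); class 1:20 takes everything else and may
# borrow up to the link rate.
# Lines 6-7: ingress policer. Inbound ESP above the cap is dropped at the
# interface, before the kernel spends cycles decrypting it.

# Dry run by default: print the commands. Set APPLY=1 (as root) to install.
if [ "${APPLY:-0}" = 1 ]; then
    esp_shaper_cmds eth0 100mbit 12mbit | sh -e
else
    esp_shaper_cmds eth0 100mbit 12mbit
fi
```

The egress shaper sees packets after they have been encrypted, so it reduces CPU load indirectly, by making senders back off; the ingress policer is the part that discards traffic before any crypto work is done.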