Re: Enabling AESNI by default

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Thu, 31 Dec 2020 14:51:48 -0800
On 12/31/20 12:15 PM, Franco Fichtner wrote:
> https://cgit.freebsd.org/src/commit/sys/crypto/aesni?h=stable/12&id=95b37a4ed741fd116809d0f2cb295c4e9977f5b6
> 
> may have subtly broken a number of IPsec installations by stalling active
> connections after certain amounts of traffic transferred.  We're still
> trying to confirm, but it looks like this had an overall impact on 12.0
> and 12.1 except that only one person in OPNsense traced it back to aesni.ko
> to our knowledge to effectively work around an apparent issue there.
> 
> If that is not the actual fix, the problem still exists in 12.2 and onward ;)

We don't support AES-CCM for IPsec, so there is 0 chance that commit has any
effect on IPsec in 12.  There's not much detail in the forum posts though
(e.g. netstat -s output to get ipsec, esp, and ah stats).  Also, at least
one forum post mentioned it happened when doing an upgrade from 11.2 to 12.1
which is a larger set of changes.  I know the pfsense folks had a major
performance regression due to iflib with Intel e1000 devices that might
manifest as this perhaps?  Disabling aesni might just be throttling the
connection slow enough to avoid hitting a bug in a NIC driver for example.
I think netstat -s would be a better place to start to try to debug this.

> https://github.com/opnsense/core/issues/4415

-- 
John Baldwin
Received on Thu Dec 31 2020 - 21:51:50 UTC
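John's suggestion to start from `netstat -s` counters, as an added example that is not part of the thread: a POSIX sh helper (the function names `esp_delta` and `esp_drops` are assumed) that diffs two saved snapshots of `netstat -s -p esp` and reports which counters moved, so a stall can be tied to crypto, replay or authentication drops rather than guessed at. The snapshot text is constructed sample data modeled on that output, not a real capture.

```shell
#!/bin/sh
# Compare two snapshots of `netstat -s -p esp` (taken before and after a stall)
# and print the counters that changed. Snapshot lines look like "<count> <description>".

# Constructed sample snapshots, modeled on FreeBSD `netstat -s -p esp` output.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat >"$BEFORE" <<'EOF'
esp:
	0 packets shorter than header shows
	0 packets dropped; replay check failed
	0 packets dropped; bad authentication detected
	0 packets dropped; crypto error
	1200 packets in
	1187 packets out
	1536000 bytes in
	1519000 bytes out
EOF
cat >"$AFTER" <<'EOF'
esp:
	0 packets shorter than header shows
	0 packets dropped; replay check failed
	0 packets dropped; bad authentication detected
	42 packets dropped; crypto error
	9800 packets in
	9750 packets out
	12544000 bytes in
	12480000 bytes out
EOF

# esp_delta BEFORE AFTER: print "<delta><TAB><description>" for every counter that changed.
# Non-numeric lines (the "esp:" header) are skipped; the description is the map key.
esp_delta() {
    awk '
        FNR == NR { if ($1 ~ /^[0-9]+$/) { v = $1; $1 = ""; before[$0] = v }; next }
        $1 ~ /^[0-9]+$/ { v = $1; $1 = ""; d = v - before[$0]
                          if (d != 0) printf "%d\t%s\n", d, substr($0, 2) }
    ' "$1" "$2"
}

# esp_drops BEFORE AFTER: only the drop/error counters that advanced. If these stay at
# zero while "packets in/out" keep moving, the stall is unlikely to be in the crypto path.
esp_drops() {
    esp_delta "$1" "$2" | grep -E 'dropped|error|failed'
}
```

Take the snapshots with `netstat -s -p esp > before.txt` and the same after the stall, then run `esp_drops before.txt after.txt`; `netstat -s -p ah` and `-p ipsec` can be fed through the same functions.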