Red Hat has recently released the findings of a performance evaluation of encrypted communication channels using the IPsec protocol on modern hardware. The company compared IPsec throughput with the AES-GCM and AES-SHA1 authenticated encryption algorithms.
The testing was conducted on a server running RHEL 9.4 with two fourth-generation Intel Xeon Scalable processors, each equipped with 28 cores and 56 logical cores. The server was connected to the network via a 100-gigabit Intel E810 network adapter. Hardware acceleration for IPsec was disabled in order to assess the performance of the software stack. System settings were configured using the "throughput-performance" profile, with the firewall and iperf3 processes turned off. Additionally, network card interrupts were directed to the first CPU core to prevent performance degradation from interrupts being migrated to other NUMA nodes.
In single-threaded IPsec tests for both IPv4 and IPv6, AES-GCM achieved 6 Gbit/s, while AES-SHA1 achieved 3.75 Gbit/s, making AES-SHA1 around 40% slower than AES-GCM. When testing multiple parallel flows, each using a separate CPU core, the peak bandwidth for AES-GCM reached 50 Gbit/s for both IPv4 and IPv6. These results demonstrate the potential to fully utilize available throughput in a standard RHEL configuration on a typical server without requiring hardware acceleration.