Comment by c0l0
21 hours ago
Very cool project - hoping to see follow-up designs that can do more than 1Gbps per port!
I recently built a fully Layer2-transparent 25Gbps+ capable WireGuard-based solution for LR fiber links at work based on Debian with COTS Zen4 machines and a purpose-tailored Linux kernel build - I'd be curious to know what an optimized FPGA can do compared to that.
How did you work around WireGuard's encryption and multiqueue bottlenecks? Jumbo frames?
25G is a lot for WireGuard [1].
1. https://www.youtube.com/watch?v=oXhNVj80Z8A
Yes, jumbo frames unlock a LOT of additional performance - which is exactly what we have and need on those links. Using a vanilla wg-bench[0] loopback-esque (really veths across network namespaces) setup on the machine, I get slightly more than 15Gbps sustained throughput.
[0]: https://github.com/cyyself/wg-bench
It's probably a 48-port switch and that's a backplane claim.
When macsec exists?
No kidding.
Just to elaborate for others, MACSec is a standard (802.1AE) and runs at line rate. Something like a Juniper PTX10008 can run it at 400Gbps, and it's just a feature you turn on for the port you'd be using for the link you want to protect anyway (PTXs are routers/switches, not security devices).
If I need to provide encryption on a DCI, I’m at least somewhat likely to have gear that can just do this with vendor support instead of needing to slap together some Linux based solution.
Unless, I suppose, there’s various layer 2 domains you’re stitching together with multiple L2 hops and you don’t control the ones in the middle. In which case I’d just get a different link where that isn’t true.
I have at least one switch that's MACSec compatible at line speed but I haven't had time to take a look. I guess this is confined to the LAN and cannot do a MACSec link over the internet, can it?
Yeah that would have been great, but it's not available on our existing core switches (Dell PowerSwitch S5200 series).
> When macsec exists?
When you say "exists" ... is there an open-source high-quality implementation?
https://man7.org/linux/man-pages/man8/ip-macsec.8.html
Generally it's used when you have links going between two of your sites, so you typically only need it on the switch or router that terminates that link.
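To make the ip-macsec answer above concrete, here is an added example (not posted by anyone in the thread, and not wg-bench's code) that brings up a static-key MACsec link over a veth pair between two network namespaces, the same "loopback-esque" layout the WireGuard comment describes, so the commands can be exercised without a MACsec-capable NIC. Namespace names, MAC addresses, the 10.99.0.0/24 addresses and the two SAKs are constructed demo values; the `run` argument, `valid_sak` and `macsec_cmds` are this script's own helpers. Bringing the link up needs root and a kernel with CONFIG_MACSEC; the helpers themselves run anywhere.

```shell
#!/bin/sh
# Added example: static-key MACsec (GCM-AES-128) between two netns over veth.
# Everything below is constructed for the demo and is not from the thread.
set -eu

NS_A=macsec-a            # constructed namespace names
NS_B=macsec-b
MAC_A=02:00:00:00:00:0a  # locally administered, constructed MACs
MAC_B=02:00:00:00:00:0b
# One Secure Association Key per direction. Constructed test keys only;
# real links derive and rotate SAKs via MKA, never ship them in scripts.
KEY_A2B=00112233445566778899aabbccddeeff
KEY_B2A=ffeeddccbbaa99887766554433221100

# A SAK is 16 bytes (32 hex chars) for gcm-aes-128 or 32 bytes (64 hex chars)
# for gcm-aes-256; anything else is rejected before it reaches ip(8).
valid_sak() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ] || [ "${#1}" -eq 64 ]
}

# Emit the ip-macsec command sequence for one end of the link.
# $1 parent iface  $2 peer MAC  $3 tx key id  $4 tx SAK  $5 rx key id  $6 rx SAK
# The rx key id/SAK here must equal the peer's tx key id/SAK, and vice versa.
macsec_cmds() {
  parent=$1; peer=$2; txid=$3; txkey=$4; rxid=$5; rxkey=$6
  valid_sak "$txkey" && valid_sak "$rxkey" || {
    echo "macsec_cmds: SAK must be 32 or 64 hex chars" >&2; return 1; }
  # encrypt on: confidentiality, not just integrity.
  # replay on window 32: drop frames whose packet number falls behind.
  cat <<EOF
ip link add link $parent macsec0 type macsec encrypt on replay on window 32
ip macsec add macsec0 tx sa 0 pn 1 on key $txid $txkey
ip macsec add macsec0 rx port 1 address $peer
ip macsec add macsec0 rx port 1 address $peer sa 0 pn 1 on key $rxid $rxkey
ip link set macsec0 up
EOF
}

# Build the two namespaces, the veth pair, and a macsec0 device on each side,
# then ping across the protected link and show the per-SA counters.
setup_link() {
  ip netns add "$NS_A"; ip netns add "$NS_B"
  ip link add veth-a address "$MAC_A" type veth peer name veth-b address "$MAC_B"
  ip link set veth-a netns "$NS_A"; ip link set veth-b netns "$NS_B"
  ip -n "$NS_A" link set veth-a up; ip -n "$NS_B" link set veth-b up
  ip netns exec "$NS_A" sh -e -c "$(macsec_cmds veth-a "$MAC_B" 01 "$KEY_A2B" 02 "$KEY_B2A")"
  ip netns exec "$NS_B" sh -e -c "$(macsec_cmds veth-b "$MAC_A" 02 "$KEY_B2A" 01 "$KEY_A2B")"
  ip -n "$NS_A" addr add 10.99.0.1/24 dev macsec0
  ip -n "$NS_B" addr add 10.99.0.2/24 dev macsec0
  ip netns exec "$NS_A" ping -c 3 10.99.0.2
  ip -n "$NS_A" macsec show   # InPktsOK / OutPktsEncrypted should be non-zero
}

teardown_link() {
  ip netns del "$NS_A" 2>/dev/null || true
  ip netns del "$NS_B" 2>/dev/null || true
}

# Only touch the system when explicitly asked to and running as root.
if [ "${1:-}" = "run" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  trap teardown_link EXIT
  setup_link
fi
```

Run it as `sudo sh macsec-demo.sh run`; without the argument it only defines the helpers. Note that this is the static-SAK mode ip-macsec exposes: there is no key agreement or rekeying, so a production link would let MKA (wpa_supplicant supports it on Linux) derive and rotate the SAKs, and `replay on` should stay enabled so a recorded frame cannot be reinjected later.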
This is a flex!