Making Open Work
May 8–9, 2017: Training & Tutorials
May 10–11, 2017: Conference
Austin, TX

40 Gbps IPsec on commodity hardware

Jim Thompson  (Netgate)
5:05pm–5:45pm Thursday, May 11, 2017
Location: Meeting Room 9 A/B
Level: Intermediate

Who is this presentation for?

  • Engineers and those working in information security, operations/production, and network security

Prerequisite knowledge

  • Familiarity with vector packet processing, networking, crypto-offloading, and routing

What you'll learn

  • Learn how Netgate’s novel router approach enables IPsec rates exceeding 10 Gbps using only software and near 40 Gbps when combined with COTS cards


Routers implemented in software are already widely used for home and small office networking. The two main benefits of these routers are that they run on inexpensive commodity hardware and their functionality can be changed in a flexible way, simply by modifying the software. This allows a fast reaction time for changing network needs and adaptation to new technology. Because of these advantages, it is worthwhile to investigate software router implementations in larger networks to determine whether they are able to compete with commercially available hardware routers.

Currently, 10 Gbps Ethernet is used in server networks, and 40 Gbps Ethernet devices have started to appear on the market. As a result, meeting the increased packet-rate requirements becomes ever more difficult for software routers: commonly used software routing implementations (such as pfSense), which are often based on the networking stacks of general-purpose operating systems, cannot keep up with the demands of these new standards.

Jim Thompson offers an overview of Netgate’s router, built from open source components, which can achieve packet rates above 14.6 Mpps on a single CPU core running at 3.2 GHz, enough to saturate a 10 Gbps Ethernet port with minimum-sized packets to 98% of line rate. Jim explains how the router scales linearly with CPU frequency as well as with the number of CPU cores, allowing the software router to serve multiple 10 Gbps network ports, and how Netgate’s novel approach enables IPsec connections at rates exceeding 10 Gbps using only software and 40 Gbps using off-the-shelf accelerator cards.
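The arithmetic behind the figures in the abstract, as an added example that is not part of the session page or Netgate's code: it computes Ethernet line rate from the standard framing overhead (preamble, SFD and inter-frame gap are assumed at their IEEE minimums), checks the 98% claim, and turns the 3.2 GHz / 14.6 Mpps numbers into the per-packet cycle budget that any forwarding path, including per-packet IPsec work, has to fit into. The linear-scaling helper is an idealised estimate, not a measurement.

```python
# Added example: line-rate arithmetic for the packet rates quoted in the abstract.
# Framing constants are standard Ethernet values; 3.2 GHz and 14.6 Mpps are the
# abstract's figures. Linear scaling across cores is an assumption, not a result.

PREAMBLE_SFD_BYTES = 8   # 7-byte preamble + 1-byte start-of-frame delimiter
IFG_BYTES = 12           # minimum inter-frame gap
MIN_FRAME_BYTES = 64     # minimum Ethernet frame on the wire, FCS included


def line_rate_pps(link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Maximum packets per second a link can carry at a given frame size.

    Each frame occupies the wire for its own bytes plus preamble/SFD and the
    inter-frame gap, so the per-packet cost is (frame + 20) bytes of link time.
    """
    wire_bits = (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8
    return link_bps / wire_bits


def link_utilisation(achieved_pps: float, link_bps: float,
                     frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Fraction of theoretical line rate reached at this frame size."""
    return achieved_pps / line_rate_pps(link_bps, frame_bytes)


def cycles_per_packet(cpu_hz: float, pps: float) -> float:
    """CPU cycles available per packet on one core at a given packet rate.

    This is the budget that parsing, lookup, and any per-packet crypto must
    share; exceeding it means the core, not the NIC, becomes the bottleneck.
    """
    return cpu_hz / pps


def ports_saturated(cores: int, per_core_pps: float, link_bps: float,
                    frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Idealised linear-scaling estimate of how many ports `cores` cores can fill."""
    return cores * per_core_pps / line_rate_pps(link_bps, frame_bytes)


if __name__ == "__main__":
    print(f"10 GbE, 64-byte frames: {line_rate_pps(10e9) / 1e6:.2f} Mpps line rate")
    print(f"40 GbE, 64-byte frames: {line_rate_pps(40e9) / 1e6:.2f} Mpps line rate")
    print(f"14.6 Mpps on one core: {link_utilisation(14.6e6, 10e9):.1%} of 10 GbE")
    print(f"budget at 3.2 GHz: {cycles_per_packet(3.2e9, 14.6e6):.0f} cycles/packet")
    print(f"8 cores, ideal scaling: {ports_saturated(8, 14.6e6, 10e9):.2f} x 10 GbE ports")
```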


Jim Thompson 


Jim Thompson is CTO of Netgate. Jim has held a variety of technology leadership and executive positions throughout the networking and security industry with particular experience in networking protocols (TCP/IP, Ethernet, 802.11, etc.); primary programming languages (C, assembly for PPC, ARM, MIPS, etc.); interrupt handling, concurrent execution, task synchronization; GNU tools (gcc, binutils, gdb, make, autoconf, CVS); security and cryptography (3DES, AES, RSA, DSA, DH, IPSec, OpenVPN); Unix/Linux/*BSD server and workstation setup and administration; TCP/IP network setup, administration, troubleshooting; Sendmail, BIND, Netfilter/iptables/pf firewall configuration; and Linux/FreeBSD ports to new hardware.