c0l0 19 hours ago

Very cool project - hoping to see follow-up designs that can do more than 1Gbps per port!

I recently built a fully Layer2-transparent 25Gbps+ capable wireguard-based solution for LR fiber links at work based on Debian with COTS Zen4 machines and a purpose-tailored Linux kernel build - I'd be curious to know what an optimized FPGA can do compared to that.

dpeckett 9 hours ago | parent | next [-]

How did you work around WireGuard's encryption and multiqueue bottlenecks? Jumbo frames?

25G is a lot for WireGuard [1].

1. https://www.youtube.com/watch?v=oXhNVj80Z8A

c0l0 9 hours ago | parent | next [-]

Yes, Jumbo frames unlock a LOT of additional performance - which is exactly what we have and need on those links. Using a vanilla wg-bench[0] loopback-esque (really veths across network namespaces) setup on the machine, I get slightly more than 15Gbps sustained throughput.

[0]: https://github.com/cyyself/wg-bench

superxpro12 9 hours ago | parent | prev [-]

It's probably a 48-port switch and that's a backplane claim.

Hikikomori 19 hours ago | parent | prev | next [-]

When macsec exists?

bc569a80a344f9c 18 hours ago | parent | next [-]

No kidding.

Just to elaborate for others, MACSec is a standard (802.1ae) and runs at line rate. Something like a Juniper PTX10008 can run it at 400Gbps, and it’s just a feature you turn on for the port you’d be using for the link you want to protect anyway (PTXs are routers/switches, not security devices).

If I need to provide encryption on a DCI, I’m at least somewhat likely to have gear that can just do this with vendor support instead of needing to slap together some Linux based solution.

Unless, I suppose, there’s various layer 2 domains you’re stitching together with multiple L2 hops and you don’t control the ones in the middle. In which case I’d just get a different link where that isn’t true.

tecleandor 5 hours ago | parent [-]

I have at least one switch that's MACSec compatible at line speed but I haven't had time to take a look. I guess this is confined to LAN and cannot do a MACSec link through the internet, can it?

bc569a80a344f9c 3 hours ago | parent [-]

It’s port to port. It protects a link.

tecleandor 8 minutes ago | parent [-]

Thanks!

c0l0 8 hours ago | parent | prev | next [-]

Yeah that would have been great, but it's not available on our existing core switches (Dell PowerSwitch S5200 series).

ur-whale 16 hours ago | parent | prev [-]

> When macsec exists?

When you say "exists" ... is there an OpenSource high-quality implementation ?

Hikikomori 16 hours ago | parent [-]

https://man7.org/linux/man-pages/man8/ip-macsec.8.html

Generally it's used when you have links going between two of your sites, so you typically only need it on the switch or router that terminates that link.
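A minimal static-key point-to-point MACsec link on Linux using the ip-macsec tool linked above, added here as an example (it is not the commenter's own configuration); interface names, MAC addresses and keys are constructed placeholders, and the script only prints the commands unless run as root with `--apply`.

```shell
#!/bin/sh
# Added example, not from the thread: one side of a static-key MACsec link
# built with ip-macsec. All names, MACs and keys below are constructed
# placeholders. Production links normally use MKA (e.g. wpa_supplicant)
# for key agreement instead of static keys.

# Emit the ip commands for one side of the link.
# $1 = physical uplink interface, $2 = peer's MAC address
# $3 = our TX key (hex), $4 = peer's TX key (hex), installed as our RX key
macsec_cmds() {
    uplink=$1; peer_mac=$2; tx_key=$3; rx_key=$4
    cat <<EOF
ip link add link $uplink macsec0 type macsec encrypt on
ip macsec add macsec0 tx sa 0 pn 1 on key 01 $tx_key
ip macsec add macsec0 rx port 1 address $peer_mac
ip macsec add macsec0 rx port 1 address $peer_mac sa 0 pn 1 on key 00 $rx_key
ip link set macsec0 up
EOF
}

# 32 hex chars = 128-bit key for the default GCM-AES-128 cipher suite.
valid_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# Constructed placeholder values for site A; the peer runs the same script
# with the keys swapped and site A's MAC as $2.
SITE_A_UPLINK=eth0
SITE_B_MAC=02:00:00:00:00:02
KEY_A=00112233445566778899aabbccddeeff   # placeholder; generate with: openssl rand -hex 16
KEY_B=ffeeddccbbaa99887766554433221100   # placeholder

if [ "$1" = "--apply" ]; then
    valid_key "$KEY_A" && valid_key "$KEY_B" || { echo "bad key length" >&2; exit 1; }
    macsec_cmds "$SITE_A_UPLINK" "$SITE_B_MAC" "$KEY_A" "$KEY_B" | sh -e
else
    macsec_cmds "$SITE_A_UPLINK" "$SITE_B_MAC" "$KEY_A" "$KEY_B"
fi
```

Both ends must agree on the cipher suite and each end's RX key must match the other end's TX key, otherwise frames are silently dropped at the receiver.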

esbeeb 15 hours ago | parent | prev [-]

This is a flex!