Performance considerations for encrypted PE connections
The TLS value that you specify for the transportSecurityType property can impact PE connection performance. Teracloud® Streams supports TLS v1.2 and later protocols.
Note: TLS 1.3 or later is recommended for Teracloud® Streams.
For encrypted PE connections, Teracloud® Streams uses OpenSSL, RSA 2K encryption, and the Advanced Encryption Standard (AES) cipher. These operations can consume a large amount of CPU time that might not be consumed if you use TCP connections.
Performance can vary significantly depending on your hardware. You can use the following openssl speed commands to obtain performance information for your specific hardware.
- For performance information during RSA 2K handshakes, run the following command:
    openssl speed rsa2048
  Example:
    Doing 2048 bit private rsa's for 10s: 4830 2048 bit private RSA's in 10.00s
    Doing 2048 bit public rsa's for 10s: 151997 2048 bit public RSA's in 10.00s
    OpenSSL 1.1.1k FIPS 25 Mar 2021
    . . .
                      sign    verify    sign/s verify/s
    rsa 2048 bits 0.002070s 0.000066s    483.0  15199.7
- For performance information during AES encryption, run the following command:
    openssl speed aes
  Example:
    Doing aes-128 cbc for 3s on 16 size blocks: 16021714 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 64 size blocks: 4300801 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 256 size blocks: 1097539 aes-128 cbc's in 2.99s
    Doing aes-128 cbc for 3s on 1024 size blocks: 275925 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 34471 aes-128 cbc's in 3.00s
    Doing aes-192 cbc for 3s on 16 size blocks: 13556034 aes-192 cbc's in 3.00s
    Doing aes-192 cbc for 3s on 64 size blocks: 3598405 aes-192 cbc's in 3.00s
    Doing aes-192 cbc for 3s on 256 size blocks: 913409 aes-192 cbc's in 3.00s
    Doing aes-192 cbc for 3s on 1024 size blocks: 229628 aes-192 cbc's in 3.00s
    Doing aes-192 cbc for 3s on 8192 size blocks: 28710 aes-192 cbc's in 3.00s
    Doing aes-256 cbc for 3s on 16 size blocks: 11703042 aes-256 cbc's in 3.00s
    Doing aes-256 cbc for 3s on 64 size blocks: 3092630 aes-256 cbc's in 3.00s
    Doing aes-256 cbc for 3s on 256 size blocks: 783286 aes-256 cbc's in 3.00s
    Doing aes-256 cbc for 3s on 1024 size blocks: 196494 aes-256 cbc's in 2.99s
    Doing aes-256 cbc for 3s on 8192 size blocks: 24566 aes-256 cbc's in 3.00s
    OpenSSL 1.0.1e-fips 11 Feb 2013
    ...
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128 cbc      85449.14k    91750.42k    93969.89k    94182.40k    94128.81k
    aes-192 cbc      72298.85k    76765.97k    77944.23k    78379.69k    78397.44k
    aes-256 cbc      62416.22k    65976.11k    66840.41k    67294.27k    67081.56k
If your applications are experiencing reduced throughput with encrypted PE connections, the following suggestions might improve application performance:
- Use the Teracloud® Streams fusion option for applications to reduce the number of PE-to-PE connections. Fusing PEs can reduce the number of encryption operations needed and allow more data to flow through the PE.
- Change the application so that it sends fewer or larger tuples. With TLS, there are fixed costs associated with every tuple that is sent. Sending fewer or larger tuples can reduce the processing time for this overhead.
- Use a hardware accelerator such as an x86 processor with the Intel Advanced Encryption Standard New Instructions (AES-NI) feature. Teracloud® Streams can also use hardware accelerators with the OpenSSL update that adds another decryption engine.
Note: Not all versions of OpenSSL support AES-NI. If you install the version of the openssl RPM that is required by Teracloud® Streams and checked by the dependency checker script, Teracloud® Streams supports and uses AES-NI.
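The following added example (not Teracloud® Streams code) turns the openssl speed summary rows shown above into numbers you can compare across hosts, and checks whether a Linux host's CPU advertises the AES-NI feature discussed in the last suggestion. The function names are hypothetical, and the parsers assume the column layout of the sample output on this page.

```shell
#!/bin/sh
# Added example, not Teracloud Streams code. Function names are hypothetical.

# Summary rows copied from the sample output on this page.
SAMPLE_RSA='rsa 2048 bits 0.002070s 0.000066s    483.0  15199.7'
SAMPLE_AES='aes-128 cbc  85449.14k  91750.42k  93969.89k  94182.40k  94128.81k
aes-256 cbc  62416.22k  65976.11k  66840.41k  67294.27k  67081.56k'

# rsa_sign_rate: read `openssl speed rsa2048` output on stdin, print sign/s.
# Assumes the column layout of the sample above (sign/s is field 6). The
# server side does one private-key operation per full handshake, so this
# roughly bounds new encrypted connections per second per core.
rsa_sign_rate() {
    awk '$1 == "rsa" && $2 == "2048" && $3 == "bits" { print $6; exit }'
}

# aes_rate BITS COL: read `openssl speed aes` output on stdin and print the
# throughput (1000s of bytes/s) for aes-BITS cbc; COL 1..5 selects the
# 16, 64, 256, 1024 or 8192 byte column. Also accepts a single-token row
# name such as aes-128-cbc, in any letter case.
aes_rate() {
    awk -v name="aes-$1" -v col="$2" '
        $1 == name && $2 == "cbc"    { v = $(col + 2) }
        tolower($1) == (name "-cbc") { v = $(col + 1) }
        v != "" { sub(/k$/, "", v); print v; exit }'
}

# cpu_has_aesni [FILE]: succeed if the first "flags" line of a Linux
# cpuinfo file (default /proc/cpuinfo) lists the aes flag.
cpu_has_aesni() {
    awk '/^flags/ { for (i = 3; i <= NF; i++) if ($i == "aes") found = 1; exit }
         END { exit !found }' "${1:-/proc/cpuinfo}"
}

# Demo on the page's sample rows; pipe real `openssl speed` output instead.
echo "RSA-2048 sign/s:          $(printf '%s\n' "$SAMPLE_RSA" | rsa_sign_rate)"
echo "aes-128 cbc, 8192B (k/s): $(printf '%s\n' "$SAMPLE_AES" | aes_rate 128 5)"
if [ -r /proc/cpuinfo ] && cpu_has_aesni; then
    echo "CPU advertises AES-NI"
else
    echo "AES-NI flag not found"
fi
```

On a host with AES-NI, also compare against `openssl speed -evp aes-128-cbc`, which measures the EVP interface where OpenSSL applies the hardware instructions.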