wireguard: also account for tunnel overhead #30329
Since cilium#29000, packets are always encapsulated before they are encrypted with WireGuard. Therefore, we also need to take the tunnel overhead for the route MTU into account.

This fixes a performance regression. Before this commit, the iperf3 bandwidth for WireGuard-encrypted pod-to-pod traffic was ~102 Mbits/sec. With this patch the bandwidth increases to 656 Mbits/sec. Without encryption the bandwidth is ~2 Gbits/sec.

Fixes: b67291f

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
4d8bf5c to e877d82
cc @brb -- this fixes your commit.
/test
Thanks! I've added the backport label since the underlying change has also been backported to v1.15. This probably also needs a custom backport to v1.14, where additional encapsulation is possible, but disabled by default.
Thanks! In v1.14 we need to accommodate the overhead only if --wireguard-encapsulate is set.
Since #29000, packets are always encapsulated before they are encrypted with WireGuard. Therefore, we also need to take the tunnel overhead for the route MTU into account.
This fixes a performance regression. Before this commit, the iperf3 bandwidth for WireGuard-encrypted pod-to-pod traffic was ~102 Mbits/sec. With this patch the bandwidth increases to 656 Mbits/sec. Without encryption the bandwidth is ~2 Gbits/sec.
This is related to #28413. But this does not fix all issues, see: #28413 (comment).
Fixes: b67291f