by bbjnicklin 3762 days ago
Michaelg,

Regarding the network, the paths are different in a meaningful way; you might want to trace the paths for yourself to see how: https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilte.... Specifically, with IPsec, you make another pass through the network layer after hitting XFRM in the protocol layer. This is not the case for a normal flow. This “loop” is significant because of the frequency with which it happens. Also, as the post states, random memory accesses are the killer. This additional loop and the logic within exacerbate the problem.

Also, if you’ve been using IPsec in production for multiple years, it’s possible that you are using non-AESNI-optimized ciphers, so the speedup could in fact be MUCH greater. If you can share a bit about your specific deployment, we would be happy to provide guidance.
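To check the second point (whether the AES ciphers your IPsec SAs use are backed by AES-NI), here is an added example that is not part of the thread: it parses the /proc/crypto record format from a constructed excerpt and picks the highest-priority registered driver for an algorithm name, which is the implementation the kernel crypto API hands to XFRM. The "aesni_intel module or aesni in the driver name" rule for deciding AES-NI backing is an assumption of this example; on a real host, read /proc/crypto and look up the algorithm names that `ip xfrm state` reports for your SAs.

```python
# Added example: which /proc/crypto registration wins for an algorithm name,
# and whether that winner is the AES-NI implementation (assumed rule below).

# Constructed excerpt in /proc/crypto format, not captured from a real host.
SAMPLE_PROC_CRYPTO = """\
name         : gcm(aes)
driver       : generic-gcm-aesni
module       : aesni_intel
priority     : 400

name         : gcm(aes)
driver       : gcm_base(ctr(aes-generic),ghash-generic)
module       : kernel
priority     : 100

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
"""


def parse_proc_crypto(text):
    """Yield one dict per record; records are 'key : value' lines separated by a blank line."""
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
        yield record


def winning_driver(text, algorithm):
    """Return (driver, module) of the highest-priority registration for `algorithm`, or None."""
    best = None
    for rec in parse_proc_crypto(text):
        if rec.get("name") != algorithm:
            continue
        prio = int(rec.get("priority", "0"))
        if best is None or prio > best[0]:
            best = (prio, rec.get("driver", ""), rec.get("module", ""))
    return None if best is None else best[1:]


def uses_aesni(text, algorithm):
    """True when the selected driver is AES-NI backed (assumed rule: aesni_intel module or 'aesni' in driver)."""
    hit = winning_driver(text, algorithm)
    return hit is not None and (hit[1] == "aesni_intel" or "aesni" in hit[0])


if __name__ == "__main__":
    for alg in ("gcm(aes)", "cbc(aes)"):
        print(alg, winning_driver(SAMPLE_PROC_CRYPTO, alg), uses_aesni(SAMPLE_PROC_CRYPTO, alg))
```

In the constructed sample, gcm(aes) resolves to the aesni_intel driver while cbc(aes) falls back to the portable C implementation, which is the situation the comment warns about.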