[OpenAFS] Openafs vs Red Hat's Netkey

Steve Gaarder gaarder1@math.cornell.edu
Mon, 9 Dec 2013 11:24:55 -0500 (EST)


I run a network of machines running Scientific Linux 6 (a Red Hat 
Enterprise clone).  We have both AFS and NFS file servers.  In an effort 
to add some security to NFS, we are using IPsec.  I have discovered that 
IPsec, specifically Red Hat's NETKEY protocol stack, sends OpenAFS 
performance through the floor.  To try this on an SL/RHEL/CentOS box, 
install Openswan and set it up on an OpenAFS server and client according 
to these instructions:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html

Then try copying a large file from AFS to the client's local storage, e.g. with 
rsync --progress.  You will see performance steadily drop to miserable levels.

If you switch the client to the KLIPS stack (by using the kernel module that 
comes with the Openswan source), things run fine.  It does not seem to matter 
which stack is on the server.

Any ideas about what is going on?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaarder@math.cornell.edu