Following my previous question here: https://developer.apple.com/forums/thread/801397, I've decided to move my VPN implementation using NEPacketTunnelProvider to a dedicated networkExtension.
My extension receives packets using readPacketsWithCompletionHandler and forwards them immediately to a daemon through a shared memory ring buffer with Mach port signaling. The daemon then encapsulates the packets with our VPN protocol and sends them over a UDP socket.
I'm seeing significant throughput degradation, much higher than the tunnel overhead itself. On our side, the IPC path supports parallel handling, but I'm not sure whether the provider has any internal limitation that prevents packets from being processed in parallel. The tunnel protocol requires packet ordering, but preparation can be done in parallel if the provider allows it.
Is there any inherent constraint in NEPacketTunnelProvider that prevents concurrent packet handling, or any recommended approach to improve throughput in this model? For comparison, when I create a utun interface manually with ifconfig and route traffic through it, I observe performance that is about four times faster.
Packet tunnel providers run in user space and that has some unavoidable performance impact [1]. I don’t have solid numbers on that because it’s hard to isolate from the performance impact of the tunnel itself.
However, bouncing over to another daemon is obviously not going to improve things, no matter how efficient your IPC is. Is there an overriding reason you don’t do this work in your sysex? It is more-or-less a launchd daemon in its own right.
Even if you can’t make this change in your main product, it’d be worth trying to hack together a prototype, because it would allow you to rule out your IPC as a source of the performance loss.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] At least until we get a direct path from the user-space networking stack to your packet tunnel provider, which isn’t currently a thing.
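A sketch of the prototype Quinn suggests, as an added example that is code from neither post nor from Apple: encapsulation happens inside the provider itself, preparation fans out to a concurrent queue, and a serial send queue restores read order before the UDP send, so the daemon hop is out of the measurement entirely. The class name, the peer endpoint and the `encapsulate` stand-in are assumptions, and tunnel network settings are omitted.

```swift
import NetworkExtension
import Network

final class InProcessTunnelProvider: NEPacketTunnelProvider {
    private let prepQueue = DispatchQueue(label: "prep", attributes: .concurrent)
    private let sendQueue = DispatchQueue(label: "send") // serial: restores order
    private var connection: NWConnection?
    private var nextSeq: UInt64 = 0      // assigned in read order
    private var nextToSend: UInt64 = 0   // reorder cursor, touched on sendQueue only
    private var pending: [UInt64: Data] = [:]
    override func startTunnel(options: [String: NSObject]?, completionHandler: @escaping (Error?) -> Void) {
        // Placeholder peer (assumption); tunnel settings (NEPacketTunnelNetworkSettings) omitted.
        let conn = NWConnection(host: "vpn.example.invalid", port: 4500, using: .udp)
        conn.start(queue: sendQueue)
        connection = conn
        completionHandler(nil)
        readLoop()
    }
    /// One read is outstanding at a time, so seq assignment needs no lock; re-arm before heavy work.
    private func readLoop() {
        packetFlow.readPackets { [weak self] packets, _ in
            guard let self = self else { return }
            let base = self.nextSeq
            self.nextSeq += UInt64(packets.count)
            self.readLoop()
            for (i, packet) in packets.enumerated() {
                let seq = base + UInt64(i)
                self.prepQueue.async {                 // parallel preparation
                    let frame = self.encapsulate(packet, seq: seq)
                    self.sendQueue.async { self.flush(seq: seq, frame: frame) }
                }
            }
        }
    }
    /// Runs on sendQueue: emits frames strictly in read order, holding back gaps.
    private func flush(seq: UInt64, frame: Data) {
        pending[seq] = frame
        while let next = pending.removeValue(forKey: nextToSend) {
            connection?.send(content: next, completion: .contentProcessed { _ in })
            nextToSend += 1
        }
    }
    /// Stand-in for the VPN protocol (assumption): 8-byte big-endian seq + payload.
    private func encapsulate(_ packet: Data, seq: UInt64) -> Data {
        var header = seq.bigEndian
        var frame = Data(bytes: &header, count: MemoryLayout<UInt64>.size)
        frame.append(packet); return frame
    }
}
```

Comparing this against the daemon-based build under the same load isolates the IPC cost from the user-space provider cost Quinn describes.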