
Re: IPsec and TCP



Andrade Software & Networking
Andrad@Netcom.Com

John,

> 
> What's slow about 1 to 2 Mbytes/second?  That's faster than Ethernet,
> and faster by an order of magnitude than almost everyone's connection
> to the Internet (1.5Mbits/sec T1 is the highest common speed).  If 
> you were DES-encrypting main memory accesses, it would be slow; but 
> if you're DES-encrypting an Ethernet, it's plenty fast.

It is slow.  10 Mbit/s Ethernet tops out at around 1.2 Megabytes
per second using TCP/IP (assuming no collisions).  That 1-2 
Megabytes encryption speed means that you are using about 100% 
of a Pentium's 200 MHz CPU cycles.  Not much room for other 
processing.  On top of that, 100 Mbit/s Ethernet is starting to 
become common.  It will be at least 5 years, assuming Moore's law, 
before the top Intel chips will be fast enough to keep up with it
doing DES.

> 
> Optional hardware assists are quite common on Wintel platforms.  The
> shrinkwrap software simply probes for the hardware (or its driver).
> If it's there, it uses it; if not, it runs slower in software.  This
> gives individual customers the option to buy the hardware if they
> desire more speed.  Just like the original poster said.
> 
DES was designed a long time ago to optimize memory over speed.  This
made a lot of economic sense at the time.  Today it doesn't and we are
now struggling with it trying to retrofit it into modern high-speed
networks.  Saying you can throw hardware at it to speed it up doesn't
make very much economic sense for most of the hosts on the Internet.  
Could you imagine how popular TCP/IP would be today if 15 years ago 
the original designers said that you had to use hardware to get it
to operate fast enough?

- Alex

-- 

Alex Alten
PO Box 11406
Pleasanton, CA  94588
USA

Andrade@Netcom.Com
(510) 417-0159   Fax/Voice


