
RE: IPSEC stress tester?



At 10:56 26.2.1999 -0500, you wrote:
>The tests outlined below I would consider IPSEC compliance tests. I believe
>that the Anvil product from Midnight Networks now supports these types of
>tests. However, the original question appeared to address performance
>metrics for various IPSEC solutions. I agree with Paul that these tests fall
>into two main categories, throughput and SAs. Throughput testing is pretty
>straightforward. All you need is something to generate traffic (i.e.
>SmartBits) at various packet sizes and rates through an SA. The results will
>tell you both packet forwarding and bulk encryption limitations.
>
>The max SA test is the tricky one. I am familiar with some larger vendors
>that have built rooms with over a hundred PCs each running scripts to
>establish 10 to 20 SAs. This is not practical for most organizations.
>Therefore, I am forced to take the word of the vendor that a particular box
>can handle X number of simultaneous SAs. This is becoming an increasingly
>critical issue as service providers look for solutions to support 10s of
>thousands of simultaneous encrypted connections. There must be someone out
>there who has come up with a reasonably elegant solution to this problem.
>

You simply use a host-to-gateway setup, two computers. You generate
a policy that says that behind the gateway there are a lot of networks, say
10.0.0.1/32, 10.0.0.2/32......

Now ping all networks from the client. One pair of IPsec SAs is generated for
each ping.

This generates only one ISAKMP SA, though.

Jörn
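
Added example, not part of the original message: a Python sketch of the two-machine setup described above, for a lab gateway you operate. It lists the /32 selectors to enter in the gateway policy (in whatever syntax that product uses) and pings each one once from the client. The function names, the skipping of addresses ending in .0 and .255, and the use of `ping -c 1` are assumptions of this example.

```python
#!/usr/bin/env python3
"""Build N /32 selectors and ping each once to force one IPsec SA pair per target."""
import ipaddress
import subprocess
import sys


def selectors(first="10.0.0.1", count=1000):
    """Return `count` consecutive host addresses as /32 selectors.

    Assumption: addresses ending in .0 or .255 are skipped, because some
    stacks refuse to ping them; the sequence then rolls into the next octet.
    """
    addr = ipaddress.IPv4Address(first)
    out = []
    while len(out) < count:
        if addr.packed[3] not in (0, 255):
            out.append(f"{addr}/32")
        addr += 1
    return out


def expected_sas(count):
    """SA totals the gateway should show if every ping triggered a negotiation."""
    return {"isakmp_sas": 1, "ipsec_sa_pairs": count, "ipsec_sas": 2 * count}


def sweep(targets, timeout=5):
    """Ping each selector's host once; return the selectors that got no reply."""
    failed = []
    for sel in targets:
        host = sel.split("/")[0]
        try:
            rc = subprocess.run(["ping", "-c", "1", host], timeout=timeout,
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL).returncode
        except subprocess.TimeoutExpired:
            rc = 1  # negotiation or reply took too long; count as failed
        if rc != 0:
            failed.append(sel)
    return failed


if __name__ == "__main__":
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 1000
    sels = selectors(count=n)
    print("\n".join(sels))            # selectors to enter in the gateway policy
    failed = sweep(sels)
    print(f"expected on gateway: {expected_sas(n)}", file=sys.stderr)
    print(f"no reply from {len(failed)} of {n} targets", file=sys.stderr)
```

Compare the expected totals with the gateway's own SA table; the first selector that gets no reply marks roughly where the box stopped accepting new SAs.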


