[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: Over head using IPSECV6

To: "Terry Burnell" <tburnell@winstar.com>
Subject: Re: FW: Over head using IPSECV6
From: "Steven M. Bellovin" <smb@research.att.com>
Date: Tue, 22 Feb 2000 21:08:51 -0500
Cc: ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com

In message <NDBBLIPDKMMHHNJKBFNDOEBCCDAA.tburnell@winstar.com>, "Terry Burnell"
 writes:

> 
> >>What is the average overhead in terms of bandwidth when using IPSECv6 with
> >>triple DES.
> >>

By "overhead in terms of bandwidth", do you mean "how many bytes extra does 
IPsec consume in a v6 packet?"

Triple vs. single DES is irrelevant here; the blocks, packet formats, etc., 
are the same.  I don't know of any calculations for IPv6; I calculated a while 
back that for v4, the overhead was about 12-15%.  (Disclaimer:  my 
calculations were quite some time ago, and I don't even remember if they were 
for 1825-style IPsec vs. the current 2401-style.)  Briefly, I took some of 
NLANR's packet size distribution data, and calculated a weighted average of 
the exact same set of packets if all were IPsec-protected.  That is clearly 
questionable, since most http won't be protected for the forseeable future.

To answer your question, I'd do the same thing, except that I'd take the 512 
and 576 byte packets, and scale the count by assuming that that amount of data 
was carried in 1500-byte packets.  v6 mandates Path MTU, and 1500 bytes is 
more or less standard these days.

		--Steve Bellovin

Prev by Date: Re: IPSec Complexity
Next by Date: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?
Prev by thread: FW: Over head using IPSECV6
Next by thread: Packet Interceptors
Index(es):
- Main
- Thread