[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IPSec performance statistics

To: "Kopeikin, Roy A (Roy)" <rkopeikin@lucent.com>, Parijat Mishra <parijat@cwc.nus.edu.sg>, awank@future.futsoft.com, ipsec@lists.tislabs.com
Subject: RE: IPSec performance statistics
From: Mike Fratto <mfratto@nwc.syr.edu>
Date: Tue, 31 Jul 2001 13:01:13 -0400
In-Reply-To: <80B684C5E29FD211AA8000A0C9CDD91908FCE8DB@il0015exch005u.ih.lucent.com>
Sender: owner-ipsec@lists.tislabs.com

My once every three year post begins:

Depends on what kind of performance statistics you are looking for: raw 
througput, pps, or latency. And and what packet size.

In general, IPsec VPN using tunnel mode ESP, 3DES, HMAC-MD5:
1) will degrade performance over non-VPN traffic. How much is quantifiable. 
At larger packet sizes, software only crypto will get you about 6-10 Mb/s. 
Accelerated VPN (using an accelerator card in a general purpose computer) 
will boost you to about 30 Mb/s. Optimized hardware and software can get 
you over 100 Mb/s full duplex.
2) processing larger packet sizes tends to be more efficient and thus 
provide increased performance.
3) smaller packet sizes tends to decrease performance.

Using DES doesn't help much.

There have been several performance reviews published over the last several 
years. For more detailed information, read the test bed scenario and if you 
have specific questions about the testing, contact the author for details.

mike

At 10:31 AM 7/31/2001 -0500, Kopeikin, Roy A (Roy) wrote:
>Correct me if I'm wrong but I think this is a non-issue for corporate VPNs
>since accelerator boards are typically integrated to handle the encryption
>and decryption functions. It is unacceptable for VPNs to degrade
>router/internework performance.
>Roy
>
>-----Original Message-----
>From: Parijat Mishra [mailto:mishrap@cwc.nus.edu.sg]
>Sent: Monday, July 30, 2001 9:26 PM
>To: awank@future.futsoft.com; ipsec@lists.tislabs.com
>Subject: Re: IPSec performance statistics
>
>
>There will be lots of statistics, but they'll depend on the machines
>used, and the packet size. However, my observation is that with
>ESP-3DES, the time taken to process packets is almost doubled.
>
>It should be easy to run performance tests for your own setup.
>
>Parijat
>----- Original Message -----
>From: "Awan Kumar" <awank@future.futsoft.com>
>To: <ipsec@lists.tislabs.com>
>Sent: Monday, July 30, 2001 12:26 PM
>Subject: IPSec performance statistics
>
>
>| Hi,
>|   Can anybody provide some statistics on the percentage of change in
>| performance (throughtput) due to the inclusion of IPsec in the IP
>stack. Are
>| there any statistics available which shows the reduction in
>performance due
>| to the use of DES or 3DES for ESP.
>|
>| Thanks in advance.
>|
>| Regards,
>| Awan
>|
>| ----------------------------
>| Awan Kumar Sharma
>| Sr. Software Engg.,
>| Future Software Ltd.,
>| Chennai, India.
>| Ph: 4330 550 Extn: 437
>|   (www.futsoft.com)
>| ------------------------------
>|
>|

___________________

Mike Fratto
Senior Technology Editor
Network Computing
001 Machinery Hall
Syracuse University
Syracuse, NY  13244
___________________

References:

RE: IPSec performance statistics

From: "Kopeikin, Roy A (Roy)" <rkopeikin@lucent.com>

Prev by Date: RE: IPSec performance statistics
Next by Date: RE: IPSec performance statistics
Prev by thread: Re: IPSec performance statistics
Next by thread: RE: IPSec performance statistics
Index(es):
- Main
- Thread