[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: IPSec performance statistics
Don't forget that IP tunneling + ESP adds around 52 bytes overhead. This is
almost 50% overhead on small packet. So wire speed is a dream.
At 10:18 31/07/01 -0700, Michael Choung Shieh wrote:
>
>The performance lost of ipsec processing depends on the architecture of the
>design and the size of packets. Some vendors can achieve wire-speed while
>the others only improve a little even with hardware acceleration. It's also
>easier to boost the performance for large size packets(1500bytes) than small
>size (64bytes).
>
>Hardware accelaration does reduce the difference of processing time between
>encryption algorithms. The differences between DES and 3DES processing may
>be less than 10%.
>
>I would say the performance really depends on the gateway you used. There
>are many reports and comparisons out there.
>
>--------------------------------------------
>Michael Shieh
>NetScreen Technologies, Inc
>350 Oakmead Parkway
>Sunnyvale, CA 94085
>TEL: (408)730-6060
>FAX: (408)730-6050
>Email: mshieh@netscreen.com
>--------------------------------------------
>
>-----Original Message-----
>From: Kopeikin, Roy A (Roy) [mailto:rkopeikin@lucent.com]
>Sent: Tuesday, July 31, 2001 9:26 AM
>To: Marc Solsona-Palomar
>Cc: Parijat Mishra; awank@future.futsoft.com; ipsec@lists.tislabs.com
>Subject: RE: IPSec performance statistics
>
>
>Marc,
>Do you think these cycles lost can bd quantified into performanc statistics?
>roy
>
>-----Original Message-----
>From: Marc Solsona-Palomar [mailto:marc@iprg.nokia.com]
>Sent: Tuesday, July 31, 2001 4:22 AM
>To: Kopeikin, Roy A (Roy)
>Cc: Parijat Mishra; awank@future.futsoft.com; ipsec@lists.tislabs.com
>Subject: Re: IPSec performance statistics
>
>
>IPsec processing implies an overhead. Even the fact to send the packet
>somewhere else (like to an accelerator card) means cycles lost. What an
>accelerator will provide is more unified results across different algorithms
>as the chips have been optimized for this type of processing.
>
>marc
>
>"Kopeikin, Roy A (Roy)" wrote:
>
>> Correct me if I'm wrong but I think this is a non-issue for corporate VPNs
>> since accelerator boards are typically integrated to handle the encryption
>> and decryption functions. It is unacceptable for VPNs to degrade
>> router/internework performance.
>> Roy
>>
>> -----Original Message-----
>> From: Parijat Mishra [mailto:mishrap@cwc.nus.edu.sg]
>> Sent: Monday, July 30, 2001 9:26 PM
>> To: awank@future.futsoft.com; ipsec@lists.tislabs.com
>> Subject: Re: IPSec performance statistics
>>
>> There will be lots of statistics, but they'll depend on the machines
>> used, and the packet size. However, my observation is that with
>> ESP-3DES, the time taken to process packets is almost doubled.
>>
>> It should be easy to run performance tests for your own setup.
>>
>> Parijat
>> ----- Original Message -----
>> From: "Awan Kumar" <awank@future.futsoft.com>
>> To: <ipsec@lists.tislabs.com>
>> Sent: Monday, July 30, 2001 12:26 PM
>> Subject: IPSec performance statistics
>>
>> | Hi,
>> | Can anybody provide some statistics on the percentage of change in
>> | performance (throughtput) due to the inclusion of IPsec in the IP
>> stack. Are
>> | there any statistics available which shows the reduction in
>> performance due
>> | to the use of DES or 3DES for ESP.
>> |
>> | Thanks in advance.
>> |
>> | Regards,
>> | Awan
>> |
>> | ----------------------------
>> | Awan Kumar Sharma
>> | Sr. Software Engg.,
>> | Future Software Ltd.,
>> | Chennai, India.
>> | Ph: 4330 550 Extn: 437
>> | (www.futsoft.com)
>> | ------------------------------
>> |
>> |
>
Jean-Rene Peulve
Les Tilleuls
Chemin de Vermillère
84.160 Cadenet
France
Tel: (33)4.90.68.36.86
Fax: (33)4.90.68.36.87
Email: jr.peulve@wanadoo.fr