[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IPSec performance statistics

To: "David Carman" <dcarman@hw.midatlanticexpress.com>, <ipsec@lists.tislabs.com>
Subject: RE: IPSec performance statistics
From: Alex Alten <Alten@home.com>
Date: Thu, 02 Aug 2001 12:06:38 -0700
Cc: <David_Carman@nai.com>
In-Reply-To: <000001c11afb$c1a6eba0$6501a8c0@na.nai.com>
References: <000001c118af$d0d44440$0702060a@future.futsoft.com>
Sender: owner-ipsec@lists.tislabs.com

Based on your figure 3 and using the 3DES costs from Antoon
Bosselaers URL at http://www.esat.kuleuven.ac.be/~bosselae/fast.html,
I get the following per byte cycle costs on a Pentium.

     IP-Only about 5 cycles/byte
     IPSec w/o crypto about +6 cycles/byte
     HMAC-SHA-1-96 about +13 cycles/byte
     3DES about +14 to +15 cycles/byte (from Bosselaers url)
     --------------------------------------
     Total IPSEC w/SHA1 & 3DES is about 38 to 39 cycles/byte.

So I should see almost an order of magnitude (about 1/8) slow down
when IPSec is used between two hosts versus when just ordinary IP
is running.  Does this correlate with what people are seeing in
actual IPSec deployments?  Or is everyone only using hardware to
get around this problem (but introducing other problems like extra
cost and deployment issues). 

Does anyone have metrics for SA setup costs, with and without IKE?
I've seen claims of about 1 setup (w/out IKE?) per second in hardware.
Any metrics for Pentium class PC's?

- Alex


At 10:35 PM 8/1/2001 -0400, David Carman wrote:
>Awan,
>
>A data point that has a finite chance at usefulness for a Pentium II 400
>MHz, FreeS/WAN (Linux), ESP, authentication only, is located at:
>
>http://www.pgp.com/research/nailabs/cryptographic/adaptive-cryptographic.asp
>
>Check out Figure 3 in our final report at:
>
>http://download.nai.com/products/media/pgp/pdf/acsa_final_report.pdf
>
>Regards - Dave Carman
>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>David W. Carman, Principal Cryptographic Engineer
>NAI Labs, The Security Research Division of Network Associates, Inc.
>email: David_Carman@nai.com
>
>> -----Original Message-----
>> From: owner-ipsec@lists.tislabs.com
>> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Awan Kumar
>> Sent: Monday, July 30, 2001 12:27 AM
>> To: ipsec@lists.tislabs.com
>> Subject: IPSec performance statistics
>>
>>
>> Hi,
>>   Can anybody provide some statistics on the percentage of change in
>> performance (throughtput) due to the inclusion of IPsec in
>> the IP stack. Are
>> there any statistics available which shows the reduction in
>> performance due
>> to the use of DES or 3DES for ESP.
>>
>> Thanks in advance.
>>
>> Regards,
>> Awan
>>
>> ----------------------------
>> Awan Kumar Sharma
>> Sr. Software Engg.,
>> Future Software Ltd.,
>> Chennai, India.
>> Ph: 4330 550 Extn: 437
>>   (www.futsoft.com)
>> ------------------------------
>>
>
>
--

Alex Alten

Alten@Home.Com

Follow-Ups:

Re: IPSec performance statistics

From: Bill Sommerfeld <sommerfeld@East.Sun.COM>

References:

RE: IPSec performance statistics

From: "David Carman" <dcarman@hw.midatlanticexpress.com>

Prev by Date: Re: SPD Selector (Newbie) Question
Next by Date: Re: IPSec performance statistics
Prev by thread: RE: IPSec performance statistics
Next by thread: Re: IPSec performance statistics
Index(es):
- Main
- Thread