
RE: IPSec still too slow?



Those numbers would be vendor-implementation specific, not related to
IPSec in general.

-----Original Message-----
From: Alex Alten [mailto:Alten@home.com]
Sent: Friday, October 05, 2001 9:50 AM
To: ipsec@lists.tislabs.com
Subject: IPSec still too slow?



Does anyone have any real-world numbers for IPSec performance?

I just saw an article up on Network World Fusion that states 
the performance drops off dramatically with large numbers of
SA's (500 in this case), basically down to simple Ethernet II
speeds (<10Mbps).  Even with 6 SA's full duplex fast Ethernet
doesn't seem possible yet (at least not cheaply, under $200/NIC).

Here's the URL for the latest Network Fusion IPSec VPN review.
http://www.nwfusion.com/reviews/2001/1001rev.html

I excerpted the performance part of the review below.

- Alex

> We ran three sets of performance numbers, evaluating behavior
> in best-case and worst-case packet flows, as well as with a 
> typical Internet mix (see graphic, page 47). For the Internet
> mix, we used data collected from an Internet backbone to build
> a profile of approximately 50% small packets (96 octets or less),
> 10% large packets (1,518 octets, the Ethernet maximum transmission
> unit), 20% 576 octets (a common WAN MTU) and 20% assorted between
> 192 and 1,024 octets. 
> 
> We discovered that for line speeds of up to 10M bit/sec (full duplex,
> about a quarter of a DS-3/T-3 circuit), any of the products can keep
> up - but Avaya, Nortel, RapidStream and Microsoft give you excellent
> price/performance ratios. 
> 
> If you want to push to a full DS-3 circuit (45M bit/sec, full duplex),
> again using "real world" packet sizes, only Lucent's Access Point with
> dual cryptographic accelerators and the one-two punch of Win 2000 
> combined with Intel's Pro/100S cryptographic network interface cards
> (NIC) beat the 90M bit/sec needed to handle that circuit. By adding less
> than $200 worth of hardware to our system, we drove total IPSec performance
> of Win 2000 up to more than 160M bit/sec in the best case (large packets).
> Given the low cost of Pentium-based PCs, Win 2000 Server software and the
> Intel NICs, this particular packaging achieved price/performance ratios
> between 10 and 20 times better than the other vendors'. However, we note
> that our performance tests were done with only six IPSec security associations.
> As a central site system with 500 security associations, we saw total
> performance of our Win 2000 system drop dramatically to less than 8M bit/sec
> for the Internet mix.


--

Alex Alten

Alten@Home.Com



