
RE: IPSec still too slow?



Alex has misinterpreted what I wrote.  The performance drop I 
saw was exclusively with the Microsoft implementation.  I only
brought that statistic out because they have such incredibly good
performance (with $90 Intel NICs) with small numbers of SAs.  

I did not test all the products in that review with hundreds of
SAs, but I have tested Cisco, Nokia, and Netscreen and seen
negligible performance degradation as the size of the SPD/SAD
tables gets large.  In this case, I think that we're seeing an
implementation issue with the card---it's just not designed to handle
hundreds of SAs (on the other hand, it costs less than $100, so 
it's really an incredible solution for some branch office environments).

In general, IPSEC performance in labs looks great because we don't
cause fragmentation.  When fragmentation rears its ugly head, performance
can go to hell (or even cause connectivity failure) very quickly. Or not,
depending on the design of your application.  Encryption performance is
generally not the problem.  

I do get pissed off at people who throw around latency claims, though.
One major firewall vendor (who should remain nameless) claims that one
of the big advantages of co-locating the IPSEC and firewall function
inside of the same box is that two boxes add too much latency.  In the
lab, even with the slowest and stupidest of VPN products, I rarely see
more than 1ms latency---completely indistinguishable across the general
purpose Internet.

http://www.nwfusion.com/reviews/2001/1001rev.html

jms


Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)  
jms@Opus1.COM    http://www.opus1.com/jms    Opus One
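The fragmentation point in the message above, worked through as an added illustration (this is not part of the original post): ESP tunnel-mode encapsulation on a full-size 1500-byte inner packet pushes the outer packet past a 1500-byte link MTU, so every such packet is split in two. The cipher and integrity sizes (AES-CBC with a 16-byte IV and HMAC-SHA1-96) and the MTU are assumed parameters, not figures from the message.

```python
"""ESP tunnel-mode overhead and the IPv4 fragmentation it can trigger.

Constructed illustration. Field sizes follow the RFC 4303 ESP layout:
outer IPv4 | SPI+seq (8) | IV | inner packet | pad | pad_len+next_hdr (2) | ICV
Cipher/integrity parameters are assumptions chosen for the example.
"""
from dataclasses import dataclass

IPV4_HEADER = 20


@dataclass(frozen=True)
class EspParams:
    iv_len: int      # explicit IV bytes (8 for 3DES-CBC, 16 for AES-CBC)
    block_size: int  # cipher block size the payload is padded to
    icv_len: int     # integrity check value (12 for HMAC-SHA1-96)


# Assumed SA parameters for the example: AES-CBC + HMAC-SHA1-96.
AES_SHA1 = EspParams(iv_len=16, block_size=16, icv_len=12)


def esp_tunnel_size(inner_len: int, p: EspParams) -> int:
    """Wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    to_pad = inner_len + 2                 # inner packet + pad_len/next_hdr trailer
    pad = (-to_pad) % p.block_size         # pad the encrypted region to a block
    return IPV4_HEADER + 8 + p.iv_len + to_pad + pad + p.icv_len


def fragment_count(packet_len: int, mtu: int) -> int:
    """IPv4 fragments needed for packet_len bytes on a link with this MTU.

    Each fragment repeats the 20-byte header; fragment payloads are 8-byte multiples.
    """
    if packet_len <= mtu:
        return 1
    per_frag = (mtu - IPV4_HEADER) // 8 * 8
    return -(-(packet_len - IPV4_HEADER) // per_frag)


def max_inner_without_fragmentation(mtu: int, p: EspParams) -> int:
    """Largest inner packet that still fits one outer packet (a tunnel-MTU clamp)."""
    size = mtu
    while size > 0 and esp_tunnel_size(size, p) > mtu:
        size -= 1
    return size


if __name__ == "__main__":
    outer = esp_tunnel_size(1500, AES_SHA1)
    print(f"1500-byte inner packet -> {outer} bytes on the wire, "
          f"{fragment_count(outer, 1500)} fragments at MTU 1500")
    print(f"largest unfragmented inner packet: "
          f"{max_inner_without_fragmentation(1500, AES_SHA1)} bytes")
```

Clamping the tunnel MTU (or the TCP MSS) to the value the last function returns is the usual way to keep the lab numbers intact on a real path.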

