
Re: IPSec still too slow?



You may be misinterpreting those numbers.  The slow-down ONLY occurred
with the Microsoft product.  I didn't test all the other products with
that many SAs, but I have done testing with Cisco, Nokia, and NetScreen
which shows very low slow-down as the number of SAs rises. 

None of this solves the fragmentation problem, of course, which will
dramatically affect 'real world' performance.  The numbers you see below
are all using 1440 octet packets.

jms


Alex Alten wrote:
> 
> Does anyone have any real-world numbers for IPSec performance?
> 
> I just saw an article up on Network World Fusion that states
> the performance drops off dramatically with large numbers of
> SA's (500 in this case), basically down to simple Ethernet II
> speeds (<10Mbps).  Even with 6 SA's full duplex fast Ethernet
> doesn't seem possible yet (at least not cheaply, under $200/NIC).
> 
> Here's the URL for the latest Network Fusion IPSec VPN review.
> http://www.nwfusion.com/reviews/2001/1001rev.html
> 
> I excerpted the performance part of the review below.
> 
> - Alex
> 
> > We ran three sets of performance numbers, evaluating behavior
> > in best-case and worst-case packet flows, as well as with a
> > typical Internet mix (see graphic, page 47). For the Internet
> > mix, we used data collected from an Internet backbone to build
> > a profile of approximately 50% small packets (96 octets or less),
> > 10% large packets (1,518 octets, the Ethernet maximum transmission
> > unit), 20% 576 octets (a common WAN MTU) and 20% assorted between
> > 192 and 1,024 octets.
> >
> > We discovered that for line speeds of up to 10M bit/sec (full duplex,
> > about a quarter of a DS-3/T-3 circuit), any of the products can keep
> > up - but Avaya, Nortel, RapidStream and Microsoft give you excellent
> > price/performance ratios.
> >
> > If you want to push to a full DS-3 circuit (45M bit/sec, full duplex),
> > again using "real world" packet sizes, only Lucent's Access Point with
> > dual cryptographic accelerators and the one-two punch of Win 2000
> > combined with Intel's Pro/100S cryptographic network interface cards
> > (NIC) beat the 90M bit/sec needed to handle that circuit. By adding less
> > than $200 worth of hardware to our system, we drove total IPSec performance
> > of Win 2000 up to more than 160M bit/sec in the best case (large packets).
> > Given the low cost of Pentium-based PCs, Win 2000 Server software and the
> > Intel NICs, this particular packaging achieved price/performance ratios
> > between 10 and 20 times better than the other vendors'. However, we note
> > that our performance tests were done with only six IPSec security
> > associations.
> > As a central site system with 500 security associations, we saw total
> > performance of our Win 2000 system drop dramatically to less than 8M bit/sec
> > for the Internet mix.
> 
> --
> 
> Alex Alten
> 
> Alten@Home.Com
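The fragmentation point above is easy to make concrete. The following is an added worked example, not code from either poster or from the review: it models ESP tunnel-mode encapsulation for one common suite of the period (3DES-CBC with HMAC-SHA1-96, RFC 2406 layout, an assumption since the thread does not name the cipher suite) and computes how many outer packets each inner datagram turns into on a 1500-octet link. It generalizes beyond the single 1440-octet size mentioned: the Internet mix below is constructed from the review's percentages, with 1518-octet frames taken as 1500-octet IP datagrams and 608 standing in for the "assorted 192 to 1,024" bucket (both assumptions).

```python
import math

# Assumed ESP tunnel-mode layout (RFC 2406) for 3DES-CBC + HMAC-SHA1-96.
# The thread does not say which suite was tested; these are typical values.
OUTER_IP = 20   # new outer IPv4 header added by tunnel mode
ESP_HDR = 8     # SPI (4) + sequence number (4)
IV = 8          # 3DES-CBC initialization vector
TRAILER = 2     # pad length (1) + next header (1)
ICV = 12        # HMAC-SHA1-96 integrity check value
BLOCK = 8       # 3DES block size: inner packet + padding + trailer is a multiple of 8


def esp_tunnel_size(inner_len, mtu_unused=None):
    """Outer datagram size (octets) for an inner IP datagram of inner_len octets."""
    encrypted = math.ceil((inner_len + TRAILER) / BLOCK) * BLOCK
    return OUTER_IP + ESP_HDR + IV + encrypted + ICV


def fragments(inner_len, mtu=1500):
    """Number of outer IP fragments when the encapsulated packet leaves on a link of size mtu."""
    outer = esp_tunnel_size(inner_len)
    if outer <= mtu:
        return 1
    # Each outer fragment carries a 20-octet IP header; fragment payloads are multiples of 8.
    per_fragment = (mtu - OUTER_IP) // 8 * 8
    return math.ceil((outer - OUTER_IP) / per_fragment)


def max_unfragmented(mtu=1500):
    """Largest inner datagram that still fits the link MTU after ESP encapsulation."""
    n = mtu
    while esp_tunnel_size(n) > mtu:
        n -= 1
    return n


# Constructed approximation of the review's Internet mix: (inner datagram size, share).
# 1518-octet Ethernet frames are treated as 1500-octet IP datagrams; 608 is an assumed
# representative for the "assorted between 192 and 1,024 octets" bucket.
INTERNET_MIX = [(96, 0.50), (1500, 0.10), (576, 0.20), (608, 0.20)]


def outer_packets_per_inner(mix=INTERNET_MIX, mtu=1500):
    """Average number of outer packets emitted per inner packet for the given mix."""
    return sum(share * fragments(size, mtu) for size, share in mix)


def wire_efficiency(mix=INTERNET_MIX, mtu=1500):
    """Inner octets carried per octet actually sent, including fragment headers."""
    inner = sum(size * share for size, share in mix)
    wire = 0.0
    for size, share in mix:
        n = fragments(size, mtu)
        # every fragment beyond the first repeats the outer IP header
        wire += share * (esp_tunnel_size(size) + (n - 1) * OUTER_IP)
    return inner / wire


if __name__ == "__main__":
    print("1440-octet inner packet ->", esp_tunnel_size(1440), "octets on the wire")
    print("largest inner packet that avoids fragmentation:", max_unfragmented())
    for size, _ in INTERNET_MIX:
        print(f"{size:5d} octets -> {esp_tunnel_size(size):5d} outer, {fragments(size)} fragment(s)")
    print("outer packets per inner packet (Internet mix):", round(outer_packets_per_inner(), 3))
    print("wire efficiency (Internet mix):", round(wire_efficiency(), 3))
```

With these assumptions a 1440-octet packet becomes 1496 octets, just under a 1500-octet MTU, which is why a benchmark at that size never fragments; 1446 is the largest inner size that still fits. A full-size 1500-octet datagram becomes 1552 octets and splits into two, so the Internet mix costs about 10% more outer packets per inner packet and only about 88% of transmitted octets are user data. A gateway that has to reassemble or forward those fragments pays per packet, not per octet, which is the slow-down the reply is warning about.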
