Re: Son-of-IKE Performance



  Actually to compare apples-to-apples you should note that
JFK only produces a single key, Kir, for a single IPsec SA 
(I'm assuming it's the initiator's outbound although it's
not specified). To end up with a pair of IPsec SAs, one in
each direction, you'd need:

  Protocol     Initiator     Responder     Latency
  ------------------------------------------------
  JFK(normal)  2 signatures  2 signatures  4 RTT
               4 verifies    2 verifies
               2 DH agree    2 DH agree

  JFK(PFS)[2]  2 signatures  4 signatures  4 RTT
               4 verifies    2 verifies
               2 DH agree    2 DH agree

  Dan.

On Wed, 05 Dec 2001 14:33:11 PST <ekr@rtfm.com> wrote
> As background to the discussion, I thought it might be worth
> looking at performance of the various IKE replacements.
> The following table summarizes the performance behavior of
> the major proposals as far as I can make out.
> I've also added TLS for comparison.
> 
> Protocol     Initiator      Responder      Latency
> --------------------------------------------------
> IKEv2        1 signature    1 signature    2 RTT
>              1 verify       1 verify
>              1 DH agree     1 DH agree
> 
> IKEv2        1 signature    1 signature    3 RTT
> (DoS mode)   1 verify       1 verify
>              1 DH agree     1 DH agree
> 
> SIGMA        1 signature    1 signature    1.5 RTT [1]
>              1 verify       1 verify
>              1 DH agree     1 DH agree
> 
> SIGMA        1 signature    1 signature    2.5 RTT [1]
> (DoS mode)   1 verify       1 verify
>              1 DH agree     1 DH agree
> 
> JFK(normal)  1 signature    1 signature    2 RTT
>              2 verifies     1 verify
>              1 DH agree     1 DH agree
> 
> JFK(PFS)[2]  1 signature    2 signatures   2 RTT
>              2 verifies     1 verify
>              1 DH agree     1 DH agree
> 
> TLS (RSA)[3] 1 signature    1 decryption   2 RTT
>              1 RSA encrypt  1 verify
> 
> TLS (PFS)[3] 1 signature    1 signature    2 RTT
>              1 verify       1 verify
>              1 DH agree     1 DH agree
> 
> Notes:
> [0] I'm ignoring the following computational costs since
> they're more or less constant across protocols and are
> usually cheap.
> 
>     Digests, symmetric encryption, and PRFs.
>     Certificate verification (not cheap if DSS)
>     All of the PFS modes require an additional g^x mod p.
> 
> [1] I'm dubious about the value of this. As Phill Hallam-Baker
> argues, you'd probably want to use a 4-message handshake anyway.
> 
> [2] In JFK, PFS mode is incompatible with DoS protection.
> 
> [3] Note that TLS has an anonymous client mode which is even 
> faster: 1 RSA encrypt on the client and 1 RSA decrypt
> on the server.
> 
> [4] Here are some approximate timings for the various operations
> (measured on a Celeron 300). All moduli are 1024-bit.
> 
> RSA private key op	     30 ms
> RSA public key op	      2 ms
> DH key agree (1024-bit X)   100 ms
>              (256-bit X)     25 ms
> DSA signature		     17 ms
> DSA verify		     21 ms
> 
> 
> 
> -Ekr
> 
> --
> [Eric Rescorla                                   ekr@rtfm.com]
>                   http://www.rtfm.com/
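The two tables and the timings in note [4] can be combined into a small cost model. The following Python is an added example, not code from either poster: the operation counts and per-operation timings are transcribed from Eric's mail, while the model itself (both sides' compute added serially to the round-trip latency, DSA figures used for every "signature"/"verify" entry, the 256-bit-exponent DH figure) and the function names are assumptions made here. `per_sa_pair` reproduces Dan's apples-to-apples adjustment by running a one-SA protocol twice.

```python
"""Handshake cost model for the Son-of-IKE comparison (added example, not from
the thread). Counts and timings are taken from Eric's tables; the serial
compute-plus-latency model and the choice of DSA/256-bit-DH figures are
assumptions made here."""

# Approximate per-operation costs (ms) from note [4]: Celeron 300, 1024-bit
# moduli. Assumption: sign/verify use the DSA numbers; DH uses the 256-bit
# exponent figure, the cheaper of the two quoted.
OP_COST_MS = {
    "signature": 17,
    "verify": 21,
    "dh": 25,
    "rsa_encrypt": 2,    # RSA public key op
    "rsa_decrypt": 30,   # RSA private key op
}

# (initiator ops, responder ops, latency in RTTs) for one run of each
# handshake, transcribed from Eric's table (one IPsec SA for the IKE variants).
PROTOCOLS = {
    "IKEv2":            ({"signature": 1, "verify": 1, "dh": 1}, {"signature": 1, "verify": 1, "dh": 1}, 2),
    "IKEv2 (DoS mode)": ({"signature": 1, "verify": 1, "dh": 1}, {"signature": 1, "verify": 1, "dh": 1}, 3),
    "SIGMA":            ({"signature": 1, "verify": 1, "dh": 1}, {"signature": 1, "verify": 1, "dh": 1}, 1.5),
    "SIGMA (DoS mode)": ({"signature": 1, "verify": 1, "dh": 1}, {"signature": 1, "verify": 1, "dh": 1}, 2.5),
    "JFK (normal)":     ({"signature": 1, "verify": 2, "dh": 1}, {"signature": 1, "verify": 1, "dh": 1}, 2),
    "JFK (PFS)":        ({"signature": 1, "verify": 2, "dh": 1}, {"signature": 2, "verify": 1, "dh": 1}, 2),
    "TLS (RSA)":        ({"signature": 1, "rsa_encrypt": 1}, {"rsa_decrypt": 1, "verify": 1}, 2),
    "TLS (PFS)":        ({"signature": 1, "verify": 1, "dh": 1}, {"signature": 1, "verify": 1, "dh": 1}, 2),
}


def side_cost_ms(ops):
    """CPU time for one side: sum of count * per-operation cost."""
    return sum(n * OP_COST_MS[op] for op, n in ops.items())


def handshake_ms(name, rtt_ms):
    """Wall-clock estimate: network latency plus both sides' compute, assuming
    the compute phases run serially (a simplification made here)."""
    init, resp, rtts = PROTOCOLS[name]
    return rtts * rtt_ms + side_cost_ms(init) + side_cost_ms(resp)


def responder_handshakes_per_sec(name):
    """Upper bound on handshakes/s one responder CPU could complete; the
    responder-side figure is what matters when sizing for unsolicited load."""
    return 1000.0 / side_cost_ms(PROTOCOLS[name][1])


def per_sa_pair(name, runs=2):
    """Dan's apples-to-apples adjustment: a protocol that yields one SA per run
    must run twice for an SA pair, doubling every count and the latency."""
    init, resp, rtts = PROTOCOLS[name]

    def scale(ops):
        return {op: n * runs for op, n in ops.items()}

    return scale(init), scale(resp), rtts * runs


if __name__ == "__main__":
    for name in PROTOCOLS:
        print(f"{name:18} {handshake_ms(name, 100):7.1f} ms at 100 ms RTT, "
              f"responder <= {responder_handshakes_per_sec(name):5.1f} handshakes/s")
    init, resp, rtts = per_sa_pair("JFK (normal)")
    print("JFK (normal), SA pair:", init, resp, f"{rtts} RTT")
```

Running the script prints one line per protocol; with the figures above, IKEv2 costs 63 ms of compute per side, JFK (normal) 84 ms on the initiator, and doubling JFK for an SA pair yields exactly the counts in Dan's table.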