
RE: Son-of-IKE Performance



Eric,

Please add


 XKASS(Encrypt)
              1 encrypt      1 encrypt      1 RTT
              1 decrypt      1 decrypt

 XKASS(Sign+PFS)
              1 signature    1 signature    1 RTT
              1 verify       1 verify
              1 DH agree     1 DH agree

And if you must:

 XKASS(ID-Conceal) [as described on the list]
              1 encrypt      1 encrypt      1 RTT
              1 decrypt      1 decrypt
              1 signature    1 signature    2 RTT
              1 verify       1 verify
              1 DH agree     1 DH agree


Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Eric Rescorla [mailto:ekr@rtfm.com]
> Sent: Wednesday, December 05, 2001 5:33 PM
> To: ipsec@lists.tislabs.com
> Subject: Son-of-IKE Performance
> 
> 
> As background to the discussion, I thought it might be worth
> looking at performance of the various IKE replacements.
> The following table summarizes the performance behavior of
> the major proposals as far as I can make out.
> I've also added TLS for comparison.
> 
> Protocol     Initiator     Responder     Latency
> ------------------------------------------------
> IKEv2        1 signature   1 signature   2 RTT
>              1 verify      1 verify
>              1 DH agree    1 DH agree
> 
> IKEv2        1 signature   1 signature   3 RTT
> (DoS mode)   1 verify      1 verify
>              1 DH agree    1 DH agree
> 
> SIGMA        1 signature   1 signature   1.5 RTT [1]
>              1 verify      1 verify
>              1 DH agree    1 DH agree
> 
> SIGMA        1 signature   1 signature   2.5 RTT [1]
> (DoS mode)   1 verify      1 verify
>              1 DH agree    1 DH agree
> 
> JFK(normal)  1 signature   1 signature   2 RTT
>              2 verifies    1 verify
>              1 DH agree    1 DH agree
> 
> JFK(PFS)[2]  1 signature   2 signatures  2 RTT
>              2 verifies    1 verify
>              1 DH agree    1 DH agree
> 
> TLS (RSA)[3] 1 signature   1 decryption  2 RTT
>              1 RSA encrypt 1 verify
> 
> TLS (PFS)[3] 1 signature   1 signature   2 RTT
>              1 verify      1 verify
>              1 DH agree    1 DH agree
> 
> Notes:
> [0] I'm ignoring the following computational costs since
> they're more or less constant across protocols and are
> usually cheap.
> 
>     Digests, symmetric encryption, and PRFs.
>     Certificate verification (not cheap if DSS)
>     All of the PFS modes require an additional g^x mod p.
> 
> [1] I'm dubious about the value of this. As Phill Hallam-Baker
> argues, you'd probably want to use a 4-message handshake anyway.
> 
> [2] In JFK, PFS mode is incompatible with DoS protection.
> 
> [3] Note that TLS has an anonymous client mode which is even 
> faster: 1 RSA encrypt on the client and 1 RSA decrypt
> on the server.
> 
> [4] Here are some approximate timings for the various operations
> (measured on a Celeron 300). All moduli are 1024-bit.
> 
> RSA private key op          30 ms
> RSA public key op            2 ms
> DH key agree (1024-bit X)  100 ms
>              (256-bit X)    25 ms
> DSA signature               17 ms
> DSA verify                  21 ms
> 
> 
> 
> -Ekr
> 
> --
> [Eric Rescorla                                   ekr@rtfm.com]
>                   http://www.rtfm.com/
> 

Phillip
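A back-of-envelope estimator that combines the operation counts from both tables in this thread (Eric's, plus the XKASS rows Phillip asks to have added) with the Celeron 300 timings from Eric's note [4]. This is an added example, not code from either poster or from any implementation of these protocols. Everything beyond the page's figures is an assumption the caller passes in: the RTT value, whether the abstract "signature"/"verify" rows are RSA or DSA, and the DH exponent size. It goes slightly beyond the tables by also producing a crude wall-clock figure and a responder-cost ranking, which is the side a DoS-conscious responder cares about.

```python
"""Cost estimate for the handshakes compared in the thread above.

Operation counts are transcribed from the two tables; per-operation timings
are the Celeron 300 figures from note [4] (1024-bit moduli). The RTT value,
the RSA-or-DSA choice for the abstract signature rows, and the DH exponent
size are caller-supplied assumptions, not figures from the thread.
"""

# Per-operation timings in milliseconds, from note [4].
TIMINGS_MS = {
    "rsa_private": 30,     # RSA signature or RSA decryption
    "rsa_public": 2,       # RSA verification or RSA encryption
    "dh_agree_1024": 100,  # DH key agreement, 1024-bit exponent
    "dh_agree_256": 25,    # DH key agreement, 256-bit exponent
    "dsa_sign": 17,
    "dsa_verify": 21,
}

# Protocol -> (initiator ops, responder ops, round trips), from the tables.
# "sign", "verify" and "dh" are priced by op_cost_ms(); "rsa_encrypt" and
# "rsa_decrypt" are the explicit RSA rows (TLS RSA, XKASS Encrypt).
PROTOCOLS = {
    "IKEv2":            ({"sign": 1, "verify": 1, "dh": 1},
                         {"sign": 1, "verify": 1, "dh": 1}, 2.0),
    "IKEv2 (DoS mode)": ({"sign": 1, "verify": 1, "dh": 1},
                         {"sign": 1, "verify": 1, "dh": 1}, 3.0),
    "SIGMA":            ({"sign": 1, "verify": 1, "dh": 1},
                         {"sign": 1, "verify": 1, "dh": 1}, 1.5),
    "JFK (normal)":     ({"sign": 1, "verify": 2, "dh": 1},
                         {"sign": 1, "verify": 1, "dh": 1}, 2.0),
    "JFK (PFS)":        ({"sign": 1, "verify": 2, "dh": 1},
                         {"sign": 2, "verify": 1, "dh": 1}, 2.0),
    "TLS (RSA)":        ({"sign": 1, "rsa_encrypt": 1},
                         {"rsa_decrypt": 1, "verify": 1}, 2.0),
    "TLS (PFS)":        ({"sign": 1, "verify": 1, "dh": 1},
                         {"sign": 1, "verify": 1, "dh": 1}, 2.0),
    "XKASS (Encrypt)":  ({"rsa_encrypt": 1, "rsa_decrypt": 1},
                         {"rsa_encrypt": 1, "rsa_decrypt": 1}, 1.0),
    "XKASS (Sign+PFS)": ({"sign": 1, "verify": 1, "dh": 1},
                         {"sign": 1, "verify": 1, "dh": 1}, 1.0),
}


def op_cost_ms(op, sig_alg="rsa", dh_exp_bits=1024):
    """Price one abstract operation using the note [4] timings."""
    if op == "sign":
        return TIMINGS_MS["rsa_private"] if sig_alg == "rsa" else TIMINGS_MS["dsa_sign"]
    if op == "verify":
        return TIMINGS_MS["rsa_public"] if sig_alg == "rsa" else TIMINGS_MS["dsa_verify"]
    if op == "rsa_encrypt":
        return TIMINGS_MS["rsa_public"]
    if op == "rsa_decrypt":
        return TIMINGS_MS["rsa_private"]
    if op == "dh":
        return TIMINGS_MS["dh_agree_1024"] if dh_exp_bits == 1024 else TIMINGS_MS["dh_agree_256"]
    raise ValueError("unknown operation: %s" % op)


def side_cost_ms(ops, **kw):
    """Total CPU time for one side, ignoring the costs note [0] sets aside."""
    return sum(count * op_cost_ms(op, **kw) for op, count in ops.items())


def estimate(protocol, rtt_ms=100.0, **kw):
    """CPU cost per side plus a crude wall-clock figure.

    The wall-clock number adds both sides' CPU time to the network round
    trips, i.e. it assumes the message flow serialises the two computations
    (an assumption, pessimistic wherever the two sides' work overlaps).
    """
    init_ops, resp_ops, rtts = PROTOCOLS[protocol]
    init = side_cost_ms(init_ops, **kw)
    resp = side_cost_ms(resp_ops, **kw)
    return {"initiator_ms": init, "responder_ms": resp,
            "rtts": rtts, "wall_ms": rtts * rtt_ms + init + resp}


def responder_ranking(**kw):
    """Protocols ordered by responder CPU cost (the side exposed to DoS)."""
    return sorted(PROTOCOLS, key=lambda p: estimate(p, **kw)["responder_ms"])


if __name__ == "__main__":
    for p in PROTOCOLS:
        e = estimate(p)
        print("%-18s init %4d ms  resp %4d ms  %.1f RTT  ~%4d ms wall"
              % (p, e["initiator_ms"], e["responder_ms"], e["rtts"], e["wall_ms"]))
    print("Cheapest responders:", responder_ranking()[:3])
    # With a 256-bit exponent the DH agreement no longer dominates:
    print(estimate("IKEv2", dh_exp_bits=256))
```

Running it with the defaults shows why the DH row matters more than the RTT count for most of the table: every DH-based handshake costs each side roughly 130 ms of CPU at a 1024-bit exponent, against about 30 ms for the RSA-only TLS and XKASS(Encrypt) rows, and switching to a 256-bit exponent (Eric's second DH figure) brings the DH handshakes down to under 60 ms per side.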