
More Son-of-IKE Performance



I've made another pass through the various son-of-IKE contenders
and generated a more complete performance table. This version
includes latency estimates from the perspective of the initiator
and responder. In general, these protocols all have the property
that the responder has a completed SA before the initiator.

Protocol      Initiator     Responder     Init. Latency     Resp. Latency
------------------------------------------------------------------------------
IKEv2         1 signature   1 signature   2 RTT             1 RTT
              1 verify      1 verify      1 DH agree        1 DH agree
              1 DH agree    1 DH agree    2 signs           1 sign
                                          2 verify          1 verify

IKEv2         1 signature   1 signature   3 RTT             2 RTT
(DoS mode)    1 verify      1 verify      1 DH agree        1 DH agree
              1 DH agree    1 DH agree    2 signs           1 sign
                                          2 verify          1 verify

SIGMA [1]     1 signature   1 signature   2 RTT             1 RTT
              1 verify      1 verify      2 sign            2 verify
              1 DH agree    1 DH agree    2 DH key agree    2 DH key agree

SIGMA [1]     1 signature   1 signature   3 RTT             2 RTT
(DoS mode)    1 verify      1 verify      2 sign            2 verify
              1 DH agree    1 DH agree    2 DH key agree    2 DH key agree

JFK(normal)   1 signature   1 signature   2 RTT             1 RTT
              2 verifies    1 verify      2 DH agree        2 DH agree
              1 DH agree    1 DH agree    2 sign            1 verify
                                          2 verify

JFK(PFS) [2]  1 signature   2 signature   2 RTT             1 RTT
              2 verifies    1 verify      2 DH agree        2 DH agree
              1 DH agree    1 DH agree    3 sign            1 sign
                                          2 verify          1 verify

XKASS         1 RSA enc.    1 RSA enc.    1 RTT             0 RTT
(encryption)  1 RSA dec.    1 RSA dec.    2 RSA enc.        1 RSA enc.
                                          2 RSA dec.        1 RSA dec.

XKASS         1 signature   1 signature   1 RTT             0 RTT
              1 verify      1 verify      2 sign            1 DH agree
                                          2 verify          1 verify
                                          1 DH agree

Notes:
[0] I'm ignoring the following computational costs since
they're more or less constant across protocols and are
usually cheap.

    Digests, symmetric encryption, and PRFs.
    Certificate verification (not cheap if DSS)
    All of the PFS modes require an additional g^x mod p.

[1] I'm assuming a SIGMA variant with an essentially empty
ACK as the fourth message.

[2] In JFK, PFS mode is incompatible with DoS protection.

[3] Here are some approximate timings for the various operations
(measured on a Celeron 300). All moduli are 1024-bit.

RSA private key op            30 ms
RSA public key op              2 ms
DH key agree (1024-bit X)    100 ms
             (256-bit X)      25 ms
DSA signature                 17 ms
DSA verify                    21 ms
 
[4] IKEv2 can perform the key exchange operation in parallel on the
client and server. It's a little hard to figure whether XKASS as written
can, but it could certainly be made to do so. The table above assumes
it does.

-Ekr
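As an added worked example (not part of Ekr's post), the latency columns of the table and the timings in note [3] can be combined into a critical-path cost model. The operation counts below are copied from the table; the network RTT, the signature scheme (RSA private/public key op vs DSA sign/verify) and the DH exponent size are left open by the post, so they are parameters and the defaults are assumptions.

```python
"""Critical-path latency model for the son-of-IKE comparison table."""

# Per-operation timings from note [3]: Celeron 300, 1024-bit moduli (ms).
TIMINGS_MS = {"rsa_priv": 30, "rsa_pub": 2, "dh_1024x": 100, "dh_256x": 25,
              "dsa_sign": 17, "dsa_verify": 21}

# Critical-path operation counts from the table's latency columns, as
# (rtt, dh, sign, verify, rsa_enc, rsa_dec) for (initiator, responder).
OPS = {
    "IKEv2":              ((2, 1, 2, 2, 0, 0), (1, 1, 1, 1, 0, 0)),
    "IKEv2 (DoS mode)":   ((3, 1, 2, 2, 0, 0), (2, 1, 1, 1, 0, 0)),
    "SIGMA":              ((2, 2, 2, 0, 0, 0), (1, 2, 0, 2, 0, 0)),
    "SIGMA (DoS mode)":   ((3, 2, 2, 0, 0, 0), (2, 2, 0, 2, 0, 0)),
    "JFK (normal)":       ((2, 2, 2, 2, 0, 0), (1, 2, 0, 1, 0, 0)),
    "JFK (PFS)":          ((2, 2, 3, 2, 0, 0), (1, 2, 1, 1, 0, 0)),
    "XKASS (encryption)": ((1, 0, 0, 0, 2, 2), (0, 0, 0, 0, 1, 1)),
    "XKASS (signature)":  ((1, 1, 2, 2, 0, 0), (0, 1, 0, 1, 0, 0)),
}

INITIATOR, RESPONDER = 0, 1


def latency_ms(ops, rtt_ms, sig="rsa", dh="1024x"):
    """Round trips plus the sequential crypto ops on the critical path.

    sig: "rsa" maps sign/verify to RSA private/public key ops, "dsa" to
    DSA sign/verify.  dh: "1024x" or "256x" selects the exponent size.
    RSA enc./dec. in XKASS are always public/private key ops.
    """
    rtt, n_dh, n_sign, n_verify, n_enc, n_dec = ops
    sign_ms = TIMINGS_MS["rsa_priv" if sig == "rsa" else "dsa_sign"]
    verify_ms = TIMINGS_MS["rsa_pub" if sig == "rsa" else "dsa_verify"]
    return (rtt * rtt_ms + n_dh * TIMINGS_MS["dh_" + dh]
            + n_sign * sign_ms + n_verify * verify_ms
            + n_enc * TIMINGS_MS["rsa_pub"] + n_dec * TIMINGS_MS["rsa_priv"])


def ranking(side, rtt_ms, sig="rsa", dh="1024x"):
    """Protocols ordered fastest-first for INITIATOR or RESPONDER."""
    return sorted((latency_ms(o[side], rtt_ms, sig, dh), name)
                  for name, o in OPS.items())


if __name__ == "__main__":
    # Assumed RTTs; shows how quickly the network swamps the crypto cost.
    for rtt in (0, 50, 200):
        print(f"RTT={rtt} ms, initiator, RSA, 1024-bit X:", ranking(INITIATOR, rtt))
        print(f"RTT={rtt} ms, responder, DSA, 256-bit X:", ranking(RESPONDER, rtt, "dsa", "256x"))
```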