More Son-of-IKE Performance
I've made another pass through the various son-of-IKE contenders
and generated a more complete performance table. This version
includes latency estimates from the perspective of the initiator
and responder. In general, these protocols all have the property
that the responder has a completed SA before the initiator.
Protocol       Initiator      Responder      Init. Latency    Resp. Latency
-----------------------------------------------------------------------------
IKEv2          1 signature    1 signature    2 RTT            1 RTT
               1 verify       1 verify       1 DH agree       1 DH agree
               1 DH agree     1 DH agree     2 signs          1 sign
                                             2 verify         1 verify

IKEv2          1 signature    1 signature    3 RTT            2 RTT
(DoS mode)     1 verify       1 verify       1 DH agree       1 DH agree
               1 DH agree     1 DH agree     2 signs          1 sign
                                             2 verify         1 verify

SIGMA [1]      1 signature    1 signature    2 RTT            1 RTT
               1 verify       1 verify       2 sign           2 verify
               1 DH agree     1 DH agree     2 DH key agree   2 DH key agree

SIGMA [1]      1 signature    1 signature    3 RTT            2 RTT
(DoS mode)     1 verify       1 verify       2 sign           2 verify
               1 DH agree     1 DH agree     2 DH key agree   2 DH key agree

JFK(normal)    1 signature    1 signature    2 RTT            1 RTT
               2 verifies     1 verify       2 DH agree       2 DH agree
               1 DH agree     1 DH agree     2 sign           1 verify
                                             2 verify

JFK(PFS) [2]   1 signature    2 signature    2 RTT            1 RTT
               2 verifies     1 verify       2 DH agree       2 DH agree
               1 DH agree     1 DH agree     3 sign           1 sign
                                             2 verify         1 verify

XKASS          1 RSA enc.     1 RSA enc.     1 RTT            0 RTT
(encryption)   1 RSA dec.     1 RSA dec.     2 RSA enc.       1 RSA enc.
                                             2 RSA dec.       1 RSA dec.

XKASS          1 signature    1 signature    1 RTT            0 RTT
(signature)    1 verify       1 verify       2 sign           1 DH agree
                                             2 verify         1 verify
                                             1 DH agree
Notes:

[0] I'm ignoring the following computational costs since
    they're more or less constant across protocols and are
    usually cheap:
      Digests, symmetric encryption, and PRFs.
      Certificate verification (not cheap if DSS)
    All of the PFS modes require an additional g^x mod p.

[1] I'm assuming a SIGMA variant with an essentially empty
    ACK as the fourth message.

[2] In JFK, PFS mode is incompatible with DoS protection.

[3] Here are some approximate timings for the various operations
    (measured on a Celeron 300). All moduli are 1024-bit.

      RSA private key op              30 ms
      RSA public key op                2 ms
      DH key agree (1024-bit X)      100 ms
                   (256-bit X)        25 ms
      DSA signature                   17 ms
      DSA verify                      21 ms
[4] IKEv2 can perform the key exchange operation in parallel on the
    client and server. It's a little hard to figure whether XKASS as written
    can, but it could certainly be made to do so. The table above assumes
    it does.
-Ekr
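Added example, not part of the post above: a small Python cost model that encodes the table's operation counts together with the note [3] timings, so the latency and CPU columns can be compared numerically for a chosen RTT and DH exponent size rather than read row by row. Assumptions the post does not state: "signature"/"verify" are priced as DSA sign/verify, "RSA enc."/"RSA dec." as the RSA public/private key ops, one "DH agree" or "DH key agree" as one DH agreement at the chosen exponent size, and the trailing "1 DH agree" of the XKASS signature row is taken to lie on the initiator's latency path. The protocol labels (e.g. "IKEv2 (DoS)") and the function names are the example's own.

```python
"""Cost model for the son-of-IKE comparison table (added example).

Operation counts are transcribed from the table in the post; per-operation
timings are the Celeron 300 figures from note [3].  Assumed mappings (not
stated in the post): "signature"/"verify" are DSA sign/verify, "RSA enc."/
"RSA dec." are the RSA public/private key ops, and "DH agree"/"DH key agree"
is one DH agreement with the chosen exponent size.
"""

# Per-operation timings in milliseconds, from note [3] (1024-bit moduli).
TIMINGS_MS = {
    "rsa_priv": 30.0,
    "rsa_pub": 2.0,
    "dh_1024": 100.0,  # 1024-bit exponent
    "dh_256": 25.0,    # 256-bit exponent
    "dsa_sign": 17.0,
    "dsa_verify": 21.0,
}

# Per-row entries: (initiator work, responder work,
#                   initiator latency path, responder latency path).
# Work columns exclude RTTs; latency paths count the RTTs the party waits for.
PROTOCOLS = {
    "IKEv2": (
        dict(sign=1, verify=1, dh=1), dict(sign=1, verify=1, dh=1),
        dict(rtt=2, dh=1, sign=2, verify=2), dict(rtt=1, dh=1, sign=1, verify=1)),
    "IKEv2 (DoS)": (
        dict(sign=1, verify=1, dh=1), dict(sign=1, verify=1, dh=1),
        dict(rtt=3, dh=1, sign=2, verify=2), dict(rtt=2, dh=1, sign=1, verify=1)),
    "SIGMA": (
        dict(sign=1, verify=1, dh=1), dict(sign=1, verify=1, dh=1),
        dict(rtt=2, sign=2, dh=2), dict(rtt=1, verify=2, dh=2)),
    "SIGMA (DoS)": (
        dict(sign=1, verify=1, dh=1), dict(sign=1, verify=1, dh=1),
        dict(rtt=3, sign=2, dh=2), dict(rtt=2, verify=2, dh=2)),
    "JFK": (
        dict(sign=1, verify=2, dh=1), dict(sign=1, verify=1, dh=1),
        dict(rtt=2, dh=2, sign=2, verify=2), dict(rtt=1, dh=2, verify=1)),
    "JFK (PFS)": (
        dict(sign=1, verify=2, dh=1), dict(sign=2, verify=1, dh=1),
        dict(rtt=2, dh=2, sign=3, verify=2), dict(rtt=1, dh=2, sign=1, verify=1)),
    "XKASS (encryption)": (
        dict(rsa_enc=1, rsa_dec=1), dict(rsa_enc=1, rsa_dec=1),
        dict(rtt=1, rsa_enc=2, rsa_dec=2), dict(rtt=0, rsa_enc=1, rsa_dec=1)),
    # The trailing "1 DH agree" of this row is ambiguous in the flattened
    # table; it is placed on the initiator's latency path here (assumption).
    "XKASS (signature)": (
        dict(sign=1, verify=1), dict(sign=1, verify=1),
        dict(rtt=1, sign=2, verify=2, dh=1), dict(rtt=0, dh=1, verify=1)),
}


def op_cost_ms(ops, dh_bits=1024):
    """Sum the timings for a dict of operation counts, ignoring RTT entries."""
    if dh_bits not in (1024, 256):
        raise ValueError("note [3] only gives timings for 1024- and 256-bit exponents")
    cost = {
        "sign": TIMINGS_MS["dsa_sign"],
        "verify": TIMINGS_MS["dsa_verify"],
        "dh": TIMINGS_MS["dh_%d" % dh_bits],
        "rsa_enc": TIMINGS_MS["rsa_pub"],
        "rsa_dec": TIMINGS_MS["rsa_priv"],
    }
    return sum(n * cost[op] for op, n in ops.items() if op != "rtt")


def compute_ms(protocol, role, dh_bits=1024):
    """Total CPU time one party spends (the Initiator/Responder columns)."""
    work = PROTOCOLS[protocol][0 if role == "initiator" else 1]
    return op_cost_ms(work, dh_bits)


def latency_ms(protocol, role, rtt_ms, dh_bits=1024):
    """Time until the party has a usable SA: waited RTTs plus serial crypto."""
    path = PROTOCOLS[protocol][2 if role == "initiator" else 3]
    return path.get("rtt", 0) * rtt_ms + op_cost_ms(path, dh_bits)


def ranking(role, rtt_ms, dh_bits=1024):
    """Protocols ordered from lowest to highest latency for the given party."""
    return sorted(PROTOCOLS, key=lambda p: latency_ms(p, role, rtt_ms, dh_bits))


def later_responders(rtt_ms, dh_bits=1024):
    """Rows where the responder's SA is ready no earlier than the initiator's."""
    return [p for p in PROTOCOLS
            if latency_ms(p, "responder", rtt_ms, dh_bits)
            >= latency_ms(p, "initiator", rtt_ms, dh_bits)]


if __name__ == "__main__":
    for rtt, bits in ((50, 256), (5, 1024)):
        print("RTT %d ms, %d-bit DH exponent" % (rtt, bits))
        for p in ranking("initiator", rtt, bits):
            print("  %-20s init %6.0f ms  resp %6.0f ms  (init CPU %4.0f ms)" % (
                p, latency_ms(p, "initiator", rtt, bits),
                latency_ms(p, "responder", rtt, bits), compute_ms(p, "initiator", bits)))
        print("  responder not first:", later_responders(rtt, bits) or "none")
```

One thing the numbers show that the table alone does not: the SIGMA rows are the only ones where, under this cost model, the responder can end up with its SA later than the initiator. Its responder path carries two verifies against the initiator's two signatures, which with the DSA timings in note [3] costs 8 ms more, so the responder finishes later whenever the RTT is under 8 ms. That is a consequence of the timing figures, not of the message flow the post describes.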