Re: [Ipsec] OT: cryptographic parameters - performance data

[Joern Sierwald <joern@f-secure.com>]

At 09:25 11.06.2004 +0000, Bob Arthurs wrote:
>hello again,
>
>in my research on the use of cryptographic parameters for use with ipsec, 
>i have been trying to find some performace data on the various 
>cryptogrpahic algorithms.
>
>any help much appreciated once again.

To post the obvious one: openssl (installed with every linux) has speed 
tests. run them!
"openssl speed ?" will tell you how to do it.

On my computer md5 was exactly twice as fast as sha1.
I was too lazy to run the encryption tests.


>On a second point, could anyone tell me what specific advantages of using 
>the same cryptographic parameters (encryption/hash algorithms) for both 
>IKE and IPSec SAs? instinctively it seems better, but is it fair to say 
>that it will improve performance between peers if the the same algorithms 
>are used, and if so why in particular?

For phase 1, the symmetric encryption algorithm and the hmac do not matter 
at all.
 >90% of the CPU time is consumed by big number math for RSA and 
Diffie-Hellman.

Using the same algorithms for both IKA and IPSec SAs does not provide any 
benefit at all. I can think of only
one academical argument: if they are the same, the other available 
algorithms can be paged out, saving memory.
Also CPU cache hits might be better if they are the same. But in reality... 
Come on. P1 only happens once per hour...

Jörn Sierwald


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec