[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ipsec] IPSec performance implications / some results

To: ipsec@ietf.org
Subject: Re: [Ipsec] IPSec performance implications / some results
From: Joern Sierwald <joern@f-secure.com>
Date: Wed, 14 Jul 2004 09:11:02 +0200
In-reply-to: <92DDD2D6D65FD3449BAF18FD44729D96EBFE5E@c08870.glos.ac.uk>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
Sender: ipsec-bounces@ietf.org

At 14:37 13.07.2004 +0100, you wrote:

>This is with response to Mathias' post about any quantitative work done in 
>the performance area. I would like to share some results that I have 
>obtained very recently for some tests I carried out using IPSec on the 
>Win2k platform.
>
>----------------------------------------------------------
>Here are the results. There are some interesting figures which I wish to 
>seek some help for.
>
>IPSec Processing (kbps)
>
>Encryption      Authentication  Software supported      Hardware 
>supported      Gain(%)
>DES 64-bit      SHA-1 
>160-bit   3154.88                 3568.83                 13.12
>DES 64-bit      MD5 
>128-bit     2635.37                 2978.04                 13.00
>3DES 192-bit    SHA-1 
>160-bit   2348.47                 2548.60                 8.52
>3DES 192-bit    MD5 
>128-bit     2543.63                 2668.04                 4.89
>
>Average improvement (due to dedicated hardware) 9.88
>----------------------------------------------------------
>
>It is interesting to note that MD5 is faster than SHA-1 when used with 
>3DES but not when used with single DES? Comments welcome!
>
>
>Siraj

Yes, some comments.

First of all, the use of dedicated hardware may or even may not boost the 
performance, in turns
of throughput. But. Even if it does not make the throughput faster in your 
special test setup,
it does not mean that it's useless. It may as well be that your CPU load is 
at 100% with
the encryption done in software and at 40% when done with hardware. That 
means that the
CPU has left some processing power to do actual work in a server.

To simulate server load, you might want to burn some fixed CPU time per IP 
packet,
in a seperate thread or process.

I don't like your numbers, because you don't state the speed with no 
encryption at all.
You don't say how many times you tried. Standard deviation?
The speed difference is odd, as you have noticed, but I can't comment if 
you don't say
how often you did the test.

I'd also like to point out that ESP uses 96 bit authentication, with both 
SHA-1 and MD5,
not 128 and 160 bit as you write.

Jörn Sierwald

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

References:
- [Ipsec] IPSec performance implications / some results
  - From: "SHAIKH, Siraj" <sshaikh@glos.ac.uk>

Prev by Date: [Ipsec] Hidden message
Next by Date: [Ipsec] [OT] Job Opportunity for Embedded Engineering TechnicalLead/Manager
Previous by thread: [Ipsec] IPSec performance implications / some results
Next by thread: RE: [Ipsec] IPSec performance implications / some results
Index(es):
- Date
- Thread