Subject: Re: IPsec performance
To: Ignatios Souvatzis <>
From: Steven M. Bellovin <>
List: tech-kern
Date: 07/20/2000 03:10:33
In message <>, Ignatios Souvatzis wr
>On Wed, Jul 19, 2000 at 06:24:05AM +0900, wrote:
>> >With 466MHz Celeron CPUs and decent network hardware (3c905B) the most
>> >throughput I seem to be able to force through our IPsec is about 1.5MB/sec
>> >(that's mega *bytes*, not bits).  Though I'm told by several people that
>> >this is not atypical for a software-only IPsec implementation, I don't
>> >understand _why_.
>> 	see KAME PR 229.
>> 	basically, blowfish uses very big intermediate data and we can't
>> 	hold it on the stack.  we end up using static memory pool and
>> 	hence we need spl locks.  we'll try to correct it.
>That's specific to blowfish? What should we use on underpowered machines

It would be very interesting for someone to implement Rijndael or 
Twofish -- both are AES candidates, and both are pretty fast in 
software, especially Rijndael.  (AES is the Advanced Encryption 
Standard.  There are five finalists; the winner is supposed to be 
selected in the next few months.  See, I believe.)

		--Steve Bellovin