Subject: Re: IPsec performance
To: Ignatios Souvatzis <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 07/20/2000 03:10:33
In message <20000719103407.D29090@theory.cs.uni-bonn.de>, Ignatios Souvatzis wr
>On Wed, Jul 19, 2000 at 06:24:05AM +0900, firstname.lastname@example.org wrote:
>> >With 466MHz Celeron CPUs and decent network hardware (3c905B) the most
>> >throughput I seem to be able to force through our IPsec is about 1.5MB/sec
>> >(that's mega *bytes*, not bits). Though I'm told by several people that
>> >this is not atypical for a software-only IPsec implementation, I don't
>> >understand _why_.
>> see KAME PR 229.
>> basically, blowfish uses very big intermediate data and we cant
>> hold it on the stack. we endup using static memory pool and
>> hence we need spl locks. we'll try to correct it.
>Thats specific to blowfish? What should we used on underpowered machines
It would be very interesting for someone to implement Rijndael or
Twofish -- both are AES candidates, and both are pretty fast in
software, especially Rijndael. (AES is the Advanced Encryption
Standard. There are five finalists; the winner is supposed to be
selected in the next few months. See http://www.nist.gov/aes, I believe.)