Subject: Re: IPsec performance
To: Ignatios Souvatzis <firstname.lastname@example.org>
From: Bill Sommerfeld <email@example.com>
Date: 07/20/2000 08:12:56

The expanded blowfish key is large and takes a while to compute;
recomputing it for every packet is almost certainly what kills
performance -- expanding the key takes ~520 blowfish block
encryptions, equivalent to encrypting a bit over 4kb of data.

The solaris implementation of blowfish for ESP (which is in
"solaris-current", not yet in any product) just caches the expanded
key in per-SA state; netbsd should do likewise.

Something more sophisticated might be appropriate -- perhaps a
*drain()-like routine to reclaim the memory for idle SA's -- but
redoing the BF_set_key() on every packet is definitely a bad idea.
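
The per-SA caching described in the message above, as an added C example that is not part of the original post and is not Solaris or NetBSD code. It follows the structure of Blowfish key expansion (521 block encryptions filling a 4168-byte schedule) but seeds the tables with constructed stand-in constants rather than the real pi-derived ones, so it is not a usable cipher; `sa_state`, `sa_encrypt`, `sa_drain` and the tick-based idle clock are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Blowfish-shaped schedule: w[0..17] = P-array, w[18..1041] = four S-boxes. */
typedef struct { uint32_t w[1042]; } bf_sched;
unsigned long block_encs;               /* block encryptions performed so far */

void bf_encrypt(const bf_sched *k, uint32_t *l, uint32_t *r) {
    const uint32_t *S = k->w + 18;
    uint32_t L = *l, R = *r, t;
    for (int i = 0; i < 16; i++, t = L, L = R, R = t) {
        L ^= k->w[i];
        R ^= ((S[L >> 24] + S[256 + ((L >> 16) & 255)]) ^ S[512 + ((L >> 8) & 255)])
             + S[768 + (L & 255)];
    }
    *l = R ^ k->w[17]; *r = L ^ k->w[16]; block_encs++;
}

/* Blowfish's key-expansion structure; initial table is a constructed stand-in. */
void bf_expand(bf_sched *k, const uint8_t *key, size_t len) {
    uint32_t x = 0x9e3779b9u, l = 0, r = 0;
    for (int i = 0; i < 1042; i++) k->w[i] = x = x * 1664525u + 1013904223u;
    for (size_t i = 0; i < 72; i++)     /* XOR key bytes cyclically into P */
        k->w[i / 4] ^= (uint32_t)key[i % len] << (24 - 8 * (i % 4));
    for (int i = 0; i < 1042; i += 2) { bf_encrypt(k, &l, &r); k->w[i] = l; k->w[i + 1] = r; }
}

/* Hypothetical per-SA state: sched caches the expanded key (NULL = not built). */
typedef struct { uint8_t key[16]; bf_sched *sched; unsigned long last_used; } sa_state;
/* Per-packet path: expand the key on first use only, then reuse the cache. */
int sa_encrypt(sa_state *sa, unsigned long now, uint32_t *l, uint32_t *r) {
    if (!sa->sched) {
        if (!(sa->sched = malloc(sizeof *sa->sched))) return -1;
        bf_expand(sa->sched, sa->key, sizeof sa->key);
    }
    sa->last_used = now;
    bf_encrypt(sa->sched, l, r);
    return 0;
}

/* drain()-style reclaim: wipe and free the schedules of SAs idle >= max_idle. */
int sa_drain(sa_state *sa, size_t n, unsigned long now, unsigned long max_idle) {
    int freed = 0;
    for (size_t i = 0; i < n; i++)
        if (sa[i].sched && now - sa[i].last_used >= max_idle) {
            memset(sa[i].sched, 0, sizeof *sa[i].sched);  /* wipe key material */
            free(sa[i].sched); sa[i].sched = NULL; freed++;
        }
    return freed;
}
```

The first packet on an SA costs 522 block encryptions and each later one costs 1; a drained SA pays the expansion again on its next packet. Production code should wipe the schedule with a zeroing primitive the compiler cannot elide, since a plain `memset` before `free` may be optimized away.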