Subject: Re: IPsec performance
To: None <email@example.com>
From: Simon Burge <firstname.lastname@example.org>
Date: 07/20/2000 22:22:30

Bill Sommerfeld wrote:
> The expanded blowfish key is large and takes a while to compute;
> recomputing it for every packet is almost certainly what kills
> performance -- expanding the key takes ~520 blowfish block
> encryptions, equivalent to encrypting a bit over 4kb of data.
>
> The solaris implementation of blowfish for ESP (which is in
> "solaris-current", not yet in any product) just caches the expanded
> key in per-SA state; netbsd should do likewise.
>
> Something more sophisticated might be appropriate -- perhaps a
> *drain()-like routine to reclaim the memory for idle SA's -- but
> redoing the BF_set_key() on every packet is definitely a bad idea.

Idle question - since blowfish isn't an AES candidate, will its life be
long enough (in IPsec) to justify the work? I also don't know off the
top of my head if any of the AES candidate ciphers have large key setup