Subject: Re: IPsec performance
To: Ignatios Souvatzis <>
From: Steven M. Bellovin <>
List: tech-security
Date: 07/20/2000 03:10:33
  by with SMTP; 20 Jul 2000 08:23:53 -0000
	by (Postfix) with ESMTP
	id 5C72E1E007; Thu, 20 Jul 2000 04:23:52 -0400 (EDT)
	by (8.8.7/8.8.7) with ESMTP id EAA08531;
	Thu, 20 Jul 2000 04:23:30 -0400 (EDT)
	by (Postfix) with ESMTP
	id A83BB35DC3; Thu, 20 Jul 2000 03:10:33 -0400 (EDT)
From: "Steven M. Bellovin" <>
To: Ignatios Souvatzis <>
Subject: Re: IPsec performance 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 20 Jul 2000 03:10:33 -0400
Message-Id: <>

In message <>, Ignatios Souvatzis wr
>On Wed, Jul 19, 2000 at 06:24:05AM +0900, wrote:
>> >With 466MHz Celeron CPUs and decent network hardware (3c905B) the most
>> >throughput I seem to be able to force through our IPsec is about 1.5MB/sec
>> >(that's mega *bytes*, not bits).  Though I'm told by several people that
>> >this is not atypical for a software-only IPsec implementation, I don't
>> >understand _why_.
>> 	see KAME PR 229.
>> 	basically, blowfish uses very big intermediate data and we cant
>> 	hold it on the stack.  we endup using static memory pool and
>> 	hence we need spl locks.  we'll try to correct it.
>Thats specific to blowfish? What should we used on underpowered machines

It would be very interesting for someone to implement Rijndael or 
Twofish -- both are AES candidates, and both are pretty fast in 
software, especially Rijndael.  (AES is the Advanced Encryption 
Standard.  There are five finalists; the winner is supposed to be 
selected in the next few months.  See, I believe.)

		--Steve Bellovin