Subject: Re: IPsec performance
To: Ignatios Souvatzis <ignatios@cs.uni-bonn.de>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-security
Date: 07/20/2000 08:12:56
Cc: itojun@iijlab.net, tls@rek.tjls.com, tech-security@netbsd.org,
	tech-net@netbsd.org, tech-kern@netbsd.org
In-Reply-To: Message from Ignatios Souvatzis <ignatios@cs.uni-bonn.de> 
   of "Wed, 19 Jul 2000 10:34:07 +0200." <20000719103407.D29090@theory.cs.uni-bonn.de> 
Reply-To: sommerfeld@orchard.arlington.ma.us
Date: Thu, 20 Jul 2000 08:12:56 -0400
Message-Id: <20000720121301.EE5E82A1B@orchard.arlington.ma.us>

The expanded blowfish key is large and takes a while to compute;
recomputing it for every packet is almost certainly what kills
performance -- expanding the key takes ~520 blowfish block
encryptions, equivalent to encrypting a bit over 4kb of data.

The solaris implementation of blowfish for ESP (which is in
"solaris-current", not yet in any product) just caches the expanded
key in per-SA state; netbsd should do likewise.

Something more sophisticated might be appropriate -- perhaps a
*drain()-like routine to reclaim the memory for idle SA's -- but
redoing the BF_set_key() on every packet is definitely a bad idea.

					- Bill
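
The cost difference described in the message above, as an added example that is not part of the original message and is not NetBSD, Solaris or OpenSSL code: it counts block encryptions when the key is expanded per packet versus cached in per-SA state, with a drain-style reclaim for idle SAs. Assumptions: `toy_encrypt` and `toy_set_key` are stand-ins with Blowfish's table sizes and key-schedule loop shape but constructed initial tables (not real Blowfish), and every function and struct name here is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define BF_WORDS (18 + 4 * 256) /* Blowfish schedule: 18 subkeys + 4 S-boxes = 4168 bytes */
struct sched { uint32_t w[BF_WORDS]; };              /* w[0..17] = P, rest = S-boxes */
struct sa { uint8_t key[16]; struct sched *sched; }; /* sched: cached expansion or NULL */
unsigned long block_ops;                             /* block encryptions performed so far */
/* Stand-in 16-round Feistel with Blowfish's table shape. NOT real Blowfish. */
static void toy_encrypt(const struct sched *k, uint32_t *l, uint32_t *r) {
    const uint32_t *S = k->w + 18;
    for (int i = 0; i < 16; i++) {
        uint32_t L = *l ^ k->w[i], a = L >> 24, b = (L >> 16) & 255, c = (L >> 8) & 255, d = L & 255;
        *l = *r ^ (((S[a] + S[256 + b]) ^ S[512 + c]) + S[768 + d]);
        *r = L;
    }
    block_ops++;
}
/* Blowfish-style expansion: mix key into P, then refill all 1042 words (521 block encryptions). */
static void toy_set_key(struct sched *k, const uint8_t *key) {
    uint32_t l = 0, r = 0;
    for (int i = 0; i < BF_WORDS; i++) k->w[i] = 0x9e3779b9u * (uint32_t)(i + 1); /* constructed */
    for (int i = 0; i < 72; i++) k->w[i / 4] ^= (uint32_t)key[i % 16] << (24 - 8 * (i % 4));
    for (int i = 0; i < BF_WORDS; i += 2) { toy_encrypt(k, &l, &r); k->w[i] = l; k->w[i + 1] = r; }
}
/* use_cache = 0: expand per packet (slow pattern); 1: expand once into per-SA state. */
int esp_encrypt(struct sa *sa, uint32_t *blk, size_t nblk, int use_cache) {
    struct sched tmp, *k = &tmp;
    if (!use_cache) toy_set_key(k, sa->key);
    else if ((k = sa->sched) == NULL) {
        if ((k = sa->sched = malloc(sizeof *k)) == NULL) return -1;
        toy_set_key(k, sa->key);
    }
    for (size_t i = 0; i < nblk; i++) toy_encrypt(k, &blk[2 * i], &blk[2 * i + 1]);
    return 0;
}
/* drain-style reclaim for an idle SA: wipe and free; the next packet re-expands. */
void sa_drain(struct sa *sa) {
    volatile uint32_t *p = sa->sched ? sa->sched->w : NULL;
    for (int i = 0; p && i < BF_WORDS; i++) p[i] = 0;
    free(sa->sched); sa->sched = NULL;
}
/* Block encryptions needed to send npkts packets of 8 blocks (64 bytes) each. */
unsigned long ops_for(int use_cache, int npkts) {
    struct sa sa = { { 0x01, 0x23, 0x45, 0x67 }, NULL }; uint32_t pkt[16] = {0}; /* constructed key */
    block_ops = 0;
    for (int i = 0; i < npkts; i++) esp_encrypt(&sa, pkt, 8, use_cache);
    sa_drain(&sa);
    return block_ops;
}
int main(void) { printf("per-packet %lu, cached %lu\n", ops_for(0, 100), ops_for(1, 100)); return 0; }
```

The price of caching is 4168 bytes of schedule per active SA, which is the memory a drain routine would reclaim.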