Subject: Re: IPsec performance
To: Ignatios Souvatzis <>
From: Bill Sommerfeld <>
List: tech-security
Date: 07/20/2000 08:12:56

The expanded blowfish key is large and takes a while to compute;
recomputing it for every packet is almost certainly what kills
performance -- expanding the key takes ~520 blowfish block
encryptions, equivalent to encrypting a bit over 4 KB of data.

The solaris implementation of blowfish for ESP (which is in
"solaris-current", not yet in any product) just caches the expanded
key in per-SA state; netbsd should do likewise.

Something more sophisticated might be appropriate -- perhaps a
*drain()-like routine to reclaim the memory for idle SAs -- but
redoing the BF_set_key() on every packet is definitely a bad idea.

					- Bill
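The cost argument above, worked through as an added example that is not part of the original message nor NetBSD or Solaris code: a small model that derives the ~520-block key-expansion cost from Blowfish's published P-array and S-box sizes, then counts block-encryption equivalents for a constructed ESP packet trace under "BF_set_key() per packet" versus a per-SA cache with a drain()-style reclaim of idle SAs. SaKeyCache, drain(), the idle threshold and TRACE are assumptions of this model, not kernel interfaces.

```python
# Added cost model (not the original poster's code). Blowfish structure:
# 18-word P-array and four 256-entry S-boxes; the key schedule overwrites
# them two 32-bit words at a time, each step being one block encryption.
BF_BLOCK_BYTES = 8
P_ARRAY_WORDS = 18
S_BOX_WORDS = 4 * 256
KEY_EXPANSION_BLOCKS = (P_ARRAY_WORDS + S_BOX_WORDS) // 2        # 521 blocks
KEY_EXPANSION_DATA_EQUIV = KEY_EXPANSION_BLOCKS * BF_BLOCK_BYTES  # 4168 bytes


def blocks_for(payload_len: int) -> int:
    """Blocks encrypted for one ESP payload, padded up to the 8-byte block."""
    return -(-payload_len // BF_BLOCK_BYTES)


class SaKeyCache:
    """Hypothetical per-SA cache of expanded keys with an idle-SA drain()."""

    def __init__(self):
        self.expanded = {}   # spi -> last-use time; stands in for cached BF_KEY state
        self.expansions = 0  # how many times BF_set_key() would have run

    def encrypt_cost(self, spi: int, payload_len: int, now: float) -> int:
        cost = 0
        if spi not in self.expanded:      # cache miss: pay the key schedule once
            self.expansions += 1
            cost += KEY_EXPANSION_BLOCKS
        self.expanded[spi] = now
        return cost + blocks_for(payload_len)

    def drain(self, now: float, idle: float) -> int:
        """Reclaim expanded keys of SAs idle longer than `idle`; return count."""
        stale = [spi for spi, t in self.expanded.items() if now - t > idle]
        for spi in stale:
            del self.expanded[spi]
        return len(stale)


def cost_per_packet_setkey(trace) -> int:
    """Block-encryption equivalents when BF_set_key() runs for every packet."""
    return sum(KEY_EXPANSION_BLOCKS + blocks_for(n) for _, n, _ in trace)


def cost_cached(trace, idle: float = 30.0):
    """Same trace with the per-SA cache; drain() runs before each packet."""
    cache, total = SaKeyCache(), 0
    for spi, n, t in trace:
        cache.drain(t, idle)
        total += cache.encrypt_cost(spi, n, t)
    return total, cache.expansions


# Constructed trace: (SPI, payload bytes, arrival seconds). SPI 0x100 sits idle
# long enough to be drained and must be re-expanded on its last packet.
TRACE = [(0x100, 64, 0.0), (0x200, 1400, 0.5), (0x100, 64, 1.0),
         (0x200, 1400, 1.5), (0x200, 1400, 25.0), (0x100, 64, 41.0)]
```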