Subject: Re: IPsec performance
To: Simon Burge <>
From: Steven M. Bellovin <>
List: tech-security
Date: 07/20/2000 15:51:41
  by with SMTP; 20 Jul 2000 19:52:05 -0000
	by (Postfix) with ESMTP
	id A5E894CE31; Thu, 20 Jul 2000 15:52:00 -0400 (EDT)
	by (8.8.7/8.8.7) with ESMTP id PAA22844;
	Thu, 20 Jul 2000 15:51:57 -0400 (EDT)
	by (Postfix) with ESMTP
	id CC68035DC2; Thu, 20 Jul 2000 15:51:56 -0400 (EDT)
From: "Steven M. Bellovin" <>
To: Simon Burge <>
Subject: Re: IPsec performance 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 20 Jul 2000 15:51:41 -0400
Message-Id: <>

In message <>, Simon Bu
rge writes:
>Bill Sommerfeld wrote:
>> The expanded blowfish key is large and takes a while to compute;
>> recomputing it for every packet is almost certainly what kills
>> performance -- expanding the key takes ~520 blowfish block
>> encryptions, equivalent to encrypting a bit over 4kb of data.
>> The solaris implementation of blowfish for ESP (which is in
>> "solaris-current", not yet in any product) just caches the expanded
>> key in per-SA state; netbsd should do likewise.
>> Something more sophisticated might be appropriate -- perhaps a
>> *drain()-like routine to reclaim the memory for idle SA's -- but
>> redoing the BF_set_key() on every packet is definitely a bad idea.
>Idle question - since blowfish isn't an AES candidate, will its life be
>long enough (in IPsec) to justify the work?  I also don't know off the
>top of my head if any of the AES candidate ciphers have large key setup
>times (MARS?)...

In fact, Doug Whiting, Bruce Scheier, and I wrote a short white paper 
on key agility requirements for IPsec for AES -- see

In answer to your specific question -- MARS and RC6 have long key-setup 
times.  Rijndael is fast; Twofish is pretty fast, and gives you a wide 
range of tradeoffs between key setup time and storage requirements.  
Serpent (the fifth finalist) is sufficiently slow in software that I 
don't think that key setup time is an interesting question.

		--Steve Bellovin