Tom Dunigan's VPN performance
Virtual Private Network Performance
Starting in the summer of 1996, we conducted a number of evaluations
of VPN hardware and software. Several of the hardware solutions
had problems tunneling UDP packets that were bigger than the
local network MTU (IP fragmentation). The PIX unit was corrected,
but the NetFortress box still fails (10/1/96),
and the Compatible box (5/99) fails to tunnel UDP larger
than the Ethernet MTU when using 3DES (OK with DES).
Tunneling throughput was measured over
a range of packet sizes with TCP and UDP.
Test environment
Test generators (ttcp, 1K packets, TCP, isolated Ethernet) (Revised 9/18/96)
mist 90MHz Pentium Linux 1.2.13
charade 120MHz Pentium Linux 1.2.13 (or NetBSD) (md5: 6.1 MBs des-cbc 970 KBs)
puffin 166MHz Pentium NetBSD +NRL ipv6 (md5: 8.5MBs, des-cbc 1.3 MBs)
maya 166MHz Pentium Linux 1.2.13
ISAKMP key exchange: 2.3 seconds (ikmpd jul196 + 8/6/96 mods)
PIX Version 2.7.10 with Newbridge ISA DES board CA95C68-16CP
host -- PIX ---ether --- PIX -- host (same for NetFortress) IPv4
We also did encrypted-tunnel testing between two Cisco routers (IOS software
encryption), but Cisco requests that we not publish those performance numbers
(4/97).
Throughput
HARDWARE throughput (KB/s)
mist-charade 893
PIX no encryption 626
PIX encrypted 309
Netfortress 181
SOFTWARE
IPv4/6 crypto (ttcp -A2 and/or -T2)
charade-puffin
v4 clear 884
v4 A2 765
v4 T2 505
v4 T2+A2 421
v6 clear 822
v6 A2 690
v6 T2 472
v6 A2+T2 393
Application-level crypto
           charade-maya ttcp with des/md5 (contention)   nuance/thistle (200MHz) idle
clear      850                                           998
md5        714                                           965
des-cbc    572                                           953
md5+des    495                                           961
SSH crypto (ttcp tunneled through ssh )
charade->puffin
clear (no tunnel) 925
none (no encryption) 794
RC4 685
TSS (MD5 stream cipher) 676
DES 437
IDEA 369
3DES 222
SunSkip Win95 (charade/mist) 12/97
clear 800
encrypt (RC2-40) 200
pptp tests (200 MHz Pentiums, NT) 6/98 a===B---c
direct 1037 KBs
pptp-clear 812
pptp-RC4 811
Checkpoint Firewall1/Securemote v3 tests a==NT--b (7/98)
NT 200 MHz dual pentium pro, NT 4/sp3 with hotfixes,
a-b clear 953
FWZ1 400
DES 280
Cylink a -- cy ==== cy -- b (7/98)
a-b clear 1005
DES 1005
Compatible VPN a====V---b 5/99 a/b 200 MHz/linux
a-b direct 1087
DES 774
3DES 430
Linux Free/SWAN a--X====Y--b X/Y 450 MHz 100 Mbs 6/99
a-b clear 1185 KBs
3DES 1375 KBs go figure?
using an ssh-3des tunnel: 821 KBs
Linux NIST's IPsec a===b a 450 MHz b 300 MHz 10 Mbs (7/99)
a-b clear 850 KBs
3DES/md5 tunnel 758
ttcp3des-md5 857
Latency
8 byte UDP echo, minimum round trip time (microseconds)
direct Ether (charade <--> nimbus linux/166 4/29/97)
microseconds
clear 450
md5 467
des/cbc 494
md5+des 525
charade <-> puffin NetBSD NRL ipv6
microseconds
PIX-clear 784
PIX-enc 2084
NetFortress 2729
v6 733
v6 A2 1292
v6 T2 1517
v6 A2+T2 2145
v4 593
v4 A2 1256
v4 T2 1265
v4 A2+T2 2001
sunskip charade->mist win95
clear 1519
encrypt 4205
pptp tests (200 MHz Pentiums, NT)
direct 325
pptp-clear 628
pptp-RC4 633
Firewall1/securemote a==NT--b
a-b clear 902
FWZ1 1650
DES 1650
Cylink a -- cy ==== cy -- b (200 and 166 MHz pentiums)
clear 560 (a-b)
DES 1763 streaming rate (4300 pps, clear direct: 14000 pps)
Compatible (several router hops)
des 3166
3des 3243
Linux Free/SWAN a--X==Y--b
clear 421
3des 678
Linux NIST IPsec
clear 284
3des 677
The effect of encryption on network performance may be worse
for modems that do compression.
The encrypted packets will not compress and so effective throughput
will be further reduced unless the application has done compression
before encryption.
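The compression effect described above can be reproduced offline. The following is an added example, not code from the original page: zlib stands in for the modem's link compression, `keystream_xor` is a toy stream cipher used only to produce ciphertext, and the sample traffic, key and function names are constructed for the illustration.

```python
import hashlib
import zlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption, illustration only): XOR the data with
    SHA-256(key || block counter). Applying it twice decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def modem(frame: bytes) -> int:
    """Bytes on the wire after link compression; zlib stands in for the modem."""
    return len(zlib.compress(frame))

def link_bytes(payload: bytes, key: bytes) -> dict:
    """Wire bytes for the three orderings discussed in the text."""
    return {
        "original": len(payload),
        # Cleartext: the modem compresses the application data itself.
        "clear": modem(payload),
        # Encrypted tunnel: the modem only sees ciphertext, which does not compress.
        "encrypt_only": modem(keystream_xor(key, payload)),
        # Application compresses first, then the tunnel encrypts.
        "compress_then_encrypt": modem(keystream_xor(key, zlib.compress(payload))),
    }

# Constructed sample traffic: repetitive, text-like application data.
SAMPLE = b"".join(
    b"GET /data/file%04d.txt HTTP/1.0 host=charade\r\n" % n for n in range(300)
)
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for name, size in link_bytes(SAMPLE, KEY).items():
        print(f"{name:24s}{size:7d} bytes")
```

With the encrypt-only ordering the link carries slightly more than the original byte count, while compressing before encryption brings it back close to the cleartext case.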
Last Modified thd@ornl.gov