IPSec AES vs. DES speed question

 
 
Cliff Campbell
      11-30-2003
So I've heard/read that AES in software is faster than 3DES in hardware.
But I wonder is the same true about AES in software vs DES in hardware. The
reason I ask is because I am contemplating taking the VPN encryption card
out of my 1700 and switching from DES to AES. My router won't let me
configure AES while the hardware card is in there because the hardware card
does not support AES. Security is not a great concern for me. Just speed.
I would have just setup a GRE tunnel if I didn't have a 3005 concentrator
already. Hope someone knows.
Thanks
Cliff



 
Walter Roberson
      11-30-2003
In article <rlhyb.10586$dO2.3419@lakeread03>,
Cliff Campbell <(E-Mail Removed)> wrote:
:So I've heard/read that AES in software is faster than 3DES in hardware.
:But I wonder is the same true about AES in software vs DES in hardware.

There isn't any general answer. It depends on the hardware implementation.

:The
:reason I ask is because I am contemplating taking the VPN encryption card
:out of my 1700 and switching from DES to AES. My router won't let me
:configure AES while the hardware card is in there because the hardware card
:does not support AES. Security is not a great concern for me. Just speed.

All I can suggest is to test.
--
Warhol's Second Law of Usenet: "In the future, everyone will troll
for 15 minutes."
 
Terry Baranski
      11-30-2003
On Sun, 30 Nov 2003 00:53:12 -0700, "Cliff Campbell"
<(E-Mail Removed)> wrote:

>So I've heard/read that AES in software is faster than 3DES in hardware.


Where did you read this?

-Terry
 
Cliff Campbell
      12-01-2003
It seems to be all over. In addition to non-cisco articles on the matter,
there are many cisco related articles. One I could find in a quick search
is the following quote from (CCO login required)
http://www.cisco.com/en/US/customer/...80148723.shtml

Cisco PIX Firewall VPN Accelerator Card Plus (VAC+) QandA
"Q. Is there a performance penalty when using AES instead of 3DES?
A. No. In fact, 128-bit AES is significantly faster than 168-bit 3DES. There
is very little performance difference between 256-bit AES and 168-bit 3DES."

Another description in cisco docs provides this:

AES-Provides greater security than DES and is computationally more efficient
than 3DES. AES offers three different key strengths: 128-, 192- and 256- bit
keys.

Also, the other night when I was originally looking in this, cisco had an
article about their commitment to standards wrt AES and mentioned that it
was expected to be faster than 3DES in hardware but that was dated from
2001. Also, our WAN monitoring partner, who is also a cisco Gold reseller
just moved us to AES on our VPN connection for the same reasons.

Cliff



"Terry Baranski" <(E-Mail Removed)0VE> wrote in message
news:(E-Mail Removed)...
> On Sun, 30 Nov 2003 00:53:12 -0700, "Cliff Campbell"
> <(E-Mail Removed)> wrote:
>
> >So I've heard/read that AES in software is faster than 3DES in hardware.

>
> Where did you read this?
>
> -Terry





 
Patrick Colbeck
      12-01-2003
AES should be faster in general as part of the competition criteria for
choosing a DES replacement was that the algorithm should be easy for
computers to err ... compute.

Pat


On Sun, 30 Nov 2003 16:14:50 +0000, Walter Roberson wrote:

> In article <rlhyb.10586$dO2.3419@lakeread03>,
> Cliff Campbell <(E-Mail Removed)> wrote:
> :So I've heard/read that AES in software is faster than 3DES in hardware.
> :But I wonder is the same true about AES in software vs DES in hardware.
>
> There isn't any general answer. It depends on the hardware implementation.
>
> :The
> :reason I ask is because I am contemplating taking the VPN encryption card
> :out of my 1700 and switching from DES to AES. My router won't let me
> :configure AES while the hardware card is in there because the hardware card
> :does not support AES. Security is not a great concern for me. Just speed.
>
> All I can suggest is to test.


 
Mike Gallagher
      12-01-2003
Cliff - The article/Q&A you read was for the VAC+. So, I don't think
they were referring to 128-bit AES in software being faster than 3DES
in hardware. I'd be really surprised if this were true. But,
depending on what/how much you are encrypting, and what kind of 1700
you have, you may be ok with 128-bit AES in software. A 1700 isn't
exactly a "powerful" router though.

Mike

"Cliff Campbell" <(E-Mail Removed)> wrote in message news:<8Rxyb.10925$dO2.2423@lakeread03>...
> It seems to be all over. In addition to non-cisco articles on the matter,
> there are many cisco related articles. One I could find in a quick search
> is the following quote from (CCO login required)
> http://www.cisco.com/en/US/customer/...80148723.shtml
>
> Cisco PIX Firewall VPN Accelerator Card Plus (VAC+) QandA
> "Q. Is there a performance penalty when using AES instead of 3DES?
> A. No. In fact, 128-bit AES is significantly faster than 168-bit 3DES. There
> is very little performance difference between 256-bit AES and 168-bit 3DES."
>
> Another description in cisco docs provides this:
>
> AES-Provides greater security than DES and is computationally more efficient
> than 3DES. AES offers three different key strengths: 128-, 192- and 256- bit
> keys.
>
> Also, the other night when I was originally looking in this, cisco had an
> article about their commitment to standards wrt AES and mentioned that it
> was expected to be faster than 3DES in hardware but that was dated from
> 2001. Also, our WAN monitoring partner, who is also a cisco Gold reseller
> just moved us to AES on our VPN connection for the same reasons.
>
> Cliff
>
>
>
> "Terry Baranski" <(E-Mail Removed)0VE> wrote in message
> news:(E-Mail Removed)...
> > On Sun, 30 Nov 2003 00:53:12 -0700, "Cliff Campbell"
> > <(E-Mail Removed)> wrote:
> >
> > >So I've heard/read that AES in software is faster than 3DES in hardware.

> >
> > Where did you read this?
> >
> > -Terry

>
>

 
joe
      12-01-2003
this from an old message i posted a while back to the vpn group @ yahoo.
with aes i saved big $$$ from needing to purchase a sep card for the 3000.


-----Original Message-----
From: Joseph Brunner [(E-Mail Removed)]
Sent: Sunday, August 18, 2002 1:09 AM
To: (E-Mail Removed)
Cc: NOC
Subject: [vpn3000] VPN 3015 Encryption Throughput test - DES vs. AES


I have tested the following encryption algorithms / modes for maximum
throughput with a stock VPN 3015. The purpose of this test was to see if AES
increased the maximum throughput over DES (3DES). (AES became available as
of VPN Release 3.6 08/09/2002). Without having to upgrade the 3015 to a 3030
(purchasing SEP), we need to get more than the Cisco Stated 4Mbps 3DES limit
out of a VPN wan (using PPTP or L2TP is not an option). Please note the VPN
Concentrator 3005 Model shares the Cisco stated 3DES encryption speed
of 4Mbps.

The test consisted of having a vpn connected workstation (P4, 1.7 / 256MB /
Win2k Pro) retrieve a 700MB file from a FTP Server behind the VPN 3015, once
connected. The FTP server was using the same hardware, running SERV-U FTP
(which has tested at 58Mbps during a lan transfer with the same host). Each
Test transfer was run for 10 Minutes, then the download speed was averaged
from both FTP SERV-U program and the VPN Concentrator
"Monitoring | Sessions | Top Ten Lists | Throughput" page. (The FTP transfer
of a 700MB file only finished on the Local Lan session, it was otherwise cut
off before completion).

Judging from these results it appears AES 128/192/256 does indeed boost
encryption throughput enough to Prevent or Delay the need to purchase a SEP
(upgrade the 3015 to 3030). Cisco States the SEP will allow 45Mbps for 3DES
tunnels, however it is a $8,000 to $10,000 upgrade. Now there seems to be a
more cost effective option for customers who just need 6Mbps to 10Mbps of
Encryption throughput, without sacrificing packet confidentiality.

for information about AES please see http://csrc.nist.gov/encryption/aes/

Results:

3015 to VPN Client (IPSEC Tunnel Mode)

ESP/3DES/MD5 3.5 Unity Client = 5.005 Mbps
ESP/DES/MD5 3.5 Unity Client = 8.048 Mbps

ESP/AES128 3.6 Unity Client = 14.228 Mbps


3015 to 3005 VPN Concentrator Lan-to-Lan (IPSEC Tunnel Mode)

ESP/3DES/MD5 = 2.948 Mbps
ESP/DES/MD5 = 4.927 Mbps

ESP/AES128/MD5 = 13.315 Mbps
ESP/AES192/MD5 = 12.754 Mbps
ESP/AES256/MD5 = 12.526 Mbps


"Cliff Campbell" <(E-Mail Removed)> wrote in message news:<8Rxyb.10925$dO2.2423@lakeread03>...
> It seems to be all over. In addition to non-cisco articles on the matter,
> there are many cisco related articles. One I could find in a quick search
> is the following quote from (CCO login required)
> http://www.cisco.com/en/US/customer/...80148723.shtml
>
> Cisco PIX Firewall VPN Accelerator Card Plus (VAC+) QandA
> "Q. Is there a performance penalty when using AES instead of 3DES?
> A. No. In fact, 128-bit AES is significantly faster than 168-bit 3DES. There
> is very little performance difference between 256-bit AES and 168-bit 3DES."
>
> Another description in cisco docs provides this:
>
> AES-Provides greater security than DES and is computationally more efficient
> than 3DES. AES offers three different key strengths: 128-, 192- and 256- bit
> keys.
>
> Also, the other night when I was originally looking in this, cisco had an
> article about their commitment to standards wrt AES and mentioned that it
> was expected to be faster than 3DES in hardware but that was dated from
> 2001. Also, our WAN monitoring partner, who is also a cisco Gold reseller
> just moved us to AES on our VPN connection for the same reasons.
>
> Cliff
>
>
>
> "Terry Baranski" <(E-Mail Removed)0VE> wrote in message
> news:(E-Mail Removed)...
> > On Sun, 30 Nov 2003 00:53:12 -0700, "Cliff Campbell"
> > <(E-Mail Removed)> wrote:
> >
> > >So I've heard/read that AES in software is faster than 3DES in hardware.

> >
> > Where did you read this?
> >
> > -Terry

>
>

 
Pat Colbeck
      12-02-2003
To clarify this:
AES should be faster than DES all other things being equal, however some
hardware acceleration chips were designed specifically for DES so may not
be so good at AES. A chip designed specifically for AES should be faster
than one for DES given that they have the same clock speed and
complexity (or should be cheaper and the same speed if less complex). AES
should always be faster than DES if implemented in software.

Pat

Patrick Colbeck wrote:

> AES should be faster in general as part of the competition criteria for
> choosing a DES replacement was that the algorithm should be easy for
> computers to err ... compute.
>
> Pat
>
>
> On Sun, 30 Nov 2003 16:14:50 +0000, Walter Roberson wrote:
>
>> In article <rlhyb.10586$dO2.3419@lakeread03>,
>> Cliff Campbell <(E-Mail Removed)> wrote:
>> :So I've heard/read that AES in software is faster than 3DES in hardware.
>> :But I wonder is the same true about AES in software vs DES in hardware.
>>
>> There isn't any general answer. It depends on the hardware
>> implementation.
>>
>> :The
>> :reason I ask is because I am contemplating taking the VPN encryption
>> :card
>> :out of my 1700 and switching from DES to AES. My router won't let me
>> :configure AES while the hardware card is in there because the hardware
>> :card
>> :does not support AES. Security is not a great concern for me. Just
>> :speed.
>>
>> All I can suggest is to test.
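
An added example, not written by any poster in this thread: a sketch of the IOS change the original question describes, moving a site-to-site tunnel from DES to AES-128 with MD5 kept for ESP authentication, followed by the show commands that confirm which transform was negotiated and where the crypto work is being done. The policy number, the names TS-DES, TS-AES128 and VPNMAP, the peer address 192.0.2.1 and ACL 110 are placeholders; it assumes an IOS image with AES support and, per the original post, the DES-only hardware card removed.

```cisco
! --- Before: single DES, the cipher the hardware VPN card handles ---
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS-DES esp-des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-DES
 match address 110
!
! --- After: AES (128-bit is the default key size for "aes"/"esp-aes") ---
! The peer must offer a matching proposal or negotiation fails.
crypto isakmp policy 10
 encr aes
!
crypto ipsec transform-set TS-AES128 esp-aes esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set transform-set TS-AES128
!
! --- Verify from exec mode after the tunnel renegotiates ---
! clear crypto sa                          (force new IPsec SAs)
! show crypto isakmp sa                    (phase 1 is up)
! show crypto ipsec sa                     (transform line lists esp-aes)
! show crypto engine connections active    (which engine holds the SAs)
! show processes cpu                       (CPU load during a transfer)
```

Running the same file transfer under each transform set and comparing throughput alongside the CPU figures is the test the replies above recommend.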


 