FYI: AES-256 vs. 3DES performance on PIX 515/520

 
 
John Caruso
      04-29-2004
I've recently been informally testing the performance of PIX IPSEC tunnels
using both 3DES and AES-256 between a PIX 515 and a PIX 520 (both running
6.3(3)), and I thought I'd share the (informal) results with everyone else,
since there appears to be a lot of interest in this but not a lot of
information out there.

We're performing large transfers over an IPSEC connection (namely,
snapmirror transfers being initiated by a Netapp filer). The transfer
speed was throttled to 1.5Mbps by virtue of traversing a T1, and the T1
was fully saturated during the transfers. Here are the figures for CPU
utilization during extended transfers:

PIX 515/3DES: 20-22%
PIX 515/AES: 17-18%

PIX 520/3DES: 9-11%
PIX 520/AES: 5-7%

As you can see, AES-256 consistently showed slightly lower CPU impact
than 3DES, on both of the PIXes. It's not clear how this would scale at
higher bandwidths, but the implication does seem to be that AES is a
slight performance win over 3DES on these PIX models.

Also FYI, it appeared that we were able to send about 560MB/hour worth of
unencrypted data (i.e., 560MB worth of actual data from the filer had been
sent over the IPSEC link in an hour of full T1 utilization). I don't have
hard figures, but I believe we were previously achieving in the range of
600-630MB/hour over a dedicated T1 without any encryption. So it appears
there's around 10% or more worth of overhead for the encryption (these
figures are for 3DES; I haven't analyzed AES-256 yet to see what the
overhead is like, though I'm assuming it'll be similar).

If anyone else has done any similar testing, I'd like to hear your results.

- John
 
 
 
 
 
joe
 
      04-29-2004
When AES came out for the VPN 3000 series (3.6, August 2002),
I did some tests.
AES-128, AES-192, AES-256 all doubled the Mbps of 3DES.
The 3005, 3015 is stated to run about 4Mbps by Cisco. (this is like
a hub, shared by in/out current levels).

AES 128 especially took it to 12Mbps+

AES really is more CPU friendly!




 