FYI: AES-256 vs. 3DES performance on PIX 515/520

Discussion in 'Cisco' started by John Caruso, Apr 29, 2004.

  1. John Caruso

    John Caruso Guest

    I've recently been informally testing the performance of PIX IPSEC tunnels
    using both 3DES and AES-256 between a PIX 515 and a PIX 520 (both running
    6.3(3)), and I thought I'd share the (informal) results with everyone else,
    since there appears to be a lot of interest in this but not a lot of
    information out there.

    We're performing large transfers over an IPSEC connection (namely,
    snapmirror transfers being initiated by a Netapp filer). The transfer
    speed was throttled to 1.5Mbps by virtue of traversing a T1, and the T1
    was fully saturated during the transfers. Here are the figures for CPU
    utilization during extended transfers:

    PIX 515/3DES: 20-22%
    PIX 515/AES: 17-18%

    PIX 520/3DES: 9-11%
    PIX 520/AES: 5-7%

    As you can see, AES-256 consistently showed slightly lower CPU impact
    than 3DES, on both of the PIXes. It's not clear how this would scale at
    higher bandwidths, but the implication does seem to be that AES is a
    slight performance win over 3DES on these PIX models.

    Also FYI, it appeared that we were able to send about 560MB/hour worth of
    unencrypted data (i.e., 560MB worth of actual data from the filer had been
    sent over the IPSEC link in an hour of full T1 utilization). I don't have
    hard figures, but I believe we were previously achieving in the range of
    600-630MB/hour over a dedicated T1 without any encryption. So it appears
    there's around 10% or more worth of overhead for the encryption (these
    figures are for 3DES; I haven't analyzed AES-256 yet to see what the
    overhead is like, though I'm assuming it'll be similar).

    If anyone else has done any similar testing, I'd like to hear your results.

    - John
     
    John Caruso, Apr 29, 2004
    #1
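Added example, not part of the original posts: a Python model of the per-packet ESP tunnel-mode framing cost for 3DES-CBC and AES-CBC, which is one component of the throughput overhead discussed in post #1. The HMAC-96 integrity check, IPv4 without NAT-T, the T1 payload rate of 1.536 Mbps and the sample packet sizes are assumptions; the thread does not state them.

```python
"""ESP tunnel-mode framing overhead for 3DES-CBC vs AES-CBC (added example)."""

OUTER_IP = 20      # outer IPv4 header, no options
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV = 12           # assumption: HMAC-MD5-96 or HMAC-SHA1-96 authentication

# CBC block size in bytes; the per-packet IV is one block long.
CIPHER_BLOCK = {"3des": 8, "aes-256": 16}


def esp_packet_size(inner_len, cipher):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    block = CIPHER_BLOCK[cipher]
    # Payload plus trailer is padded up to a multiple of the block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HEADER + block + padded + ICV


def overhead_pct(inner_len, cipher):
    """Framing overhead as a percentage of the bytes put on the wire."""
    wire = esp_packet_size(inner_len, cipher)
    return 100.0 * (wire - inner_len) / wire


def mb_per_hour(link_bps, inner_len, cipher):
    """Inner-packet megabytes per hour if framing were the only cost."""
    wire = esp_packet_size(inner_len, cipher)
    return link_bps / 8 * 3600 * inner_len / wire / 1e6


if __name__ == "__main__":
    T1_PAYLOAD_BPS = 1_536_000    # assumption: T1 payload rate (24 x 64 kbps)
    for size in (64, 576, 1400):  # constructed sample inner packet sizes
        for cipher in CIPHER_BLOCK:
            print(f"{size:5d} B  {cipher:8s} "
                  f"wire={esp_packet_size(size, cipher):5d} B  "
                  f"overhead={overhead_pct(size, cipher):5.1f}%  "
                  f"{mb_per_hour(T1_PAYLOAD_BPS, size, cipher):6.1f} MB/h")
```

The model covers framing bytes only; CPU cost, inner TCP/IP headers and link-layer framing are outside it.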

  2. joe

    joe Guest

    When AES came out for the VPN 3000 series (3.6, August 2002),
    I did some tests.
    AES-128, AES-192, AES-256 all doubled the Mbps of 3DES.
    The 3005, 3015 is stated to run about 4Mbps by Cisco. (This is like
    a hub, shared by in/out current levels.)

    AES 128 especially took it to 12Mbps+

    AES really is more CPU friendly!



    John Caruso <> wrote in message news:<>...
    > I've recently been informally testing the performance of PIX IPSEC tunnels
    > using both 3DES and AES-256 between a PIX 515 and a PIX 520 (both running
    > 6.3(3)), and I thought I'd share the (informal) results with everyone else,
    > since there appears to be a lot of interest in this but not a lot of
    > information out there.
    >
    > We're performing large transfers over an IPSEC connection (namely,
    > snapmirror transfers being initiated by a Netapp filer). The transfer
    > speed was throttled to 1.5Mbps by virtue of traversing a T1, and the T1
    > was fully saturated during the transfers. Here are the figures for CPU
    > utilization during extended transfers:
    >
    > PIX 515/3DES: 20-22%
    > PIX 515/AES: 17-18%
    >
    > PIX 520/3DES: 9-11%
    > PIX 520/AES: 5-7%
    >
    > As you can see, AES-256 consistently showed slightly lower CPU impact
    > than 3DES, on both of the PIXes. It's not clear how this would scale at
    > higher bandwidths, but the implication does seem to be that AES is a
    > slight performance win over 3DES on these PIX models.
    >
    > Also FYI, it appeared that we were able to send about 560MB/hour worth of
    > unencrypted data (i.e., 560MB worth of actual data from the filer had been
    > sent over the IPSEC link in an hour of full T1 utilization). I don't have
    > hard figures, but I believe we were previously achieving in the range of
    > 600-630MB/hour over a dedicated T1 without any encryption. So it appears
    > there's around 10% or more worth of overhead for the encryption (these
    > figures are for 3DES; I haven't analyzed AES-256 yet to see what the
    > overhead is like, though I'm assuming it'll be similar).
    >
    > If anyone else has done any similar testing, I'd like to hear your results.
    >
    > - John
     
    joe, Apr 29, 2004
    #2