IPSec AES vs. DES speed question

Discussion in 'Cisco' started by Cliff Campbell, Nov 30, 2003.

  1. So I've heard/read that AES in software is faster than 3DES in hardware.
    But I wonder is the same true about AES in software vs DES in hardware. The
    reason I ask is because I am contemplating taking the VPN encryption card
    out of my 1700 and switching from DES to AES. My router won't let me
    configure AES while the hardware card is in there because the hardware card
    does not support AES. Security is not a great concern for me. Just speed.
    I would have just setup a GRE tunnel if I didn't have a 3005 concentrator
    already. Hope someone knows.
    Thanks
    Cliff
     
    Cliff Campbell, Nov 30, 2003
    #1

  2. In article <rlhyb.10586$dO2.3419@lakeread03>,
    Cliff Campbell <> wrote:
    :So I've heard/read that AES in software is faster than 3DES in hardware.
    :But I wonder is the same true about AES in software vs DES in hardware.

    There isn't any general answer. It depends on the hardware implementation.

    :The
    :reason I ask is because I am contemplating taking the VPN encryption card
    :out of my 1700 and switching from DES to AES. My router won't let me
    :configure AES while the hardware card is in there because the hardware card
    :does not support AES. Security is not a great concern for me. Just speed.

    All I can suggest is to test.
    --
    Warhol's Second Law of Usenet: "In the future, everyone will troll
    for 15 minutes."
     
    Walter Roberson, Nov 30, 2003
    #2

  3. On Sun, 30 Nov 2003 00:53:12 -0700, "Cliff Campbell"
    <> wrote:

    >So I've heard/read that AES in software is faster than 3DES in hardware.


    Where did you read this?

    -Terry
     
    Terry Baranski, Nov 30, 2003
    #3
  4. It seems to be all over. In addition to non-cisco articles on the matter,
    there are many cisco related articles. One I could find in a quick search
    is the following quote from (CCO login required)
    http://www.cisco.com/en/US/customer...030/products_qanda_item09186a0080148723.shtml

    Cisco PIX Firewall VPN Accelerator Card Plus (VAC+) QandA
    "Q. Is there a performance penalty when using AES instead of 3DES?
    A. No. In fact, 128-bit AES is significantly faster than 168-bit 3DES. There
    is very little performance difference between 256-bit AES and 168-bit 3DES."

    Another description in cisco docs provides this:

    AES-Provides greater security than DES and is computationally more efficient
    than 3DES. AES offers three different key strengths: 128-, 192- and 256- bit
    keys.

    Also, the other night when I was originally looking in this, cisco had an
    article about their commitment to standards wrt AES and mentioned that it
    was expected to be faster than 3DES in hardware but that was dated from
    2001. Also, our WAN monitoring partner, who is also a cisco Gold reseller
    just moved us to AES on our VPN connection for the same reasons.

    Cliff



    "Terry Baranski" <0VE> wrote in message
    news:...
    > On Sun, 30 Nov 2003 00:53:12 -0700, "Cliff Campbell"
    > <> wrote:
    >
    > >So I've heard/read that AES in software is faster than 3DES in hardware.

    >
    > Where did you read this?
    >
    > -Terry
     
    Cliff Campbell, Dec 1, 2003
    #4
  5. AES should be faster in general as part of the competition criteria for
    choosing a DES replacement was that the algorithm should be easy for
    computers to err ... compute.

    Pat


    On Sun, 30 Nov 2003 16:14:50 +0000, Walter Roberson wrote:

    > In article <rlhyb.10586$dO2.3419@lakeread03>,
    > Cliff Campbell <> wrote:
    > :So I've heard/read that AES in software is faster than 3DES in hardware.
    > :But I wonder is the same true about AES in software vs DES in hardware.
    >
    > There isn't any general answer. It depends on the hardware implementation.
    >
    > :The
    > :reason I ask is because I am contemplating taking the VPN encryption card
    > :out of my 1700 and switching from DES to AES. My router won't let me
    > :configure AES while the hardware card is in there because the hardware card
    > :does not support AES. Security is not a great concern for me. Just speed.
    >
    > All I can suggest is to test.
     
    Patrick Colbeck, Dec 1, 2003
    #5
  6. Cliff - The article/Q&A you read was for the VAC+. So, I don't think
    they were referring to 128-bit AES in software being faster than 3DES
    in hardware. I'd be really surprised if this were true. But,
    depending on what/how much you are encrypting, and what kind of 1700
    you have, you may be ok with 128-bit AES in software. A 1700 isn't
    exactly a "powerful" router though.

    Mike

    "Cliff Campbell" <> wrote in message news:<8Rxyb.10925$dO2.2423@lakeread03>...
    > It seems to be all over. In addition to non-cisco articles on the matter,
    > there are many cisco related articles. One I could find in a quick search
    > is the following quote from (CCO login required)
    > http://www.cisco.com/en/US/customer...030/products_qanda_item09186a0080148723.shtml
    >
    > Cisco PIX Firewall VPN Accelerator Card Plus (VAC+) QandA
    > "Q. Is there a performance penalty when using AES instead of 3DES?
    > A. No. In fact, 128-bit AES is significantly faster than 168-bit 3DES. There
    > is very little performance difference between 256-bit AES and 168-bit 3DES."
    >
    > Another description in cisco docs provides this:
    >
    > AES-Provides greater security than DES and is computationally more efficient
    > than 3DES. AES offers three different key strengths: 128-, 192- and 256- bit
    > keys.
    >
    > Also, the other night when I was originally looking in this, cisco had an
    > article about their commitment to standards wrt AES and mentioned that it
    > was expected to be faster than 3DES in hardware but that was dated from
    > 2001. Also, our WAN monitoring partner, who is also a cisco Gold reseller
    > just moved us to AES on our VPN connection for the same reasons.
    >
    > Cliff
    >
    >
    >
    > "Terry Baranski" <0VE> wrote in message
    > news:...
    > > On Sun, 30 Nov 2003 00:53:12 -0700, "Cliff Campbell"
    > > <> wrote:
    > >
    > > >So I've heard/read that AES in software is faster than 3DES in hardware.

    > >
    > > Where did you read this?
    > >
    > > -Terry

    >
    >
     
    Mike Gallagher, Dec 1, 2003
    #6
  7. Cliff Campbell

    joe Guest

    this from an old message i posted a while back to the vpn group @ yahoo.
    with aes i saved big $$$ from needing to purchase a sep card for the 3000.


    -----Original Message-----
    From: Joseph Brunner [mailto:]
    Sent: Sunday, August 18, 2002 1:09 AM
    To:
    Cc: NOC
    Subject: [vpn3000] VPN 3015 Encryption Throughput test - DES vs. AES


    I have tested the following encryption algorithms / modes for maximum
    throughput with a stock VPN 3015. The purpose of this test was to see if AES
    increased the maximum throughput over DES (3DES). (AES became available as
    of VPN Release 3.6 08/09/2002). Without having to upgrade the 3015 to a 3030
    (purchasing SEP), we need to get more than the Cisco Stated 4Mbps 3DES limit
    out of a VPN wan (using PPTP or L2TP is not an option). Please note the VPN
    Concentrator 3005 Model shares the Cisco stated 3DES encryption speed of
    4Mbps.

    The test consisted of having a vpn connected workstation (P4, 1.7 / 256MB /
    Win2k Pro) retrieve a 700MB file from a FTP Server behind the VPN 3015, once
    connected. The FTP server was using the same hardware, running SERV-U FTP
    (which has tested at 58Mbps during a lan transfer with the same host). Each
    Test transfer was run for 10 Minutes, then the download speed was averaged
    from both FTP SERV-U program and the VPN Concentrator
    "Monitoring | Sessions | Top Ten Lists | Throughput" page. (The FTP transfer
    of a 700MB file only finished on the Local Lan session, it was otherwise cut
    off before completion).

    Judging from these results it appears AES 128/192/256 does indeed boost
    encryption throughput enough to Prevent or Delay the need to purchase a SEP
    (upgrade the 3015 to 3030). Cisco States the SEP will allow 45Mbps for 3DES
    tunnels, however it is a $8,000 to $10,000 upgrade. Now there seems to be a
    more cost effective option for customers who just need 6Mbps to 10Mbps of
    Encryption throughput, without sacrificing packet confidentiality.

    for information about AES please see http://csrc.nist.gov/encryption/aes/

    Results:

    3015 to VPN Client (IPSEC Tunnel Mode)

    ESP/3DES/MD5 3.5 Unity Client = 5.005 Mbps
    ESP/DES/MD5 3.5 Unity Client = 8.048 Mbps

    ESP/AES128 3.6 Unity Client = 14.228 Mbps


    3015 to 3005 VPN Concentrator Lan-to-Lan (IPSEC Tunnel Mode)

    ESP/3DES/MD5 = 2.948 Mbps
    ESP/DES/MD5 = 4.927 Mbps

    ESP/AES128/MD5 = 13.315 Mbps
    ESP/AES192/MD5 = 12.754 Mbps
    ESP/AES256/MD5 = 12.526 Mbps


    "Cliff Campbell" <> wrote in message news:<8Rxyb.10925$dO2.2423@lakeread03>...
    > It seems to be all over. In addition to non-cisco articles on the matter,
    > there are many cisco related articles. One I could find in a quick search
    > is the following quote from (CCO login required)
    > http://www.cisco.com/en/US/customer...030/products_qanda_item09186a0080148723.shtml
    >
    > Cisco PIX Firewall VPN Accelerator Card Plus (VAC+) QandA
    > "Q. Is there a performance penalty when using AES instead of 3DES?
    > A. No. In fact, 128-bit AES is significantly faster than 168-bit 3DES. There
    > is very little performance difference between 256-bit AES and 168-bit 3DES."
    >
    > Another description in cisco docs provides this:
    >
    > AES-Provides greater security than DES and is computationally more efficient
    > than 3DES. AES offers three different key strengths: 128-, 192- and 256- bit
    > keys.
    >
    > Also, the other night when I was originally looking in this, cisco had an
    > article about their commitment to standards wrt AES and mentioned that it
    > was expected to be faster than 3DES in hardware but that was dated from
    > 2001. Also, our WAN monitoring partner, who is also a cisco Gold reseller
    > just moved us to AES on our VPN connection for the same reasons.
    >
    > Cliff
    >
    >
    >
    > "Terry Baranski" <0VE> wrote in message
    > news:...
    > > On Sun, 30 Nov 2003 00:53:12 -0700, "Cliff Campbell"
    > > <> wrote:
    > >
    > > >So I've heard/read that AES in software is faster than 3DES in hardware.

    > >
    > > Where did you read this?
    > >
    > > -Terry

    >
    >
     
    joe, Dec 1, 2003
    #7
  8. Cliff Campbell

    Pat Colbeck Guest

    To clarify this:
    AES should be faster than DES all other things being equal, however some
    hardware acceleration chips were designed specifically for DES so may not
    be so good at AES. A chip designed specifically for AES should be faster
    than one for DES given that they have the same clock speed and
    complexity (or should be cheaper and the same speed if less complex). AES
    should always be faster than DES if implemented in software.

    Pat

    Patrick Colbeck wrote:

    > AES should be faster in general as part of the competition criteria for
    > choosing a DES replacement was that the algorithm should be easy for
    > computers to err ... compute.
    >
    > Pat
    >
    >
    > On Sun, 30 Nov 2003 16:14:50 +0000, Walter Roberson wrote:
    >
    >> In article <rlhyb.10586$dO2.3419@lakeread03>,
    >> Cliff Campbell <> wrote:
    >> :So I've heard/read that AES in software is faster than 3DES in hardware.
    >> :But I wonder is the same true about AES in software vs DES in hardware.
    >>
    >> There isn't any general answer. It depends on the hardware
    >> implementation.
    >>
    >> :The
    >> :reason I ask is because I am contemplating taking the VPN encryption
    >> :card
    >> :out of my 1700 and switching from DES to AES. My router won't let me
    >> :configure AES while the hardware card is in there because the hardware
    >> :card
    >> :does not support AES. Security is not a great concern for me. Just
    >> :speed.
    >>
    >> All I can suggest is to test.
     
    Pat Colbeck, Dec 2, 2003
    #8
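
Following the advice in post #2 to test rather than assume, here is an added example (not posted by anyone in the thread) that measures software CBC-mode encryption throughput for 3DES and AES-128/192/256 on whatever machine runs it. It assumes the third-party Python `cryptography` package, which offers no single-DES cipher, so DES is left out; the 64 KiB chunk and 4 MiB total are arbitrary choices, and the numbers say nothing about a 1700 or a VPN 3015.

```python
import os
import time

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

try:  # newer releases keep 3DES in the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:  # older releases only have it here
    TripleDES = algorithms.TripleDES

CHUNK = 64 * 1024  # assumption: large chunks so Python call overhead stays small


def throughput_mbps(algorithm, total_bytes=4 * 1024 * 1024):
    """Encrypt about total_bytes in CBC mode and return the rate in Mbit/s."""
    iv = os.urandom(algorithm.block_size // 8)   # block_size is in bits
    encryptor = Cipher(algorithm, modes.CBC(iv)).encryptor()
    data = os.urandom(CHUNK)                     # multiple of 8 and 16 bytes
    rounds = max(1, total_bytes // CHUNK)
    start = time.perf_counter()
    for _ in range(rounds):
        encryptor.update(data)                   # CBC chaining carries across calls
    elapsed = time.perf_counter() - start
    return rounds * CHUNK * 8 / elapsed / 1e6


def compare(total_bytes=4 * 1024 * 1024):
    """Return {name: (Mbit/s, speed relative to 3DES)} with random test keys."""
    ciphers = {
        "3DES-168": TripleDES(os.urandom(24)),
        "AES-128": algorithms.AES(os.urandom(16)),
        "AES-192": algorithms.AES(os.urandom(24)),
        "AES-256": algorithms.AES(os.urandom(32)),
    }
    rates = {name: throughput_mbps(alg, total_bytes) for name, alg in ciphers.items()}
    base = rates["3DES-168"]
    return {name: (rate, rate / base) for name, rate in rates.items()}


if __name__ == "__main__":
    for name, (rate, ratio) in compare().items():
        print(f"{name:9s} {rate:10.1f} Mbit/s  {ratio:6.2f}x 3DES")
```

This times the bulk cipher only: it leaves out the MD5 authentication, per-packet ESP processing and forwarding work that the tunnel figures in post #7 include.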