From owner-freebsd-security  Wed Nov  7  4:31:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from blue.blueskyfrog.com (blue.blueskyfrog.com [203.185.223.22])
	by hub.freebsd.org (Postfix) with ESMTP id C225437B416
	for <freebsd-security@freebsd.org>; Wed,  7 Nov 2001 04:31:51 -0800 (PST)
Received: from gold.internal.blueskyfrog.com ([192.168.121.34])
	by blue.blueskyfrog.com with esmtp (Exim 3.12 #1 (Debian))
	id 161Rrx-0001TN-00; Wed, 07 Nov 2001 22:31:49 +1000
Received: from ns by gold.internal.blueskyfrog.com with local (Exim 3.12 #1 (Debian))
	id 161Rrx-0008E3-00; Wed, 07 Nov 2001 22:31:49 +1000
Date: Wed, 7 Nov 2001 22:31:49 +1000
From: Nick Slager <ns@BlueSkyFrog.COM>
To: Darren Reed <avalon@cairo.anu.edu.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: KAME IPsec on low-end hardware
Message-ID: <20011107223149.A31603@BlueSkyFrog.COM>
References: <20011107163846.H25762@BlueSkyFrog.COM> <200111070830.fA78Uu0W029670@cairo.anu.edu.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200111070830.fA78Uu0W029670@cairo.anu.edu.au>; from avalon@cairo.anu.edu.au on Wed, Nov 07, 2001 at 07:30:56PM +1100
X-Homer: Whoohooooooo!
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Thus spake Darren Reed (avalon@cairo.anu.edu.au):

> > 64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=34.032 ms
> > 64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=33.999 ms
> > 
> > With IPsec not active, response times are "normal" (~ 0.5ms)
> 
> That doesn't sound normal to me.
> 
> I've been using IPsec on a OpenBSD/sparc (IPX) box which is
> definately not faster than either the DX4/100 or P90 and my
> ping times are still in the 3-5 ms range to a NetBSD/Celeron-533.
> In the absence of IPsec, ping times are sub-1ms.  These are
> on the same LAN (no router between them), however.  That is
> using DES-MD5.

Hmmm, odd. I've just changed the encryption/hash to DES/MD5.
No change in response times.

I will take the router box out of the loop tomorrow and
see how things go, but don't think that's the problem.


Nick

-- 
Excuse of the day:
Password is too complex to decrypt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message