Date: Thu, 8 Nov 2001 10:54:21 +1000
From: Nick Slager <ns@BlueSkyFrog.COM>
To: Darren Reed <avalon@cairo.anu.edu.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: KAME IPsec on low-end hardware
Message-ID: <20011108105421.A3785@BlueSkyFrog.COM>
In-Reply-To: <20011107223149.A31603@BlueSkyFrog.COM>; from ns@BlueSkyFrog.COM on Wed, Nov 07, 2001 at 10:31:49PM +1000
References: <20011107163846.H25762@BlueSkyFrog.COM> <200111070830.fA78Uu0W029670@cairo.anu.edu.au> <20011107223149.A31603@BlueSkyFrog.COM>

Thus spake Nick Slager (ns@BlueSkyFrog.COM):

> Thus spake Darren Reed (avalon@cairo.anu.edu.au):
>
> > > 64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=34.032 ms
> > > 64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=33.999 ms
> > >
> > > With IPsec not active, response times are "normal" (~ 0.5ms)
> >
> > That doesn't sound normal to me.
> >
> > I've been using IPsec on an OpenBSD/sparc (IPX) box which is
> > definitely not faster than either the DX4/100 or P90 and my
> > ping times are still in the 3-5 ms range to a NetBSD/Celeron-533.
> > In the absence of IPsec, ping times are sub-1ms. These are
> > on the same LAN (no router between them), however. That is
> > using DES-MD5.
>
> Hmmm, odd. I've just changed the encryption/hash to DES/MD5.
> No change in response times.

Hmmm, seems that I failed to do this correctly last night :-\

Changing the encryption/hash to DES/MD5 *does* indeed make a difference
to response times; I'm consistently seeing rtt times of 13-14ms now.

Compare this to the "default" triple-DES/SHA-1 scheme, which
consistently comes in at 33-34ms.

I suspect that compression would also affect response times, but
omitting:

    compression_algorithm deflate;

from racoon.conf results in a parse error. Does anyone know if
compression can be disabled?

Also, is there much difference between racoon and isakmpd? AFAICT
isakmpd supports dynamic client IP addresses, but that seems to be the
only major difference.

Regards,

Nick

--
Excuse of the day: Internet outage

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message