Tom Dunigan's VPN performance

Virtual Private Network Performance

Starting in the summer of 1996, we conducted a number of evaluations of VPN hardware and software. Several of the hardware solutions had problems tunneling UDP packets that were bigger than the local network MTU (IP fragmentation). The PIX unit was corrected, but the NetFortress box still (10/1/96) and the Compatible box (5/99) fails to tunnel UDP larger than the Ethernet MTU when using 3DES, ok with DES. Tunneling throughput was measured over a range of packet sizes with TCP and UDP.

Test environment

Test generators (ttcp, 1K packets, TCP, isolated Ethernet) (Revised 9/18/96) mist 90MHz Pentium Linux 1.2.13 charade 120MHz Pentium Linux 1.2.13 (or NetBSD) (md5: 6.1 MBs des-cbc 970 KBs) puffin 166MHz Pentium NetBSD +NRL ipv6 (md5: 8.5MBs, des-cbc 1.3 MBs) maya 166MHz Pentium Linux 1.2.13 ISAKMP key exchange: 2.3 seconds (ikmpd jul196 + 8/6/96 mods) PIX Version 2.7.10 with Newbridge ISA DES board CA95C68-16CP host -- PIX ---ether --- PIX -- host (same for NetFortress) IPv4 We also did encrypted-tunnel testing between two Cisco routers (IOS software encryption), but Cisco requests that we not publish those performance numbers (4/97). Througput HARDWARE throughput KBs mist-charade 893 PIX no encryption 626 PIX encrypted 309 Netfortress 181 SOFTWARE IPv4/6 crypto (ttcp -A2 and/or -T2) charade-puffin v4 clear 884 v4 A2 765 v4 T2 505 v4 T2+A2 421 v6 clear 822 v6 A2 690 v6 T2 472 v6 A2+T2 393 Application-level crypto charade-maya ttcp with des/md5 (contention) nuance/thistle (200MHz) idle clear 850 998 md5 714 965 des-cbc 572 953 md5+des 495 961 SSH crypto (ttcp tunneled through ssh ) charade->puffin clear (no tunnel) 925 none (no encryption) 794 RC4 685 TSS (MD5 stream cipher) 676 DES 437 IDEA 369 3DES 222 SunSkip Win95 (charade/mist) 12/97 clear 800 encrypt (RC2-40) 200 pptp tests (200 MHz Pentiums, NT) 6/98 a===B---c direct 1037 KBs pptp-clear 812 pptp-RC4 811 Checkpoint Firewall1/Securemote v3 tests a==NT--b (7/98) NT 200 MHz dual pentium pro, NT 4/sp3 with hotfixes, a-b clear 953 FWZ1 400 DES 280 Cylink a -- cy ==== cy -- b (7/98) a-b clear 1005 DES 1005 Compatible VPN a====V---b 5/99 a/b 200 MHz/linux a-b direct 1087 DES 774 3DES 430 Linux Free/SWAN a--X====Y--b X/Y 450 MHz 100 Mbs 6/99 a-b clear 1185 KBs 3DES 1375 KBs go figure? using an ssh-3des tunnel: 821 KBS Linux NIST's IPsec a===b a 450 MHz b 300 MHz 10 Mbs (7/99) a-b clear 850 KBs 3DES/md5 tunnel 758 ttcp3des-md5 857 Latency 8 byte UDP echo, minimum rd trip time (microseconds) direct Ether (charade <--> nimbus linux/166 4/29/97) microseconds clear 450 md5 467 des/cbc 494 md5+des 525 charade <-> puffin NetBSD NRL ipv6 microseconds PIX-clear 784 PIX-enc 2084 NetFortress 2729 v6 733 v6 A2 1292 v6 T2 1517 v6 A2+T2 2145 v4 593 v4 A2 1256 v4 T2 1265 v4 A2+T2 2001 sunskip charade->mist win95 clear 1519 encrypt 4205 pptp tests (200 MHz Pentiums, NT) direct 325 pptp-clear 628 ppt-rc4 633 Firewall1/securemote a==NT--b a-b clear 902 FWZ1 1650 DES 1650 Cylink a -- cy ==== cy -- b (200 and 166 MHz pentiums) clear 560 (a-b) DES 1763 streaming rate (4300 pps, clear direct: 14000 pps) Compatible (several router hops) des 3166 3des 3243 Linux Free/SWAN a--X==Y--b clear 421 3des 678 Linux NIST IPsec clear 284 3des 677

The effect of encryption on network performance may be worse for modems that do compression. The encrypted packets will not compress and so effective throughput will be further reduced unless the application has done compression before encryption.


Last Modified Sunday, 10-Jun-2001 19:38:18 EDT thd@ornl.gov (touches: 213751 ) Back to VPN page
also see USDA Cisco tunnel performance
Other security related links can be found here.