[c-nsp] Pix performance

Crist Clark crist.clark at globalstar.com
Tue Jan 31 16:51:22 EST 2006


Kris Amy wrote:
> Hi,
> 
> It could be this. I notice that the docs on cisco.com point to IPsec having
> a 56 byte/packet overhead. Is this correct?

Could be. The amount of overhead when using ESP (which I assume is
what we're really talking about) varies. If you are using tunnel
mode, the original IP header will get pushed down into the payload.
If we assume the encryption is one-to-one and no compression, that
usually adds 20 bytes. The SPI and replay counter are both 32 bits
and always present, so that adds 8 bytes. The encryption used may
or may not include an IV field. The encryption may or may not need
padding and padding can vary from packet to packet. The pad length
and next header fields are one byte each. Finally, the integrity
check value length is variable depending on the algorithm chosen
and may not be present if disabled.

But 56 bytes is feasible depending on the algorithms chosen.

> Also does anyone know what the
> overhead for an SSH tunnel is?

Well, SSH is TCP only so compared to an ESP tunnel, it's just
tunneling application-layer streams. The minimum SSH packet
overhead is about 28 bytes, but also can vary depending on the
cryptographic protocols chosen.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Shalinsky
> Sent: Tuesday, 31 January 2006 2:57 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Pix performance
> 
> Hi,
> 
> I believe that ESP adds around 20 bytes to the standard TCP header.  That
> being said, it won't significantly affect throughput by increasing
> overhead.  The throughput limitation is more due to the encryption process
> being CPU intensive.
> 
> I can't find any pps specs on a 501, but I would think it should be able to
> push more than 1200pps and 0.5 mbps.  For sure, it's not an overhead
> problem.  HTH.
> 
> Regards,
> ~Dan
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 


-- 
Crist J. Clark                               crist.clark at globalstar.com
Globalstar Communications                                (408) 933-4387
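
The ESP tunnel-mode byte accounting from the reply above, worked through as an added example that is not part of the original message. It assumes an IPv4 outer header without options, CBC ciphers whose IV equals the block size, and 96-bit truncated HMACs; the tables and function names are this example's own.

```python
# Added example: per-packet ESP tunnel-mode overhead over IPv4.
# Component sizes follow the ESP packet layout (RFC 4303); the tables and
# names here are constructed for illustration.

OUTER_IPV4_HEADER = 20     # new outer header; the original one moves into the payload
SPI_AND_SEQ = 8            # 32-bit SPI + 32-bit sequence (replay) counter
PAD_LEN_AND_NEXT_HDR = 2   # one byte each, always present

# cipher -> (IV bytes, alignment/block size in bytes)
CIPHERS = {"null": (0, 4), "des-cbc": (8, 8), "3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# integrity algorithm -> ICV bytes (0 when the integrity check is disabled)
AUTH = {"none": 0, "hmac-md5-96": 12, "hmac-sha1-96": 12}


def esp_padding(inner_len, block):
    """Pad bytes needed so inner packet + pad + 2 trailer bytes fill whole blocks."""
    return -(inner_len + PAD_LEN_AND_NEXT_HDR) % block


def esp_tunnel_overhead(inner_len, cipher, auth):
    """Bytes added to an inner IP packet of inner_len bytes."""
    iv, block = CIPHERS[cipher]
    return (OUTER_IPV4_HEADER + SPI_AND_SEQ + iv
            + esp_padding(inner_len, block)
            + PAD_LEN_AND_NEXT_HDR + AUTH[auth])


def overhead_range(cipher, auth):
    """(min, max) overhead; padding cycles with period equal to the block size."""
    _, block = CIPHERS[cipher]
    values = [esp_tunnel_overhead(n, cipher, auth) for n in range(20, 20 + block)]
    return min(values), max(values)


if __name__ == "__main__":
    suites = [("null", "none"), ("3des-cbc", "hmac-sha1-96"), ("aes-cbc", "hmac-sha1-96")]
    for cipher, auth in suites:
        lo, hi = overhead_range(cipher, auth)
        print(f"{cipher:9s} + {auth:13s}: {lo}-{hi} bytes per packet")
    # Constructed inner packet sizes: bare TCP ACK, small datagram, near-MTU segment.
    for inner in (40, 576, 1400):
        oh = esp_tunnel_overhead(inner, "3des-cbc", "hmac-sha1-96")
        print(f"inner {inner:4d} B -> +{oh} B ({100 * oh / inner:.1f}% larger)")
```

With 3DES-CBC and HMAC-SHA1-96 the overhead ranges from 50 to 57 bytes, and a 40-byte inner packet lands on exactly 56, which is consistent with the figure quoted from the Cisco documentation.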


