On 2019-06-10, mabi <mabi@protonmail.ch> wrote:
> Bypassing the IPsec tunnel I get around 500 Mbit/s of bandwidth throughput which is quite satisfying. The bandwidth throughput over my IPsec tunnel achieves a max of 80 Mbit/s which I was sort of expecting with the default encryption settings (auth hmac-sha2-256 enc aes-256).
It helps to understand that the authentication algorithm can require
as much or more CPU than the encryption. HMAC-SHA2 is expensive.
On hardware that has AES-NI support, like the APU2 family, AES-GCM
is generally the fastest encryption/authentication combo.
> In order to increase bandwidth throughput over my IPsec tunnel I wanted to know what you guys think is a good compromise between performance and security? I was thinking for example of changing the encryption cipher to aes-128 instead of aes-256 and maybe blowfish? What would you recommend?
AES-128 is good enough, although on the APU2 family with AES-NI it
seems to be only marginally faster than AES-256.
Don't use Blowfish. It's obsolete. And its reputation for speed
precedes the introduction of AES.
> Anything else I should be looking at? maybe like a hardware crypto accellerator miniPCI card compatible with the APU4 and OpenBSD?
No, that was 15 years ago.
--
Christian "naddy" Weisgerber naddy@mips.inka.de
No comments:
Post a Comment