 genekoh
join:2009-05-18 australia
AES vs 3DES on Netgear FVS114
Hi there
I've read up on AES vs 3DES encryption. Most of the articles that I have found suggest AES throughput would be greater than 3DES. Obviously this is still dependent on your hardware.
I decided that I would test this on the spare equipment we have at work. The setup involves 2 Netgear FVS114 units (to create the VPN tunnel) with a notebook at either end.
I used Qcheck to check for TCP throughput and ping. Here are the results that I obtained, which were quite surprising considering what I have been reading.
3DES (SHA1) - It's 3DES as I skipped DES altogether - Ping Ave: 3ms, Throughput: 7.2Mbps
AES128 (SHA1) - Ping Ave: 5ms, Throughput: 1.7Mbps
AES192 (SHA1) - Ping Ave: 5ms, Throughput: 1.5Mbps
AES256 (SHA1) - Ping Ave: 6ms, Throughput: 1.3Mbps
I am assuming that the Netgear FVS114 units are extremely bad at AES but this is purely an assumption. Can anyone shed any light on the Netgear FVS114 AES results?
Thanks.
Gene
 rjs1003
join:2002-12-04 united kingd
I don't know but I can make an educated guess:
You are correct that 3DES encryption is more difficult to compute than AES... however, a lot of devices don't compute the encryption using their main processor - they offload the encryption to a specialist crypto chip. My guess is that (true for a lot of older routers) the crypto chip on that unit only supports DES & 3DES... therefore when you do either of those, it'll run at a reasonable speed (and probably the same speed for both DES & 3DES)... AES is not supported by the crypto chip, so it has to be computed in the router's main processor and so not only goes slower but also slows down the stronger the encryption (and probably also slows down other routed traffic too if encryption is being used).
Having said all that, even your 3DES performance isn't great. If it has hardware acceleration it's pretty poor if it can't manage 20-30Mbps... so perhaps Netgear just use very weedy processors!
Bob