jdmtPremium
join:2002-05-06
Seattle, WA | Best IPSec Tunnel Encryption for Throughput? I'm wondering what the best IPSec Tunnel Encryption option on an older ZyWALL is for Throughput (not security)? I typically use ESP-3DES-SHA1, but I'm sure that option adds a fair bit of overhead and workload, especially on an older ZyNOS device.
Thinking ESP-DES-MD5 would be more lightweight and possibly faster. Any thoughts? |
|
| Depends, some of the older ZyWALLs had chips to assist with the encryption, if you got one such model, then it depends on what that piece of silicon is able to chew the best.
--
"Perl is executable line noise, Python is executable pseudo-code."
|
|
jdmtPremium
join:2002-05-06
Seattle, WA | I took this from my ZyWALL P1 Built In Help: "Longer keys require more processing power, resulting in increased latency and decreased throughput."
So I guess the order of preferefernece of Enctyption Protocols for max performance would be:
1. DES (56bit)
2. AES128
3. 3DES (168bit)
4. AES192
5. AES256
For Authentication, the help says: "Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower." - I think this should only be a 1 time hit when setting up the tunnel however, so I'll stick with SHA1.
I'll do some experimenting and see if there is a detectable difference between these. |
|
