> Over the past few days I've received some very helpful guidance about
> assembling LEAF VPN appliances to handle multi-megabit 3DES encryption
> throughput rates; and I really appreciate the guidance given this Mac & NT
> geek (& linux newbie).
>
> However, since LEAF is essentially a small, stripped down (yet robust!)
> router that fits on 1 or 2 floppies, is there another router/encryption
> project out there in *nix land that's more suited for high capacity, i.e.
> something on the order of an Intel NetStructure 31xx VPN gateway
> <http://www.intel.com/network/idc/products/vpn_gateway.htm>?
Do not make the mistake of equating "stripped down" with "low capacity". The capacity of a LEAF system is related to the hardware you install it on. Use a 486 with NE2000 ISA NICs, and you'll be lucky to get 5 or 6 MBits/sec (although this is fine for most cable/DSL users). Upgrade to a Pentium class system with good PCI NICs, and you'll get a router system that can come close to saturating several 100 MBit links.

Since you're mainly interested in encryption throughput, I refer you again to the FreeS/WAN performance page:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/performance.html

Testing with single processor 733 MHz Pentium III systems, and measuring with ttcp, unencrypted traffic moved at 10644-11320 KB/s, or about 92 MBits/s (that's a pretty saturated 100Mbit ethernet link!). Adding encryption overhead caused these speeds to drop by about 1/3, to 3268-3402 KB/s, or about 27 MBits/s.

With much faster systems available today, and taking into account the fact that the encrypted throughput numbers above are for the end-end TCP connection (ie the actual traffic on the encrypted link is running at a higher bandwidth, due to the IPSec protocol overhead), I don't think you're going to have trouble saturating your internet connections. IIRC, you indicated you were starting with a T1, which can easily be kept saturated by a Pentium-1 class system (ie P90-133), even when running encryption. The 733 MHz systems above provide you with about a 20X margin for future growth, with a modern 1.5 MHz single CPU system likely providing 40-50x your initial T1 requirement.

The intel system with hardware crypto acceleration only provides a peak performance of 95 MBits/s. You should be able to match this using linux and FreeS/WAN with a 2.5-3 GHz CPU...these may not be available today, but it won't be long until they are.
If your customers are seriously going to be using more bandwidth than a modern fast CPU can encrypt/decrypt, you should have no problem jumping to a high-end dedicated VPN endpoint solution...while these systems are quite expensive, the purchase price will likely be lost in the noise of your monthly bandwidth charges...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user