----- Original Message -----
> From: "Ted Unangst" <t...@tedunangst.com>
> To: "Stuart Henderson" <s...@spacehopper.org>
> Cc: misc@openbsd.org
> Sent: Monday, April 2, 2012 7:42:01 PM
> Subject: Re: openbsd / ipsec / hardware
> 
> On Mon, Apr 02, 2012, Stuart Henderson wrote:
> >> i'm using a simple scp of a 100MB file. scp reports its transmission
> >> speed. and i'm comparing the same transmission of the same file
> >> between the same two hosts with and without vpn encryption. it may
> >> not be the best or most accurate measurement, but i believe it gives
> >> me the information i'm looking for.
> > 
> > Sorry, this is a horrible way to measure connection speed.
> > Plain ftp would be better, but something that doesn't also measure
> > disk throughput would be better still (tcpbench, iperf etc).
> 
> I'll take the dissenting view here.  We often criticize people for
> putting too much emphasis on fake benchmarks and ignoring real world
> performance data.  Here we have somebody actually testing the same
> thing he's going to be using (maybe).  A few other tests may provide
> an insight into the problem, but at the end of the day, they
> aren't going to determine whether the ipsec link is usable or not.
> 
> > Also if you're testing from the router itself note that results
> > when testing from another machine which connects through the router
> > are likely to be very different.
> 
> This is very true.

ted, that was my thought as well ... i chose scp because this link will
be used to sync data offsite via rsync, and a few other methods. while
tcpbench is a nifty tool, it doesn't really show me what i need to see.

i currently have a freebsd box on one side of the connection and linux
on the other. i will eventually have openbsd on both sides with which
i could use tcpbench, but again that doesn't seem to matter at this time.
each box has 4GB of memory, so i figured the 100MB file would be 
transmitted to/from RAM in the first place. and as far as i'm aware 
even the slowest sata disk can handle the slow connection i'm attempting
to test, so disk throughput shouldn't be a factor. and i'm not testing
from router to router, but across both routers.

and of course, my measurements are comparisons between transmissions
with and without vpn. so the difference between the two shows the overhead
of the vpn, and that's what i'm trying to work on here.

i know that the alix has hardware crypto supporting aes-128-cbc. one thing
that was unclear to me was, on the openbsd ipsec side, whether 
aes == aes-128 == aes-128-cbc ... my assumption was YES, after seeing that
aes/aes-128 are both 3 times faster than des on this hardware - but then
i found that blowfish and aes-256 are both faster as well, so at this point
i'm still not sure i'm even getting anything out of the hardware crypto.

one ah-hah, though, was that the scp command was reporting megabytes
per second, not megabits per second as was being reported by another user
here. so there was confusion on my part.
