On Thu, 2006-06-08 at 13:27 -0400, Paul Moore wrote:
> Joy Latten wrote:
> > On Wed, 2006-06-07 at 22:57 -0400, Paul Moore wrote:
> >
> >>On Wednesday 07 June 2006 8:14 pm, Joy Latten wrote:
> >>
> >>>The networking hooks using IPSec were stressed with netperf
> >>>sending constant stream of tcp and udp packets.
> >>>All tests have completed successfully!
> >>>
> >>>All tests had following configuration:
> >>>Pseries lpars running FC5
> >>>IPSec was configured to use:
> >>> - ESP (Encapsulating Security Payload)
> >>> - security label, "system_u:object_r:unlabeled_t:s0"
> >>
> >>Out of curiosity, what algorithms did you use? Also, did you test AH? Not
> >>that I suspect the results will be much different but I believe that is what
> >>people plan on evaluating ...
> >>
> >
> > I used 3des and now that you have mentioned it, I should have included
> > AH too or at least enabled authentication in ESP. But I was more
> > interested in stress testing than functional testing and only included
> > the performance numbers for the heck of it. I believe when we did
> > functional testing we did try both, 3des for ESP and sha1 for AH. But I
> > have not yet tried AES algorithm for ESP.
> >
> > I will try this again (performance run, not stress testing) later with
> > authentication enabled and with ESP-3des, ESP-aes, and send results to
> > list as an FYI.
> >
>
> Okay thanks for the update, I was more curious than anything else. For
> what it is worth, it is probably a good idea to always test ESP with
> authentication if you are not using AH as well. If I recall correctly
> there was a (somewhat obvious) CERT/MITRE advisory a few years ago about
> running ESP without auth or AH and as a result I think the common case
> with ESP-only will be with auth enabled.
>

Yes, I agree. I usually do include authentication, so it was a slip-up
on my part for forgetting. I won't forget the next time. :-)
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
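
The thread's point about running ESP without authentication or AH can be checked mechanically before a test run. The following is an added example, not part of the original messages: it assumes the SAs are keyed manually in ipsec-tools `setkey` syntax (the thread does not say how they were configured), and the addresses, SPIs, keys and function names are constructed for illustration.

```python
import shlex

# Constructed sample in ipsec-tools setkey syntax (an assumption; the thread
# shows no configuration). Addresses, SPIs and keys are placeholders.
SAMPLE = '''
# A -> B: ESP encryption only, no integrity protection at all
add 192.0.2.1 192.0.2.2 esp 0x201 -E 3des-cbc "KEY-PLACEHOLDER";
# B -> A: ESP with its own authentication algorithm
add 192.0.2.2 192.0.2.1 esp 0x202 -E 3des-cbc "KEY-PLACEHOLDER" -A hmac-sha1 "KEY-PLACEHOLDER";
# C -> D: ESP encryption only, but an AH SA exists for the same pair
add 192.0.2.3 192.0.2.4 esp 0x203 -E rijndael-cbc "KEY-PLACEHOLDER";
add 192.0.2.3 192.0.2.4 ah 0x204 -A hmac-sha1 "KEY-PLACEHOLDER";
'''

def parse_sas(text):
    """Return one dict per `add` statement (hypothetical helper).

    Simplification: assumes '#' and ';' never occur inside quoted keys.
    """
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    sas = []
    for stmt in body.split(";"):
        tok = shlex.split(stmt)
        if len(tok) < 5 or tok[0] != "add":
            continue
        args = tok[1:]
        while args and args[0].startswith("-"):  # skip leading -4 / -6 / -n
            args = args[1:]
        if len(args) < 4:
            continue
        src, dst, proto, spi = args[:4]
        opts = args[4:]
        sas.append({"src": src, "dst": dst, "proto": proto, "spi": spi,
                    "enc": "-E" in opts, "auth": "-A" in opts})
    return sas

def unauthenticated_esp(text):
    """SPIs of ESP SAs that encrypt without -A and have no AH SA for the
    same src/dst pair. Whether AH is really applied depends on the policy
    (spdadd), which this sketch does not inspect."""
    sas = parse_sas(text)
    ah_pairs = {(s["src"], s["dst"]) for s in sas
                if s["proto"] == "ah" and s["auth"]}
    return [s["spi"] for s in sas
            if s["proto"] == "esp" and s["enc"] and not s["auth"]
            and (s["src"], s["dst"]) not in ah_pairs]

if __name__ == "__main__":
    print("ESP SAs without integrity protection:", unauthenticated_esp(SAMPLE))
```
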
