IPSEC performance MD5 vs SHA

RouterOS General
1

hello,

I’ve done some testing with RB433 and IPSEC performance.
I have noticed something strange or maybe normal.. not sure.

If I use MD5 in Proposal Auth. Algorithem then I get:

  1. AES-128 → 15 Mbit/s
  2. 3DES → 5,5 Mbit/s

But If I use SHA1 in Proposal Auth. Algorithem then I get:

  1. AES-128 → 2 Mbit/s
  2. 3DES → 1,7 Mbit/s

RB433 CPU is always on 100% load
Copy large file via SMB from one LAN to Another (Win7 Pro)
I also tried IPSEC to Cisco ASA on one end and the speed is the same.. Cisco is not the limiting factor!

I thought Encrption Algorithm is the performance factor and not the Auth Algorithm.
Is such difference normal (MD5 vs SHA1)?
What that IPSEC Hardware Acceleration (RB1000) accelerate (SHA1/MD5 or 3DES/AES encription)?

2

Hi,

this is something that has been found several times before.
But, as far as i know, nobody ever found a fitting conclusion why this is happening.
I have three ideas…

  1. mipsbe architecture is very bad at performing the mathematical operations required for sha-1
  2. sha-1 hashing algorithm implementation used is badly optimized for mipsbe.
  3. sha-1 is terribly slow by nature

However, I don’t know if that also affects other routerboard architectures.

3

Please see attached performance comparision of RB450 and RB450G using openssl test:
http://open-wrt.ru/forum/viewtopic.php?id=22323

4

That rules out 1) and 3) (slower but not terribly) and leaves ‘2) sha-1 hashing algorithm implementation used is badly optimized for mipsbe’ ?

5

It may be. I did test on x86 and difference is not that large.

[ayufan@neutron ~] $ openssl speed md5 sha1
OpenSSL 0.9.8o 01 Jun 2010
built on: Thu Feb 10 20:02:37 UTC 2011
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -march=i686 -Wa,--noexecstack -g -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5               6296.04k    23606.95k    74073.86k   161270.41k   245812.06k
sha1              6449.26k    21310.82k    54162.41k    88180.78k   108096.04k
[ayufan@neutron ~] $ cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 28
model name      : Intel(R) Atom(TM) CPU N270   @ 1.60GHz
stepping        : 2
cpu MHz         : 1600.035
cache size      : 512 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu de tsc msr pae mce cx8 apic mtrr mca cmov pat clflush acpi mmx fxsr sse sse2 ss ht nx constant_tsc aperfmperf pni est ssse3 movbe hypervisor
bogomips        : 3200.07
clflush size    : 64
cache_alignment : 64
address sizes   : 32 bits physical, 32 bits virtual
power management:

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 28
model name      : Intel(R) Atom(TM) CPU N270   @ 1.60GHz
stepping        : 2
cpu MHz         : 1600.035
cache size      : 512 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
apicid          : 1
initial apicid  : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu de tsc msr pae mce cx8 apic mtrr mca cmov pat clflush acpi mmx fxsr sse sse2 ss ht nx constant_tsc aperfmperf pni est ssse3 movbe hypervisor
bogomips        : 3200.07
clflush size    : 64
cache_alignment : 64
address sizes   : 32 bits physical, 32 bits virtual
power management:
6

Thanx for clarification..
It would be nice if someone from Mikrotik would respond to this and not just users..

I was reading IPSEC mikrotik wiki and found that only AES is hardware accelerated.
I would like to know the difference between MD5 ans SHA on RB1200..

Need real world numbers..
Anyone..

7



Notice: For support from Mikrotik staff, write to > support@mikrotik.com > - Mikrotik does not generally offer support on the forum, this is a user forum

Taken from http://forum.mikrotik.com/index.php

If you do get an official reply post back here tho to share with other users.