Joy Latten wrote:
> On Wed, 2006-06-07 at 22:57 -0400, Paul Moore wrote:
>
>>On Wednesday 07 June 2006 8:14 pm, Joy Latten wrote:
>>
>>>The networking hooks using IPSec were stressed with netperf
>>>sending constant stream of tcp and udp packets.
>>>All tests have completed successfully!
>>>
>>>All tests had following configuration:
>>>Pseries lpars running FC5
>>>IPSec was configured to use:
>>> - ESP (Encapsulating Security Payload)
>>> - security label, "system_u:object_r:unlabeled_t:s0"
>>
>>Out of curiosity, what algorithms did you use? Also, did you test AH? Not
>>that I suspect the results will be much different but I believe that is what
>>people plan on evaluating ...
>>
>
> I used 3des and now that you have mentioned it, I should have included
> AH too or at least enabled authentication in ESP. But I was more
> interested in stress testing than functional testing and only included
> the performance numbers for the heck of it. I believe when we did
> functional testing we did try both, 3des for ESP and sha1 for AH. But I
> have not yet tried AES algorithm for ESP.
>
> I will try this again (performance run, not stress testing) later with
> authentication enabled and with ESP-3des, ESP-aes, and send results to
> list as an FYI.
>

Okay thanks for the update, I was more curious than anything else. For
what it is worth, it is probably a good idea to always test ESP with
authentication if you are not using AH as well. If I recall correctly
there was a (somewhat obvious) CERT/MITRE advisory a few years ago about
running ESP without auth or AH and as a result I think the common case
with ESP-only will be with auth enabled.

-- 
paul moore
linux security @ hp
