From: James Y. <ji...@yo...> - 2004-06-16 18:55:44
Jon Bendtsen <jon...@la...> said:

> openssl and thus openvpn supports a wide number of ciphers to encrypt
> with. Some are faster than others, significantly faster. Others are
> significantly weaker than others.
>
> Assuming that the implementation is correct, I can see 2 ciphers that I
> might consider using, namely blowfish and aes, since I consider them
> just as secure.
>
> blowfish cbc 85955.51k 91289.94k 93026.82k 93183.32k 91864.71k
> aes-128 cbc 30871.89k 31260.69k 31642.28k 31615.66k 31645.70k
>
> Blowfish scores about twice as much in the openssl speed benchmarks,
> but what does this mean for actual throughput of the openvpn tunnel?
> Does the encryption/decryption take up most of the cpu? or is it lower?

In my own benchmarking, I've seen that 80% or more of OpenVPN's CPU utilization is taken up by crypto operations (i.e. encrypt, decrypt, and HMAC).

This is easily tested as such (on *nix) with 2 machines on the same physical network which is firewalled from the internet:

    time openvpn [options] --secret key --cipher x

Transfer a large file by FTP, then (on both machines):

    time openvpn [options]

Transfer the same file again.

The second openvpn instantiation makes a cleartext tunnel with no encryption. This is a good way to measure the tunneling overhead which OpenVPN adds above and beyond the crypto operations.

Make sure to run this benchmark where both machines are on the same physical network protected from the internet by a firewall, as the cleartext tunnel in the second benchmark lacks any security.

Since the 'time' command measures CPU time utilization, this would also be a good method to benchmark whether OpenVPN is benefiting from hardware-based crypto acceleration.

James
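The comparison described in the message above can be reduced to a single figure once both runs have finished. The script below is an added example, not part of the original message: it assumes each run was timed with POSIX `time -p` (which prints `real`, `user` and `sys` in seconds), and the two sample outputs and the function names `cpu_seconds` and `crypto_share` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample `time -p` output for the two runs (not measured data).
# Run 1: tunnel with --secret/--cipher. Run 2: cleartext tunnel, same file.
ENCRYPTED_RUN='real 62.10
user 9.40
sys 3.10'
CLEARTEXT_RUN='real 60.80
user 0.90
sys 1.60'

# cpu_seconds: CPU time of one run = user + sys. The "real" line is
# wall-clock time and is ignored, since it mostly reflects the transfer.
cpu_seconds() {
    printf '%s\n' "$1" |
        awk '$1 == "user" || $1 == "sys" { t += $2 } END { printf "%.2f\n", t }'
}

# crypto_share: percentage of the encrypted run's CPU time that is absent
# from the cleartext run, i.e. attributable to encrypt/decrypt/HMAC.
# Prints "invalid" and fails if the cleartext run used more CPU than the
# encrypted one, which means the two runs were not comparable.
crypto_share() {
    enc=$(cpu_seconds "$1")
    clr=$(cpu_seconds "$2")
    awk -v e="$enc" -v c="$clr" 'BEGIN {
        if (e <= 0 || c > e) { print "invalid"; exit 1 }
        printf "%.0f\n", (e - c) / e * 100
    }'
}

echo "encrypted run CPU:  $(cpu_seconds "$ENCRYPTED_RUN")s"
echo "cleartext run CPU:  $(cpu_seconds "$CLEARTEXT_RUN")s (tunneling overhead)"
echo "crypto share:       $(crypto_share "$ENCRYPTED_RUN" "$CLEARTEXT_RUN")%"
```

Running the same calculation for each candidate cipher on the same hardware shows whether a cipher change or hardware acceleration actually reduces the crypto share, rather than relying on the `openssl speed` figures alone.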