Re: P75 OK for DSL firewall w. NAT & IPSEC???

On Thu, Feb 08, 2001 at 04:38:32PM -0700, Steve Williams wrote:
> Hi,
> I am putting a proposal together for a client that will eventually have
> 6 locations connected together over DSL lines using a IPSEC VPN.
> The firewalls are just going to provide straight DNS Caching,
> IPNAT, general access to the Internet, and IPSEC VPN connections.
> The connection will be a 1.5 M DSL line.
> Does anyone have a gut feeling if an Intel P75 can handle the IPSEC 
> encryption required to send data down a 1.5 M line?
> I have absolutely no idea how much horsepower it takes to do the encryption.
> Everything else is almost irrelevant from a processor point of view.

I will install several 1M DSL connected firewalls / IPSec / VPN
gateways in the coming months. Right now I've a few P120 / 32 MB
boxes doing IPSec / ipf / ipnat via 64K lines. CPU usage is barely
above 1%.

In the meantime, I've done a few tests on a LAN between OpenBSD 2.8
and NT4 running PGPnet 6.5.8 :

OpenBSD box :
- Celeron 500 Mhz
- 64 MB RAM
- OpenBSD 2.8 (well, kernel is -current from late January)
- 100 Mbits RealTek card connected to a 10 MBit hub
- hub connected to a 10/100 switch
- 10/100 MBits switch connected to a 100 MBits hub

NT box :
- PII 400 Mhz / 128 MB RAM / NT4 SP6a
- PGPNet 6.5.8
- IPSec (transport mode, not tunnel) with CAST-128
- 100 Mbits RealTek card connected to the 100 MBits hub

While FTP'ing between the two boxes (WS-FTP client on NT4, stock ftpd
on obsd), I get ~900 KBytes per second. CPU usage on the 533 Mhz obsd
box is ~10%, while on the NT4 box, cpu usage goes to 50% (!!).

Note that in this test I didn't put ipf or ipnat in the game, but I
don't think it would impact performance significantly.

If everything goes linear, on a P75 with a 1.5 Mbits line, and if my
math is correct, you will get 10-11% cpu usage :

ratio between 10 Mbits and 1.5 Mbits : 6.67 times slower
ratio between 533 and 75 Mhz : 7.11 times slower.

7.11 / 6.67 * 10(%) = ~10.7% cpu usage

Even if (for various architectural reasons) your P75 is actually 2 or
3 times slower Mhz per Mhz than my Celeron 500 box doing IPSec, you
will still have plenty of CPU left for other tasks.

Note that I didn't try to count the lag introduced by such a little
box. You might want to switch to a faster box if you have a lot of (or
critical) interactive sessions going through this tunnel.


