SSL Relative Performance, VPN Performance

Table 5.7

			SSL Relative Performance
			(scaled to Nonsecure baseline)

	Nonsecure	RC4 /		RC4 /	AES128 /	AES256 /	TDES /
Transaction Type:	TCP/IP	MD5		SHA-1	SHA-1	SHA-1	SHA-1
Request/Response	1.0 x	2.1		2.2	2.4	2.5	5.8
(RR) 128 Byte	1.0 x	2.1		2.2	2.4	2.5	5.8
(RR) 128 Byte
Asym. Connect/Request/Response	1.0 y	4.7		5.2	8.0	9.1	51.7
(ACRR) 8K Bytes	1.0 y	4.7		5.2	8.0	9.1	51.7
(ACRR) 8K Bytes
Large Transfer	1.0 z	8.6		9.0	13.0	15.0	73.7
(Stream) 16K Bytes	1.0 z	8.6		9.0	13.0	15.0	73.7
(Stream) 16K Bytes
Notes:
y Capacity metrics are provided for nonsecure and each variation of security policy
y The table data reflects System i as a server (not a client)
y This is only a rough indicator for capacity planning. Actual results may differ significantly.
y Each SSL connections was established with a 1024 bit RSA handshake.
y x, y and z are scaling constants, one for each NetPerf scenario.

VPN

Although the term Virtual Private Networks (VPN) didn’t start until early 1997, the concepts behind VPN started around the same time as the birth of the Internet. VPN creates a secure tunnel to communicate from one point to another using an unsecured network as media. Table 5.8 provides some rough capacity planning information for VPN communication, when using 1 Gigabit Ethernet.

Table 5.8

			VPN Performance
		(transactions per second per server CPU)

	Nonsecure	AH with		ESP with	ESP with	ESP with TDES /
Transaction Type:	TCP/IP	MD5		RC4 / MD5	AES128 /	SHA-1
					SHA-1
Request/Response	1167.0	428.5		322.9	307.71	148.4
(RR) 128 Byte	1167.0	428.5		322.9	307.71	148.4
(RR) 128 Byte
Asym. Connect/Request/Response	249.7	49.9		37.7	32.7	9.1
(ACRR) 8K Bytes	249.7	49.9		37.7	32.7	9.1
(ACRR) 8K Bytes
Large Transfer	478.4	44.0		31.0	25.6	5.4
(Stream) 16K Bytes	478.4	44.0		31.0	25.6	5.4
(Stream) 16K Bytes
Notes:
y Capacity metrics are provided for nonsecure and each variation of security policy

y The table data reflects System i as a server (not a client)

y VPN measurements used transport mode, TDES, AES128 or RC4 with 128-bit key symmetric cipher and MD5 message digest with RSA public/private keys. VPN antireplay was disabled.

y This is only a rough indicator for capacity planning. Actual results may differ significantly.

This table also shows a range of encryption methods to give you an insight on the performance between less secure but faster, or more secure but slower methods, all compared to unsecured TCP/IP.

Table 5.9 below illustrates relative CPU consumption for VPN instead of potential capacity. Essentially, this is a normalized inverse of the CPU capacity data from Table 5.6. It gives another view of the impact of choosing one security policy over another for various NetPerf scenarios.

Table 5.9

IBM i 6.1 Performance Capabilities Reference - January/April/October 2008
© Copyright IBM Corp. 2008	Chapter 5 - Communications Performance	71

Intel 7xx Servers, 170 Servers, AS/400 RISC Server manual SSL Relative Performance, VPN Performance

Models: 7xx Servers 170 Servers AS/400 RISC Server

SSL Relative Performance

13.0

15.0

73.7

VPN

VPN Performance

478.4

44.0

31.0

25.6

© Copyright IBM Corp. 2008