Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

3DES VPN Performance Impact

Hi,

Has anyone experienced a significant performance hit moving from DES to 3DES on the following VPN devices: PIX515, PIX520, 1710 router?

Your input is appreciated.

Thanks.

5 REPLIES
Community Member

Re: 3DES VPN Performance Impact

Yes there is a major performance hit going between the two..... We tried it and found out it wasent worth it and went back to single DES

Community Member

Re: 3DES VPN Performance Impact

The reason I posted this question was due to the conflicting info I've heard regarding the upgrade to 3DES.

I posed this question to a TAC engineer who sent it to the whole floor of TAC engineers (senior/junior) looking for any horror stories with 3DES. They overwhelmingly state that there is no noticeable impact on performance unless you're passing huge amounts of traffic. Even then, impact is minimal.

The conflict continues...

Community Member

Re: 3DES VPN Performance Impact

There is a MAJOR performance hit potentially going to 3DES. Think about it.

Triple DES encrypts data 3 times (168 bits) vs. once (56 bits) for DES. It is 3 times SLOWER than DES, if the 3 Keys are different.

There is a hit on the Client side, as you're asking a laptop or PC to perform the encryptions in SOFTWARE. Same thing on your network equipment side.

Why do you think Cisco offers dedicated Encryption modules (SEP) for its VPN3000 boxes? - so the encryption can be done in dedicated specialized HARDWARE processors.

http://www.nwfusion.com/columnists/2000/0320works.html

Community Member

Re: 3DES VPN Performance Impact

There's a big performance hit, but only at the beginning of the session when the private key exchange is set up using 3DES and ESP. The data transfer uses this latter key for encryption. After that, there should only be a minor difference in performance. On the 1710 router, you probably have a shortage of memory; I'm not so sure about the PIXs on this score.

The dedicated modules on the high end VPN 3000s are most useful when there's frequent session establishment in a very dynamic environment.

Bronze

Re: 3DES VPN Performance Impact

1710 router has a built in Hardware encryption module... There should not be any performance impact on that side.

125
Views
0
Helpful
5
Replies
CreatePlease to create content