[SLL] WRT54GL --> wireless to wired repeater?

Jarod Wilson jarod at wilsonet.com
Thu Dec 25 19:04:47 PST 2008


On Thu, 2008-12-25 at 12:57 -0800, Bryan McLellan wrote:
> On Thu, Dec 25, 2008 at 11:17 AM, Derek Simkowiak <dereks at realloc.net> wrote:
> > /Could it be that you guys are using different ciphers?/
> >
> >  OpenVPN uses SSL to handle encryption.  It uses either a TAP or TUN driver
> > (depending on whether you want bridged mode or routed mode).
> >
> >   vpnc (which I think is what Jeremy was using) is the Cisco VPN
> > Concentrator client, and it works in a very similar fashion.  Like OpenVPN,
> > it is a userspace application that uses the TAP driver to establish the VPN.
> >
> >   The two big differences between the two apps are that (a) vpnc does not use
> > SSL as the protocol, and (b) OpenVPN uses the OpenSSL library (a.k.a.
> > libssl)  but vpnc uses the GNUTLS library (a.k.a. libgcrypt).
> 
> vpnc doesn't support SSL (Cisco Anyconnect) at this time [1], and uses
> IPSEC. However, the important part in relation to CPU usage is the
> ciphers in use rather than the protocols.

What he said. Well, cipher is one of the two big factors here. The other
one is key size. DES is a 64-bit key (but effective key strength of 56
bits, due to parity bits and whatnot). AES starts at 128-bit, and also
offers 192-bit and 256-bit versions.

Now, Derek said his numbers were with 128-bit blowfish, so DES is
probably irrelevant to this discussion. (side bar: anyone still using
DES and thinking they're secure should be taken out and shot). So for
the most part, it *should* boil down to blowfish vs. whatever my
employer's Cisco VPN concentrators are offering up. If it's AES-256, I'm
pretty sure that would account for the throughput differences between
vpnc and openvpn. If it's AES-128... It'd require some investigation into
the computational complexity of AES vs. blowfish. Offhand, I have no
idea how they compare. But there *is* a reason folks like Via ship
things like their Padlock crypto engine -- AES is no light-weight crypto
algorithm. The other possibility is that my employer's vpn is
triple-des, which would be 192-bit (effectively 168-bit, blah blah). So
yeah, cipher and key size are definitely important to consider here.

Hm... For my personal edification, I should poke around and see if I can
figure out what cipher and key size work uses... Ah, triple-des it is.
So we're comparing blowfish w/a 128-bit key vs. triple-des, which is a
192-bit key. I can't change work's vpn to try blowfish 128, but if
you're able, it'd be interesting to see the throughput of openvpn using
triple-des.

--jarod
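
The DES parity-bit point in the message above, as an added example that is not part of the original post: it shows which bits of a DES key are parity and counts the independent key bits in a 24-byte triple-DES (EDE) key. It goes beyond the message by covering triple-DES keys whose subkeys repeat. All key values and function names are constructed for illustration.

```python
# Added example: DES key parity and independent key bits in a 3DES (EDE) key.
# Keys below are constructed sample values, not taken from any real VPN.

def strip_parity(key: bytes) -> int:
    """Drop the low (parity) bit of every byte; return the remaining key bits."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value

def has_odd_parity(key: bytes) -> bool:
    """DES specifies odd parity: each byte carries an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)

def set_odd_parity(key: bytes) -> bytes:
    """Rewrite the low bit of each byte so the byte has odd parity."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        out.append(high | (1 if bin(high).count("1") % 2 == 0 else 0))
    return bytes(out)

def independent_key_bits(key: bytes) -> int:
    """Independent key bits in a DES (8-byte) or 3DES EDE (24-byte) key."""
    if len(key) == 8:
        return 56                      # 64 bits minus 8 parity bits
    if len(key) != 24:
        raise ValueError("expected an 8-byte or 24-byte key")
    k1, k2, k3 = (strip_parity(key[i:i + 8]) for i in (0, 8, 16))
    if k1 == k2 or k2 == k3:
        return 56                      # an E/D pair cancels: single DES
    if k1 == k3:
        return 112                     # two-key triple-DES
    return 168                         # three distinct subkeys

KEY_A = bytes.fromhex("0123456789abcdef")    # constructed, odd parity
KEY_B = bytes(b ^ 1 for b in KEY_A)          # same key bits, parity flipped
KEY_C = bytes.fromhex("fedcba9876543210")    # constructed
KEY_D = bytes.fromhex("1133557799bbddff")    # constructed

if __name__ == "__main__":
    print("A and B are the same DES key:",
          strip_parity(KEY_A) == strip_parity(KEY_B))
    for label, key in [("A|C|D", KEY_A + KEY_C + KEY_D),
                       ("A|C|B", KEY_A + KEY_C + KEY_B),
                       ("A|B|D", KEY_A + KEY_B + KEY_D)]:
        print(label, "->", independent_key_bits(key), "independent key bits")
```
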



