[SLL] WRT54GL --> wireless to wired repeater?
Jarod Wilson
jarod at wilsonet.com
Fri Dec 26 11:36:23 PST 2008
On Thu, 2008-12-25 at 21:38 -0800, Robert Woodcock wrote:
> On Thu, Dec 25, 2008 at 10:04:47PM -0500, Jarod Wilson wrote:
> > It'd require some investigation into the computational complexity of
> > AES vs. blowfish. Offhand, I have no idea how they compare.
>
> They're not too different - you can benchmark OpenSSL's implementation of
> them just by running "openssl speed".
>
> My results on an Athlon XP 2500+ are:
>
> The 'numbers' are in 1000s of bytes per second processed.
> type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
> [...]
> des cbc 42910.58k 45357.53k 45967.87k 46149.29k 46046.66k
> des ede3 15559.86k 15860.45k 15985.38k 15985.36k 16012.63k
> [...]
> blowfish cbc 67574.89k 73725.16k 75315.20k 75577.36k 75986.26k
> [...]
> aes-128 cbc 44625.12k 69858.65k 81771.67k 85795.84k 86955.35k
I'd wager most vpn traffic deals in smaller-sized payloads to encrypt,
and with smallest chunk size there, blowfish does appear to be around
50% faster than AES. According to the font of (sometimes unreliable)
knowledge that is Wikipedia, blowfish "is one of the fastest block
ciphers in widespread use". (And also claimed to have no known
weaknesses.)
> aes-192 cbc 40406.79k 61185.22k 70736.93k 73755.99k 74711.04k
> aes-256 cbc 37157.79k 54430.68k 62146.30k 64428.37k 65120.94k
>
> Note that 3DES is much, much slower than both.
Very good info there, this gives us a pretty good idea of the primary
source of the throughput difference between Derek's OpenVPN setup and my
ipsec setup.
> A couple other factors to consider:
>
> * You are far more likely to see AES hardware acceleration support than
> Blowfish support, especially in low-power processors that could use it,
> such as the AMD Geode LX and the VIA C3/C5/C7 (Soekris net5501, all
> manner of mini-ITX boards)
Such as the Via Padlock crypto engine, which I previously mentioned. :)
I actually thought about replacing my WRT54GS setup w/a Via itx board,
but never got around to it. I just bring up the vpn as needed via
NetworkManager on my laptop these days. Less temptation to look at work
email and whatnot if I don't have a nailed pipe. ;)
> * It's probably safe to say that AES has been vetted more comprehensively
> than Blowfish (although it's a fair bet that both will age gracefully.)
If you ask the US government, it's a fact that AES has been more
comprehensively vetted. AES is on the Federal Information Processing
Standard 140-2 "Approved Algorithms" list, blowfish is not.
--jarod
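
Added example, not part of the original thread: a small parser for the "openssl speed" table quoted above that computes Blowfish throughput relative to each AES key size per block size and finds where AES-128 overtakes it. The figures are copied from the quoted message; the function names are hypothetical.

```python
import re

# Figures copied from the "openssl speed" output quoted in the message
# (Athlon XP 2500+); values are thousands of bytes per second.
QUOTED_OUTPUT = """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
des cbc 42910.58k 45357.53k 45967.87k 46149.29k 46046.66k
des ede3 15559.86k 15860.45k 15985.38k 15985.36k 16012.63k
blowfish cbc 67574.89k 73725.16k 75315.20k 75577.36k 75986.26k
aes-128 cbc 44625.12k 69858.65k 81771.67k 85795.84k 86955.35k
aes-192 cbc 40406.79k 61185.22k 70736.93k 73755.99k 74711.04k
aes-256 cbc 37157.79k 54430.68k 62146.30k 64428.37k 65120.94k
"""

def parse_speed(text):
    """Return (block_sizes, {cipher: [kB/s at each block size]})."""
    sizes, rates = [], {}
    for line in text.splitlines():
        if line.startswith("type"):
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
            continue
        values = re.findall(r"(\d+\.\d+)k", line)
        if sizes and len(values) == len(sizes):
            # Everything before the first figure is the cipher name.
            name = line[:line.index(values[0])].strip()
            rates[name] = [float(v) for v in values]
    return sizes, rates

def ratio(rates, a, b):
    """Throughput of cipher a relative to cipher b at each block size."""
    return [round(x / y, 2) for x, y in zip(rates[a], rates[b])]

def crossover(sizes, rates, a, b):
    """Smallest block size at which b is faster than a, or None."""
    for size, x, y in zip(sizes, rates[a], rates[b]):
        if y > x:
            return size
    return None

if __name__ == "__main__":
    sizes, rates = parse_speed(QUOTED_OUTPUT)
    for aes in ("aes-128 cbc", "aes-192 cbc", "aes-256 cbc"):
        rel = dict(zip(sizes, ratio(rates, "blowfish cbc", aes)))
        at = crossover(sizes, rates, "blowfish cbc", aes)
        print(f"blowfish / {aes}: {rel}  AES faster from: {at}")
```

On these figures the Blowfish advantage over AES-128 is confined to the 16- and 64-byte columns; AES-192 and AES-256 stay slower than Blowfish at every measured size.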