Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1963
Views
0
Helpful
5
Replies

ACE 4710 SSL performance (TPS) for 2048bit keys?

Go to solution
ROMAN TOMASEK
Level 1
Level 1

‎04-19-2013 02:39 AM

Hi all,

do you have any info about the SSL performance for 2kb keys on ACE4710? There is only SSL performance for 1024b keys on ACE4710 (7500 SSL TPS) in the data sheet.:-( Thank you very much.

Roman

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
sivaksiv
Cisco Employee
Cisco Employee

‎04-19-2013 03:44 AM

Hi Roman,

There are no definitive numbers on the how much could a 4710 handle in term of SSL with 2048b keys  but it is much lower then what it would be if you were using 1024b keys. It is also based on testing, means different test scenario will produce different test result.

2048 bit keys require approximately 7 times more processing than 1024 bit keys, so the TPS rate should drop by this same factor in a well behaved system.

Regards,

Siva

View solution in original post

0 Helpful

Go to solution
chrhiggi
Level 3
Level 3

‎04-19-2013 11:25 AM

Building on what Siva noted -

   ACE4710 does not have published numbers for higher bit keys, but its not uncommon to see about 1200-1400 TPS with 2048 bit keys under "average" scenarios.  You have to keep in mind that they way SSL works on any device, as the bit count goes up, it becomes *exponentially* more difficult to decrypt SSL.  As well, things like cipher strength and compression play a huge role in how inundated the SSL 'server' or in our case, the SSL daughter card becomes trying to handle 'normal' traffic flow. Obviously, if you are inundated at 100% cpu doing high-cipher-high bitstrength encryption, your TPS will start to suffer. Up to the CPU is spiked... you wouldn't see a difference. Hence, the range in performance.

  Last note - If you want to get the maximum out of your SSL daughter card, make sure to enable ssl reuse and session cache.  That does have a large impact on performance, but it is at the expense of security.

  There are many hits on google for benchmarking SSL and why there is such a hit on higher bit strenghts.  Example:

http://blog.exceliance.fr/2011/09/16/benchmarking_ssl_performance/

  Hope that helps!

Regards,

Chris Higgins

View solution in original post

0 Helpful
5 Replies 5

Go to solution
sivaksiv
Cisco Employee
Cisco Employee

‎04-19-2013 03:44 AM

Hi Roman,

There are no definitive numbers on the how much could a 4710 handle in term of SSL with 2048b keys  but it is much lower then what it would be if you were using 1024b keys. It is also based on testing, means different test scenario will produce different test result.

2048 bit keys require approximately 7 times more processing than 1024 bit keys, so the TPS rate should drop by this same factor in a well behaved system.

Regards,

Siva

0 Helpful

Go to solution
chrhiggi
Level 3
Level 3

‎04-19-2013 11:25 AM

Building on what Siva noted -

   ACE4710 does not have published numbers for higher bit keys, but its not uncommon to see about 1200-1400 TPS with 2048 bit keys under "average" scenarios.  You have to keep in mind that they way SSL works on any device, as the bit count goes up, it becomes *exponentially* more difficult to decrypt SSL.  As well, things like cipher strength and compression play a huge role in how inundated the SSL 'server' or in our case, the SSL daughter card becomes trying to handle 'normal' traffic flow. Obviously, if you are inundated at 100% cpu doing high-cipher-high bitstrength encryption, your TPS will start to suffer. Up to the CPU is spiked... you wouldn't see a difference. Hence, the range in performance.

  Last note - If you want to get the maximum out of your SSL daughter card, make sure to enable ssl reuse and session cache.  That does have a large impact on performance, but it is at the expense of security.

  There are many hits on google for benchmarking SSL and why there is such a hit on higher bit strenghts.  Example:

http://blog.exceliance.fr/2011/09/16/benchmarking_ssl_performance/

  Hope that helps!

Regards,

Chris Higgins

0 Helpful

Go to solution
ROMAN TOMASEK
Level 1
Level 1
In response to chrhiggi

‎04-22-2013 01:24 AM

It's strange, because for example F5 shows the SSL performance for both keys (1024 and 2048). :-(

0 Helpful

Go to solution
chrhiggi
Level 3
Level 3
In response to ROMAN TOMASEK

‎04-22-2013 10:08 AM

Roman-

  I don't know the real reason why some of the numbers are not released. However, I do know that we try to minimise arguments about performance numbers in general.  Performance is extremely subjective as every customer uses a product in different ways and they all effect performance uniquely.  If someone sold you a box that did 1k TPS and you could only do 800TPS with your traffic, you would probably feel you didn't get what you payed for.  As well, you don't generally want to under-sell yourself either. 

Regards,

Chris Higgins

0 Helpful

Go to solution
ROMAN TOMASEK
Level 1
Level 1
In response to chrhiggi

‎04-23-2013 05:35 AM

Hi Christopher,

no problem. Thank you very much.

Roman

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents