What are the performance advantages of the ESP-NULL transform-set in IPSec

What are the advantages of using an ESP-NULL transform-set in the Cisco ASA? From my understanding, the transform-set parameters are only used during phase 1 negotiation. The packets are still encrypted according to the phase 2 SA (crypto isakmp policy XXX) and thus you still incur a lot of the overhead when actually transferring data. The only thing I can see ESP-NULL speeding up is the phase 1 negotiation, but not actual throughput in terms of Mbps.

Am I correct, or am I misunderstanding transform-set vs isakmp policy?

3 Replies

Just look at what the RFC says about it:

NULL is a block cipher the origins of which appear to be lost in antiquity. Despite rumors that the National Security Agency suppressed publication of this algorithm, there is no evidence of such action on their part. Rather, recent archaeological evidence suggests that the NULL algorithm was developed in Roman times, as an exportable alternative to Caesar ciphers. However, because Roman numerals lack a symbol for zero, written records of the algorithm's development were lost to historians for over two millennia.

Ooops, wrong paragraph, this is the relevant part:

The NULL encryption algorithm is a convenient way to represent the option of not applying encryption.

Today, where VPNs are always encrypted regardless of the data, NULL only has a meaning for learning IPsec, as it gives you the option to look at the data in Wireshark.

BTW: You are mixing up the phases of IPsec. "crypto isakmp ..." defines the parameters for Phase 1; transform-sets define what should be used in Phase 2 to set up the IPsec SAs.

Haha, thanks for the RFC. Also thanks for clearing up phase 1 vs phase 2.

With that being said, is NULL an option if I do not want encryption but simply tunneling? For example, it is the same traffic I would be comfortable sending over GRE, but I prefer, or am forced, to use IPSec. I assume NULL will drastically speed things up.

All ASAs have hardware acceleration for VPNs. I wouldn't expect too much performance gain, but I have never measured it. And yes, if you just need tunneling without encryption, ESP-NULL is an option.
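To make the replies above concrete, here is an added example (not from this thread and not Cisco code) that builds and verifies a tunnel-mode ESP packet using the NULL cipher with HMAC-SHA1-96 integrity: the inner datagram stays readable on the wire, which is why Wireshark can show it, while the ESP header, trailer and ICV overhead remain on every packet. The key and the inner datagram are constructed sample values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12            # HMAC-SHA1-96: the 20-byte SHA-1 tag truncated to 96 bits
NEXT_HEADER_IPV4 = 4    # tunnel mode: the ESP payload is a whole IPv4 datagram

def esp_null_encapsulate(spi: int, seq: int, inner: bytes, auth_key: bytes) -> bytes:
    """Tunnel-mode ESP with the NULL cipher: header + plaintext + trailer + ICV.
    NULL has a block size of 1, so padding exists only to right-align the
    pad-length and next-header bytes on a 4-byte boundary (RFC 4303 2.4)."""
    header = struct.pack("!II", spi, seq)          # SPI and sequence number
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))         # default self-describing pad
    trailer = padding + bytes([pad_len, NEXT_HEADER_IPV4])
    authenticated = header + inner + trailer       # everything except the ICV
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv

def esp_null_decapsulate(packet: bytes, auth_key: bytes) -> tuple:
    """Check the ICV first, then strip ESP framing; returns (spi, seq, inner)."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != NEXT_HEADER_IPV4:
        raise ValueError(f"unexpected next header {next_hdr}")
    return spi, seq, body[8:len(body) - 2 - pad_len]

def icv_rejects(packet: bytes, auth_key: bytes) -> bool:
    """True if the integrity check refuses the packet (no payload is handed up)."""
    try:
        esp_null_decapsulate(packet, auth_key)
        return False
    except ValueError:
        return True

def esp_overhead(packet: bytes, inner: bytes) -> int:
    """Bytes ESP adds per packet even with NULL encryption: 8 header + pad + 2 + ICV."""
    return len(packet) - len(inner)
# Constructed sample values: a demo key and 30 bytes standing in for an inner datagram.
SAMPLE_KEY = b"constructed-demo-key-not-real"
SAMPLE_INNER = bytes.fromhex("4500001e00004000") + b"clear-text-inner-data!"

if __name__ == "__main__":
    pkt = esp_null_encapsulate(0x1000, 1, SAMPLE_INNER, SAMPLE_KEY)
    print("inner data visible on the wire:", SAMPLE_INNER in pkt)
    print("ESP bytes added per packet:", esp_overhead(pkt, SAMPLE_INNER))
```

Only integrity and origin authentication survive with ESP-NULL; anyone on the path can read the inner data, so it is only appropriate for traffic you would already send over plain GRE.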