3DES VPN Performance Impact

kcmartin
Level 1

Hi,

Has anyone experienced a significant performance hit moving from DES to 3DES on the following VPN devices: PIX515, PIX520, 1710 router?

Your input is appreciated.

Thanks.

5 Replies

rdennis
Level 1

Yes, there is a major performance hit going between the two... We tried it and found out it wasn't worth it and went back to single DES.

The reason I posted this question was due to the conflicting info I've heard regarding the upgrade to 3DES.

I posed this question to a TAC engineer who sent it to the whole floor of TAC engineers (senior/junior) looking for any horror stories with 3DES. They overwhelmingly state that there is no noticeable impact on performance unless you're passing huge amounts of traffic. Even then, impact is minimal.

The conflict continues...

jeff
Level 1

There is a MAJOR performance hit potentially going to 3DES. Think about it.

Triple DES encrypts data 3 times (168 bits) vs. once (56 bits) for DES. It is 3 times SLOWER than DES, if the 3 Keys are different.

There is a hit on the Client side, as you're asking a laptop or PC to perform the encryptions in SOFTWARE. Same thing on your network equipment side.

Why do you think Cisco offers dedicated Encryption modules (SEP) for its VPN3000 boxes? - so the encryption can be done in dedicated specialized HARDWARE processors.

http://www.nwfusion.com/columnists/2000/0320works.html

There's a big performance hit, but only at the beginning of the session when the private key exchange is set up using 3DES and ESP. The data transfer uses this latter key for encryption. After that, there should only be a minor difference in performance. On the 1710 router, you probably have a shortage of memory; I'm not so sure about the PIXs on this score.

The dedicated modules on the high end VPN 3000s are most useful when there's frequent session establishment in a very dynamic environment.

1710 router has a built in Hardware encryption module... There should not be any performance impact on that side.
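Added example, not from any post in this thread: a Go program that measures the software-only time of 3DES relative to single DES per 8-byte block on the machine it runs on, using the standard library's `crypto/des`, and checks that 3DES with three identical keys reduces to single DES. The keys and plaintext block are constructed samples, and the figure does not apply to devices that use a hardware encryption module.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"time"
)

// must unwraps a cipher constructor; the sample keys below have valid lengths.
func must(c cipher.Block, err error) cipher.Block {
	if err != nil {
		panic(err)
	}
	return c
}

// timeBlocks encrypts n 8-byte blocks in place and returns the elapsed time.
func timeBlocks(c cipher.Block, n int) time.Duration {
	buf := make([]byte, des.BlockSize)
	start := time.Now()
	for i := 0; i < n; i++ {
		c.Encrypt(buf, buf)
	}
	return time.Since(start)
}

// softwareCostRatio returns time(3DES)/time(DES) for n block encryptions,
// using constructed sample keys where K1, K2 and K3 are all different.
func softwareCostRatio(n int) float64 {
	single := must(des.NewCipher([]byte("k1sample")))
	triple := must(des.NewTripleDESCipher([]byte("k1samplek2samplek3sample")))
	return float64(timeBlocks(triple, n)) / float64(timeBlocks(single, n))
}

// degenerateMatchesDES reports whether 3DES (encrypt-decrypt-encrypt) with
// K1=K2=K3 yields the same ciphertext as single DES under that key.
func degenerateMatchesDES(key, block []byte) bool {
	a, b := make([]byte, des.BlockSize), make([]byte, des.BlockSize)
	must(des.NewCipher(key)).Encrypt(a, block)
	must(des.NewTripleDESCipher(bytes.Repeat(key, 3))).Encrypt(b, block)
	return bytes.Equal(a, b)
}

func main() {
	fmt.Printf("3DES/DES time ratio: %.2f\n", softwareCostRatio(2000000))
	fmt.Println("K1=K2=K3 equals DES:", degenerateMatchesDES([]byte("k1sample"), []byte("8bytes!!")))
}
```

The ratio covers bulk block encryption only; it does not include IKE/IPsec session setup or packet handling.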
