01-10-2018 03:04 AM - edited 03-12-2019 04:54 AM
Hello all,
Just wondering if anyone has or can point me towards any statistics, figures or testing done to show performance impact of using a higher DH group on an ASA for site-to-site VPNs.
Obviously every environment is unique and actual performance may vary etc etc, just wanting to see if anyone knows of anything as I can't find anything online myself.
Or maybe Cisco has some figures they can share?
Thanks,
01-10-2018 06:34 AM
I doubt there are such statistics published.
The next generation encryption like DH19, DH20 or DH21 uses elliptic curves and offers the same level of security with smaller keys and thus with a reduced processing overhead.
Also another way of reducing the performance hit of DH would be to increase the IKEv2 lifetime.
HTH
Bogdan
01-10-2018 06:39 AM
Hi Bogdan,
I was under the impression that the EC encryption, while using a smaller key size, still uses more processing overhead due to the algorithm used. Just to confirm, that is incorrect and processing overhead is only based on the key length?
Yeah, I've looked for similar performance stats with other vendors before and never get much but thought it was worth asking, just in case.
Thanks,
Luke
01-10-2018 07:13 AM
Hi Luke,
I do not think it is a one to one relationship, but that is the idea.
"The main advantage of ECC is that it allows equal security for a smaller key size than the key size used RSA, that is why ECC reduces the processing overhead."
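The two suggestions made in this thread (an elliptic-curve DH group and a longer IKEv2 lifetime), written out as ASA IKEv2 policies. This is an added example, not configuration posted by anyone in the thread; the policy numbers, the cipher choices and both lifetime values are constructed for illustration.

```cisco
! Constructed "before" policy: 2048-bit MODP group, shorter IKE SA lifetime
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
!
! Constructed "after" policy: elliptic-curve group 19 (256-bit ECP).
! Groups 20 and 21 are the 384-bit and 521-bit curves.
! A longer lifetime means the IKE SA is rekeyed less often, so the
! DH exchange runs less often per tunnel.
! The lower policy number gives this policy priority over policy 20.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
```

Both peers need a matching proposal, and `show crypto ikev2 sa detail` shows which DH group and lifetime an established SA actually negotiated.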