 From:  Jim Thompson <jim at netgate dot com>
 To:  Jean Everson Martina <everson at inf dot ufsc dot br>
 Cc:  Chris Buechler <cbuechler at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] False sense of (IPsec)urity?
 Date:  Tue, 08 Nov 2005 01:33:17 -1000
Jean Everson Martina wrote:

>> Typically 3DES is the best choice for site to site
>> between m0n0wall and some other IPsec device, for interoperability
>> purposes.  For software encryption (i.e. no hardware crypto card),
>> Blowfish is by far the fastest.  If you switched to 3DES, you'd see a
>> marked decrease in throughput (and/or increase in CPU utilization).
>
>
> Hi all,
>
>
>     I researched this area for some time. I have done some testing 
> using site-to-site tunnels, and for sure, Blowfish is the best 
> relation between throughput and CPU utilization. Another thing that is 
> very interesting is that with Blowfish, no matter what the key 
> size is, it works faster than other algorithms in software and in 
> hardware (using same-spec hardware) with the same key size.
>     But people do not use it very much because it is not the NIST 
> standard....

Support for the VIA AES accelerators appears to be either in, or very 
close in FreeBSD 6.0.  Perhaps a future version of m0n0wall will be 
based on same, or someone will "backport" the VIA PadLock support to 4.11.

Jim