[redhat-lspp] LSPP Development Telecon 06/05/2006 Minutes

Paul Moore paul.moore at hp.com
Thu Jun 8 17:27:20 UTC 2006


Joy Latten wrote:
> On Wed, 2006-06-07 at 22:57 -0400, Paul Moore wrote:
> 
>>On Wednesday 07 June 2006 8:14 pm, Joy Latten wrote:
>>
>>>The networking hooks using IPSec were stressed with netperf
>>>sending a constant stream of TCP and UDP packets.
>>>All tests have completed successfully!
>>>
>>>All tests had the following configuration:
>>>Pseries lpars running FC5
>>>IPSec was configured to use:
>>> - ESP (Encapsulating Security Payload)
>>> - security label, "system_u:object_r:unlabeled_t:s0"
>>
>>Out of curiosity, what algorithms did you use?  Also, did you test AH?  Not 
>>that I suspect the results will be much different but I believe that is what 
>>people plan on evaluating ...
>>
> 
> I used 3des and now that you have mentioned it, I should have included
> AH too or at least enabled authentication in ESP. But I was more
> interested in stress testing than functional testing and only included
> the performance numbers for the heck of it. I believe when we did
> functional testing we did try both, 3des for ESP and sha1 for AH. But I
> have not yet tried the AES algorithm for ESP. 
> 
> I will try this again (performance run, not stress testing) later with
> authentication enabled and with ESP-3des, ESP-aes, and send the results
> to the list as an FYI.
> 

Okay, thanks for the update; I was more curious than anything else.  For
what it is worth, it is probably a good idea to always test ESP with
authentication if you are not using AH as well.  If I recall correctly
there was a (somewhat obvious) CERT/MITRE advisory a few years ago about
running ESP without auth or AH and as a result I think the common case
with ESP-only will be with auth enabled.

-- 
paul moore
linux security @ hp
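
The check suggested in the message above (ESP should carry authentication unless AH is used as well), as an added example that is not part of the original thread: a Python script that reads SAD entries and reports ESP SAs with no authentication algorithm and no AH SA for the same address pair. It assumes the entries are written in ipsec-tools `setkey` `add` syntax, which the thread does not specify; the sample entries, keys and function names are constructed for illustration.

```python
import re
import shlex

# Constructed SAD entries in ipsec-tools setkey(8) "add" syntax.
# Addresses, SPIs and keys are made up for this example.
SAMPLE = '''
# A -> B: ESP encryption only
add 10.0.0.1 10.0.0.2 esp 0x301 -E 3des-cbc "CONSTRUCTED-3DES-KEY-001";
# B -> A: ESP with encryption and authentication
add 10.0.0.2 10.0.0.1 esp 0x302 -E 3des-cbc "CONSTRUCTED-3DES-KEY-001"
    -A hmac-sha1 "CONSTRUCTED-SHA1-KEY";
# A -> C: ESP encryption only, with an AH SA for the same pair
add 10.0.0.1 10.0.0.3 esp 0x303 -E 3des-cbc "CONSTRUCTED-3DES-KEY-001";
add 10.0.0.1 10.0.0.3 ah 0x304 -A hmac-sha1 "CONSTRUCTED-SHA1-KEY";
'''

NO_AUTH = (None, "null")  # assumption: "-A null" is treated as no authentication


def parse_sas(text):
    """Return one dict per 'add' statement: src, dst, proto, spi, enc, auth."""
    sas = []
    text = re.sub(r"(?m)^[ \t]*#.*$", "", text)   # drop comment lines
    for stmt in text.split(";"):                  # assumes no ';' inside quoted keys
        tok = shlex.split(stmt)
        if len(tok) < 5 or tok[0] != "add":
            continue
        sa = {"src": tok[1], "dst": tok[2], "proto": tok[3],
              "spi": tok[4], "enc": None, "auth": None}
        opts = tok[5:]
        for flag, field in (("-E", "enc"), ("-A", "auth")):
            if flag in opts[:-1]:                 # flag must be followed by a value
                sa[field] = opts[opts.index(flag) + 1]
        sas.append(sa)
    return sas


def unauthenticated_esp(sas):
    """ESP SAs with no auth algorithm and no AH SA for the same src/dst pair."""
    # An AH SA in the SAD only helps if the policy (SPD) also requires AH;
    # this check looks at the SAD entries alone.
    ah_pairs = {(s["src"], s["dst"]) for s in sas
                if s["proto"] == "ah" and s["auth"] not in NO_AUTH}
    return [s for s in sas
            if s["proto"] == "esp" and s["auth"] in NO_AUTH
            and (s["src"], s["dst"]) not in ah_pairs]


if __name__ == "__main__":
    for sa in unauthenticated_esp(parse_sas(SAMPLE)):
        print("ESP without integrity protection:", sa["src"], "->", sa["dst"], sa["spi"])
```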



