Running IPSec can affect your device's memory usage and CPU utilization. There are several reasons that IPSec packets might be processed more slowly than packets that are processed through classic crypto:
IPSec introduces packet expansion, which is more likely to require fragmentation and the corresponding reassembly of IPSec datagrams.
Encrypted packets probably will be authenticated, which means that two cryptographic operations are performed for every packet.
The authentication algorithms can be slow.
In addition, the D-H key exchange used in IKE is an exponentiation of very large numbers (between 768 and 1024 bytes) and can take several seconds to compute on some platforms. RSA performance depends on the size of the prime number chosen for the RSA key pair.
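The packet-expansion point above can be made concrete with a small calculator, added here as an illustration and not taken from the original text. It assumes IPv4 without options, ESP in tunnel mode with a CBC cipher and a 96-bit truncated HMAC, no NAT traversal, and a 1500-byte path MTU; the function names are hypothetical.

```python
# Added example: ESP tunnel-mode expansion and the fragmentation it causes.
# Assumed layout (not from the page): outer IPv4 header, ESP header, IV,
# encrypted [inner packet + padding + pad-length + next-header], then ICV.
OUTER_IP = 20     # new IPv4 header added by tunnel mode
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length (1 byte) + next-header (1 byte)
ICV_LEN = 12      # HMAC-MD5-96 or HMAC-SHA1-96
CIPHERS = {       # name -> (IV bytes, cipher block bytes)
    "des-cbc": (8, 8),
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}

def esp_tunnel_size(inner_len, cipher="3des-cbc"):
    """Size on the wire of an inner IP packet after ESP tunnel encapsulation."""
    iv, block = CIPHERS[cipher]
    plaintext = inner_len + ESP_TRAILER
    pad = (-plaintext) % block          # pad up to a whole cipher block
    return OUTER_IP + ESP_HDR + iv + plaintext + pad + ICV_LEN

def max_inner_without_fragmentation(mtu=1500, cipher="3des-cbc"):
    """Largest inner packet whose encapsulated form still fits in one MTU."""
    iv, block = CIPHERS[cipher]
    room = mtu - OUTER_IP - ESP_HDR - iv - ICV_LEN
    room -= room % block                # ciphertext must be whole blocks
    return room - ESP_TRAILER

def fragments_needed(inner_len, mtu=1500, cipher="3des-cbc"):
    """Number of IPv4 fragments the encapsulated packet is split into."""
    total = esp_tunnel_size(inner_len, cipher)
    if total <= mtu:
        return 1
    payload = total - OUTER_IP
    per_fragment = (mtu - OUTER_IP) // 8 * 8   # fragment data is 8-byte aligned
    return -(-payload // per_fragment)         # ceiling division

if __name__ == "__main__":
    for size in (40, 576, 1446, 1447, 1500):   # constructed sample sizes
        wire = esp_tunnel_size(size)
        print(f"inner={size:5d} wire={wire:5d} "
              f"overhead={wire - size:3d} fragments={fragments_needed(size)}")
    print("largest unfragmented inner packet:",
          max_inner_without_fragmentation())
```

Under these assumptions a full-size 1500-byte packet always becomes two fragments, each of which the receiving peer must reassemble before it can authenticate and decrypt.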
For each router, the SA database takes approximately 300 bytes of memory, plus an additional 120 bytes of memory for each SA stored in it. Because an IPSec connection requires two SAs, one inbound and one outbound, 540 bytes of memory are required (300 + 2 × 120). Each IKE SA entry requires approximately 64 bytes of memory for storage.
There might also be a small decrease in performance for unencrypted packets going through an interface that is doing crypto, because all packets are checked against the crypto map. There should be no performance impact on packets traversing the router that avoid an interface doing crypto.