Re: [redhat-lspp] LSPP Development Telecon 06/05/2006 Minutes
- From: Joy Latten <latten austin ibm com>
- To: Paul Moore <paul moore hp com>
- Cc: redhat-lspp redhat com
- Subject: Re: [redhat-lspp] LSPP Development Telecon 06/05/2006 Minutes
- Date: Thu, 08 Jun 2006 16:08:25 -0500
On Thu, 2006-06-08 at 13:27 -0400, Paul Moore wrote:
> Joy Latten wrote:
> > On Wed, 2006-06-07 at 22:57 -0400, Paul Moore wrote:
> >
> >>On Wednesday 07 June 2006 8:14 pm, Joy Latten wrote:
> >>
> >>>The networking hooks using IPSec were stressed with netperf
> >>>sending a constant stream of tcp and udp packets.
> >>>All tests have completed successfully!
> >>>
> >>>All tests had the following configuration:
> >>>Pseries lpars running FC5
> >>>IPSec was configured to use:
> >>> - ESP (Encapsulating Security Payload)
> >>> - security label, "system_u:object_r:unlabeled_t:s0"
> >>
> >>Out of curiosity, what algorithms did you use? Also, did you test AH? Not
> >>that I suspect the results will be much different but I believe that is what
> >>people plan on evaluating ...
> >>
> >
> > I used 3des and now that you have mentioned it, I should have included
> > AH too or at least enabled authentication in ESP. But I was more
> > interested in stress testing than functional testing and only included
> > the performance numbers for the heck of it. I believe when we did
> > functional testing we did try both, 3des for ESP and sha1 for AH. But I
> > have not yet tried the AES algorithm for ESP.
> >
> > I will try this again (performance run, not stress testing) later with
> > authentication enabled and with ESP-3des, ESP-aes, and send results to
> > list as an FYI.
> >
>
> Okay thanks for the update, I was more curious than anything else. For
> what it is worth, it is probably a good idea to always test ESP with
> authentication if you are not using AH as well. If I recall correctly
> there was a (somewhat obvious) CERT/MITRE advisory a few years ago about
> running ESP without auth or AH and as a result I think the common case
> with ESP-only will be with auth enabled.
>
Yes, I agree. I usually do include authentication, so it was a slip-up
on my part for forgetting. I won't forget the next time. :-)
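
A pre-run check for the point discussed above (ESP configured without authentication and without AH), as an added example that is not part of the original thread. It assumes the SAs are keyed manually in ipsec-tools `setkey` syntax, which the thread does not state; the addresses, SPIs and keys are constructed sample values.

```python
import shlex

# Constructed sample in setkey "add" syntax (assumed tooling; dummy keys).
SAMPLE = '''
# 3des ESP with no -A: the case discussed in the thread
add 10.0.0.1 10.0.0.2 esp 0x201 -E 3des-cbc "constructed-24-byte-key!";
add 10.0.0.2 10.0.0.1 esp 0x301 -E 3des-cbc "constructed-24-byte-key!" -A hmac-sha1 "constructed-20-byte-k";
add 10.0.0.3 10.0.0.4 esp 0x401 -E aes-cbc "constructed-16-key";
add 10.0.0.3 10.0.0.4 ah 0x402 -A hmac-sha1 "constructed-20-byte-k";
'''

def parse_sas(text):
    """Return one dict per 'add' statement: src, dst, proto, spi, enc, auth."""
    body = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith("#"))
    sas = []
    for stmt in body.split(";"):
        tok = shlex.split(stmt)
        if len(tok) < 5 or tok[0] != "add":
            continue
        sa = {"src": tok[1], "dst": tok[2], "proto": tok[3],
              "spi": tok[4], "enc": None, "auth": None}
        # Each option flag is followed by its algorithm name.
        for i, t in enumerate(tok[5:-1], start=5):
            if t == "-E":
                sa["enc"] = tok[i + 1]
            elif t == "-A":
                sa["auth"] = tok[i + 1]
        sas.append(sa)
    return sas

def unauthenticated_esp(sas):
    """ESP SAs with no (or null) -A and no AH SA for the same src/dst pair.

    Heuristic: an AH SA only protects traffic if the policy (SPD) also
    requires AH, which this check does not inspect.
    """
    ah_pairs = {(s["src"], s["dst"]) for s in sas
                if s["proto"] == "ah" and s["auth"] not in (None, "null")}
    return [s for s in sas
            if s["proto"] == "esp" and s["auth"] in (None, "null")
            and (s["src"], s["dst"]) not in ah_pairs]

if __name__ == "__main__":
    for sa in unauthenticated_esp(parse_sas(SAMPLE)):
        print("ESP without auth or AH: %(src)s -> %(dst)s spi %(spi)s (%(enc)s)" % sa)
```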