
Configuring IPsec Services
308630-15.1 Rev 00
You can optimize performance by using the information in this section to plan and
manage CPU resources on BayRS routers configured with IPsec.
Greater security can adversely affect performance. Before you deploy IPsec,
identify the data traffic that must be protected. Effective traffic analysis can result
in minimal performance impact on the router. Configure IPsec to bypass traffic
that does not need to be protected, thereby reducing the CPU resources used.
Also, the amount of CPU resources required varies significantly for different
encryption and authentication algorithms. These algorithms are listed in order of
increasing CPU consumption and security:
• MD5
• SHA1
• DES
• DES with MD5
• DES with SHA1
• 3DES
• 3DES with MD5
• 3DES with SHA1
In addition, the key generation and periodic rekeying done by IKE Diffie-Hellman
impose a CPU burden. For example, 3DES + SHA1 traffic with aggressive
phase 1 (IKE) and IPsec rekeying (for example, every 10 minutes) can cause
significant performance degradation under heavy traffic loads. Therefore, consider
the keying intervals for IKE and for IPsec that you choose during configuration.
Less frequent rekeying reduces the burden on the CPU. Consider rekeying the
phase 1 (IKE) SAs less frequently than the IPsec SAs.
Finally, packet size affects the performance of the router. Smaller packet sizes at a
given data rate impose a greater processing load than larger packet sizes. For
example, BayRS IPsec on a BN router can fill a 2 Mb/s WAN pipe with
bidirectional DES-encrypted traffic.
You may experience SNMP timeouts during periods when the router is carrying
peak loads of protected traffic.
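The planning guidance above can be applied as a policy audit. The following Python sketch is an added example, not BayRS code or output: it ranks each policy by the algorithm order listed above, counts rekey events per hour from the configured lifetimes, and flags policies that contradict the rekeying advice. The policy names, field names, and lifetimes are constructed for illustration, and the figures are event counts and ordinal ranks, not measured CPU cost.

```python
# Added example: audit constructed IPsec policies against the planning guidance above.
# Transform names follow the page's list, in order of increasing CPU consumption.
CPU_ORDER = ["MD5", "SHA1", "DES", "DES+MD5", "DES+SHA1",
             "3DES", "3DES+MD5", "3DES+SHA1"]
AGGRESSIVE_SECONDS = 600  # the page's "every 10 minutes" example

def rekeys_per_hour(lifetime_s):
    """Rekey events per hour for one SA with the given lifetime in seconds."""
    return 3600 / lifetime_s

def audit(policy):
    """Return (cpu_rank, rekeys_per_hour, findings) for one policy dict."""
    findings = []
    if policy["action"] == "bypass":
        return 0, 0.0, findings  # bypassed traffic is not processed by IPsec
    rank = CPU_ORDER.index(policy["transform"]) + 1
    ike, ipsec = policy["ike_lifetime_s"], policy["ipsec_lifetime_s"]
    if ike < ipsec:
        findings.append("IKE SA rekeys more often than IPsec SA")
    if min(ike, ipsec) <= AGGRESSIVE_SECONDS:
        findings.append("rekey interval of 10 minutes or less")
        if policy["transform"] == "3DES+SHA1":
            findings.append("costliest transform combined with aggressive rekeying")
    load = rekeys_per_hour(ike) + rekeys_per_hour(ipsec)
    return rank, load, findings

def report(policies):
    """Audit every policy; rows sorted by CPU rank, then rekey rate, highest first."""
    rows = [(p["name"],) + audit(p) for p in policies]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)

# Constructed sample policies (hypothetical names, fields, and lifetimes).
SAMPLE = [
    {"name": "branch-a", "action": "protect", "transform": "3DES+SHA1",
     "ike_lifetime_s": 600, "ipsec_lifetime_s": 600},
    {"name": "branch-b", "action": "protect", "transform": "DES+MD5",
     "ike_lifetime_s": 28800, "ipsec_lifetime_s": 3600},
    {"name": "mgmt-lan", "action": "bypass"},
    {"name": "branch-c", "action": "protect", "transform": "3DES",
     "ike_lifetime_s": 1800, "ipsec_lifetime_s": 3600},
]

if __name__ == "__main__":
    for name, rank, load, findings in report(SAMPLE):
        print(f"{name:10} rank={rank} rekeys/h={load:6.3f} {'; '.join(findings) or 'ok'}")
```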