HP-UX IPSec vA.02.00 Performance and Sizing White Paper
Tuning Performance: Maximum Quick Mode SAs
The time required to negotiate the ISAKMP/MM SA is more than 100 times greater than the time
required to negotiate one pair of IPsec/QM SAs, so the number of IPsec/QM SA pairs negotiated per
ISAKMP/MM SA affects performance. The maximum number of IPsec/QM SA pairs negotiated per
ISAKMP/MM SA is configurable. In HP-UX version A.02.00 and later, you configure the maximum
Quick Mode SAs per ISAKMP/MM SA using the maxqm option in the ipsec_config add ike
command. The default value is 100.
Administrators can specify 1 for the maxqm option to force IKE to create a new ISAKMP/MM SA for
each IPsec/QM SA negotiation and perform a Diffie-Hellman exchange for each IPsec/QM
negotiation. This provides Perfect Forward Secrecy (PFS) for the IPsec/QM SA keys and the identities
of the ISAKMP negotiating parties. With PFS, the exposure of one key permits access only to data
protected by that key. In other words, the exposure of the Diffie-Hellman value negotiated in the
ISAKMP/MM SA cannot be used by an intruder to determine the cryptographic keys used for the
IPsec/QM SAs. However, the time required to establish an ISAKMP/MM SA is much longer than the
time required to establish an IPsec/QM SA pair. The aggregate time to establish 100 IPsec/QM SA
pairs is over 51 seconds when using PFS:
(100 * 0.509) + (100 * 0.004) = 51.3 seconds
By comparison, if the default value for maxqm is used (100), the aggregate time to establish 100
IPsec/QM SA pairs is less than one second:
(1 * 0.509) + (100 * 0.004) = 0.909 seconds
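As an added example (not part of the white paper), the two calculations above generalized to any number of IPsec/QM SA pairs and any maxqm value, using the paper's measured costs of 0.509 s per ISAKMP/MM SA and 0.004 s per IPsec/QM SA pair; the function and constant names are assumptions, and the table it prints shows the full PFS-versus-time trade-off rather than only the two endpoints.

```python
import math

# Per-negotiation costs taken from the white paper's worked figures (seconds).
MM_SA_SECONDS = 0.509        # one ISAKMP/Main Mode SA, including its Diffie-Hellman exchange
QM_SA_PAIR_SECONDS = 0.004   # one IPsec/Quick Mode SA pair


def mm_sas_needed(qm_pairs: int, maxqm: int) -> int:
    """Number of ISAKMP/MM SAs required to negotiate qm_pairs IPsec/QM SA pairs
    when at most maxqm QM SA pairs are negotiated per MM SA (the maxqm option)."""
    if qm_pairs < 0 or maxqm < 1:
        raise ValueError("qm_pairs must be >= 0 and maxqm >= 1")
    return math.ceil(qm_pairs / maxqm)


def aggregate_seconds(qm_pairs: int, maxqm: int,
                      mm_seconds: float = MM_SA_SECONDS,
                      qm_seconds: float = QM_SA_PAIR_SECONDS) -> float:
    """Aggregate time = (MM SAs needed * MM cost) + (QM pairs * QM pair cost).
    maxqm=1 reproduces the paper's 51.3 s; maxqm=100 reproduces its 0.909 s."""
    return mm_sas_needed(qm_pairs, maxqm) * mm_seconds + qm_pairs * qm_seconds


def tradeoff_table(qm_pairs: int, maxqm_values):
    """Rows of (maxqm, MM SAs, total seconds, per-QM-pair PFS).
    PFS for each QM SA pair holds only when maxqm == 1, because only then does
    every QM negotiation get its own Diffie-Hellman exchange; any larger value
    shares one MM SA's DH result across several QM SA pairs."""
    return [(m, mm_sas_needed(qm_pairs, m),
             round(aggregate_seconds(qm_pairs, m), 3), m == 1)
            for m in maxqm_values]


if __name__ == "__main__":
    for row in tradeoff_table(100, [1, 2, 5, 10, 25, 50, 100]):
        print("maxqm=%3d  MM SAs=%3d  total=%7.3f s  per-QM-pair PFS=%s" % row)
```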