Skip to content

Instantly share code, notes, and snippets.

@fukusaka

fukusaka/measure_ipsec_throughput.sh

Created April 18, 2010 18:57
Show Gist options
  • Save fukusaka/370470 to your computer and use it in GitHub Desktop.
Save fukusaka/370470 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
measure_ipsec_throughput.sh
#!/bin/bash
#METHOD=netperf
METHOD=nuttcp
HOST=ref1
HOSTIP="192.168.0.2"
TARGETUSER=root
TARGET=target
TARGETIP="192.168.0.3"
TARGETSSH="$TARGETUSER@$TARGET"
[ "x$USER" != "xroot" ] && SUDO=sudo
[ "x$TARGETUSER" != "xroot" ] && TARGETSUDO=sudo
NETPERF=/usr/bin/netperf
NUTTCP=/usr/bin/nuttcp
TARGETNUTTCP=/usr/bin/nuttcp
#TARGETNUTTCP=/usr/local/bin/nuttcp
SETKEY=/usr/sbin/setkey
TARGETSETKEY=/usr/sbin/setkey
DATAPORT=5001
#use_ipcomp=yes
# for Linux
AUTHS="null hmac-md5 hmac-sha1 hmac-sha256 aes-xcbc-mac"
ENCS="null des-cbc 3des-cbc blowfish-cbc aes-cbc twofish-cbc aes-ctr camellia-cbc"
#ENCS="null des-cbc 3des-cbc blowfish-cbc blowfish-cbc-128 blowfish-cbc-256 blowfish-cbc-448 aes-cbc aes-cbc-192 aes-cbc-256 twofish-cbc twofish-cbc-256 aes-ctr aes-ctr-224 camellia-cbc camellia-cbc-192 camellia-cbc-256"
# for Mac OSX
#AUTHS="null hmac-md5 hmac-sha1 hmac-sha256"
#ENCS="null des-cbc 3des-cbc blowfish-cbc aes-cbc "
#AUTHS="null hmac-md5 hmac-sha1"
#ENCS="null aes-cbc aes-ctr blowfish-cbc"
#AUTHS="hmac-sha1"
#ENCS="aes-cbc"
main() {
echo "outbound ($TARGET -> $HOST)" ; measure_ipsec_all $METHOD out
echo "inbound ($TARGET <- $HOST)" ; measure_ipsec_all $METHOD in
}
genkey() {
len=$1
#key=""; for ((i=j=0;i<$len;i+=8,j=(j+1)%10)) do key="$key$j"; done
key=0x`dd if=/dev/urandom bs=1 count=$((len/8)) 2> /dev/null | od -t x1 | sed 's/^[0-9]*//;' | tr -d " \n"`
echo "$key"
}
set_algo() {
auth=$1; enc=$2;
rauth=$auth; rkey=""; AOPT=""; keylen=""
case $auth in
hmac-md5) keylen=128 ;;
hmac-sha1) keylen=160 ;;
#keyed-md5) keylen=128 ;;
#keyed-sha1) keylen=160 ;;
hmac-sha256) keylen=256 ;;
#hmac-sha384) keylen=384 ;;
#hmac-sha512) keylen=512 ;;
#hmac-ripemd160) keylen=160 ;;
aes-xcbc-mac) keylen=128 ;;
*) AOPT='-A null' ;;
esac
if [ "x$AOPT" == "x" ]; then
if [ "x$rkey" == "x" ]; then rkey=`genkey $keylen`; fi
AOPT="-A $rauth $rkey";
fi
renc=$enc; rkey=""; EOPT=""; keylen=""
case $enc in
des-cbc) keylen=64 ;;
3des-cbc) keylen=192 ;;
blowfish-cbc) keylen=40 ;;
blowfish-cbc-128) keylen=128 ;renc="blowfish-cbc";;
blowfish-cbc-256) keylen=256 ;renc="blowfish-cbc";;
blowfish-cbc-448) keylen=448 ;renc="blowfish-cbc";;
#cast128-cbc) keylen=40 ;;
aes-cbc) keylen=128 ;;
aes-cbc-192) keylen=192 ;renc="aes-cbc";;
aes-cbc-256) keylen=256 ;renc="aes-cbc";;
twofish-cbc) keylen=128 ;;
twofish-cbc-256) keylen=256 ;renc="twofish-cbc";;
aes-ctr) keylen=160 ;;
aes-ctr-224) keylen=224 ;renc="aes-ctr";;
#aes-ctr-288) keylen=288 ;renc="aes-ctr";;
camellia-cbc) keylen=128 ;;
camellia-cbc-192) keylen=192 ;renc="camellia-cbc";;
camellia-cbc-256) keylen=256 ;renc="camellia-cbc";;
*) EOPT='-E null' ;;
esac
if [ "x$EOPT" == "x" ]; then
if [ "x$rkey" == "x" ]; then rkey=`genkey $keylen`; fi
EOPT="-E $renc $rkey";
fi
}
LOCALCONF="setkey.local"
REMOTECONF="setkey.remote"
setkey_flush() {
FLUSH="flush; spdflush;"
echo "$FLUSH" > $LOCALCONF;
echo "$FLUSH" > $REMOTECONF;
}
setkey_real() {
$SUDO $SETKEY -f $LOCALCONF;
scp -q $REMOTECONF $TARGETSSH:
ssh $TARGETSSH -- "$TARGETSUDO $TARGETSETKEY -f $REMOTECONF"
}
setkey_clear() { setkey_flush; setkey_real; }
setkey_algo() {
method=$1; direct=$2; auth=$3; enc=$4
[ $direct == "out" ] && rdirect="in" || rdirect="out"
set_algo $auth $enc
setkey_flush
case $direct in
out)
srv="$HOSTIP[$DATAPORT]"
clt="$TARGETIP"
;;
in)
srv="$TARGETIP[$DATAPORT]"
clt="$HOSTIP"
;;
esac
SAD="
add $srv $clt esp 12345 $EOPT $AOPT;
add $clt $srv esp 12346 $EOPT $AOPT;
"
SAD_IPCOMP="
add $srv $clt ipcomp 12347 -C deflate;
add $clt $srv ipcomp 12348 -C deflate;
"
if [ "x$use_ipcomp" == "xyes" ]; then
RULES="ipcomp/transport//use esp/transport//require"
SAD="$SAD$SAD_IPCOMP"
else
RULES="esp/transport//require"
fi
SPD_LOCAL="
spdadd $srv $clt tcp -P $direct ipsec $RULES;
spdadd $clt $srv tcp -P $rdirect ipsec $RULES;
"
SPD_REMOTE="
spdadd $srv $clt tcp -P $rdirect ipsec $RULES;
spdadd $clt $srv tcp -P $direct ipsec $RULES;
"
echo "$SAD$SPD_LOCAL" >> $LOCALCONF;
echo "$SAD$SPD_REMOTE" >> $REMOTECONF;
setkey_real
}
net_measure() {
method=$1; direct=$2; mark="$3";
#ITCPOPTS="-s 16K -S 48K -m 16K"
#OTCPOPTS="-s 8K -S 42K -m 16K"
#NUTTCPOPTS="-T 1"
case $method-$direct in
netperf-out)
$NETPERF -t TCP_MAERTS -H $TARGET -c -C -P 0 -B "$mark" -- -P $DATAPORT $OTCPOPTS
;;
netperf-in)
$NETPERF -t TCP_STREAM -H $TARGET -c -C -P 0 -B "$mark" -- -P $DATAPORT $ITCPOPTS
;;
nuttcp-out)
ssh -f $TARGETSSH -- "$TARGETNUTTCP -1 < /dev/null" ; sleep 1
$NUTTCP -r -I "$mark" -p $DATAPORT $NUTTCPOPTS $TARGET
;;
nuttcp-in)
ssh -f $TARGETSSH -- "$TARGETNUTTCP -1 < /dev/null" ; sleep 1
$NUTTCP -t -I "$mark" -p $DATAPORT $NUTTCPOPTS $TARGET
;;
esac
}
measure_ipsec_all() {
method=$1; direct=$2;
setkey_clear
net_measure $method $direct " noipsec "
for auth in $AUTHS; do
for enc in $ENCS; do
mark=`printf "% 12s/%- 16s" $auth $enc`
setkey_algo $method $direct $auth $enc
net_measure $method $direct "$mark"
done
done
}
main
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment