In a previous post I wrote about what raw SSL performance looks like on a server, briefly mentioning network-level encryption methods. I thought I'd post a brief note on some implications of using MACsec after watching a rather informative Cisco Live session on the topic.
MACsec is ASIC-based line-rate encryption provided by some platforms. The information below comes from Cisco but, given that MACsec is a standard, I'd expect it to be quite close for everyone else. Of course, the devil's in the details of each vendor's implementation.
The facts: for point-to-point direct links, enabling MACsec adds 1-3 µs of latency and the encapsulation adds about 40 extra bytes.
This is done at Layer 2, so those extra bytes of MACsec header MUST fit within the interface MTU or the frame will not be sent! So straight off, in order to support a payload size of 1500, the interfaces have to be configured for jumbo MTUs.
OK, so we're adding ~40B to packets; how will this affect our throughput? The efficiency below is calculated for the MACsec encapsulation only, as size / (size + 40):
- for a 1500B packet, the efficiency will be ~97.4%
- for a 256B packet, the efficiency will be ~86.5%
- for a 64B packet, the efficiency will be ~61.5%
Let that sink in for a minute: if the average packet size is really small, you could lose almost 40% of the throughput of that interface! The trade-off is that you get encryption, but the point here is that capacity planning (and knowing your traffic profile!) becomes quite important when enabling this feature.
I'll end with one last (rather depressing) bit of maths: for the smallest possible Ethernet packet of 64B, the payload is actually 46B (even if the actual data is less, it gets padded up to 46B), yielding a ~72% efficiency.
What if it's a G.729 voice packet (20B of voice data, 4B of cRTP)? That gives a non-encrypted efficiency of 37.5% (data vs. total frame size), but with MACsec the efficiency falls to 23%. That means that on a MACsec-enabled 1Gbps link, you'd be sending 230Mbps of voice, 211Mbps of padding and 559Mbps of encapsulation. Wonderful!
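To make the arithmetic above reusable for capacity planning, here is an added calculator (example code written for this post, not from the original article or from Cisco). It encodes only the assumptions stated above: 40 bytes of MACsec encapsulation per frame, a 64-byte minimum Ethernet frame of which 46 bytes are payload, and padding of smaller payloads up to 46 bytes. It reproduces the per-size efficiencies and the G.729 link budget, and goes one step beyond them with a byte-weighted efficiency for a traffic profile (the sample mix is constructed), which is the number that actually matters when sizing a link.

```python
"""MACsec framing-overhead calculator.

Added example, not code from the original post. Assumptions (from the post):
  * MACsec adds a fixed 40 bytes of encapsulation per frame;
  * the minimum Ethernet frame is 64 bytes, of which 46 bytes are payload,
    and smaller payloads are padded up to 46 bytes.
"Frame size" here means the untagged Ethernet frame (header + payload + FCS),
which is how the post uses "packet size".
"""
from dataclasses import dataclass

MACSEC_OVERHEAD = 40    # bytes of MACsec encapsulation per frame (post's figure)
MIN_FRAME = 64          # smallest Ethernet frame
MIN_PAYLOAD = 46        # payload field of a 64-byte frame
ETH_FRAMING = MIN_FRAME - MIN_PAYLOAD   # 18 bytes: 14-byte header + 4-byte FCS


def macsec_frame_efficiency(frame_bytes: int) -> float:
    """Share of link capacity carrying the original frame: size / (size + 40)."""
    if frame_bytes < MIN_FRAME:
        raise ValueError("Ethernet frames are at least 64 bytes on the wire")
    return frame_bytes / (frame_bytes + MACSEC_OVERHEAD)


@dataclass(frozen=True)
class LinkBudget:
    """Where the bits of a link go for a stream of identical small packets."""
    data_share: float       # useful data (e.g. voice samples + cRTP header)
    padding_share: float    # bytes added to reach the 46-byte minimum payload
    encap_share: float      # Ethernet header/FCS plus MACsec encapsulation


def wire_size(data_bytes: int, macsec: bool) -> int:
    """Bytes on the wire for a frame carrying data_bytes of useful data."""
    payload = max(data_bytes, MIN_PAYLOAD)          # pad up to the minimum payload
    frame = payload + ETH_FRAMING
    return frame + (MACSEC_OVERHEAD if macsec else 0)


def data_efficiency(data_bytes: int, macsec: bool) -> float:
    """Useful data as a fraction of what is actually sent."""
    return data_bytes / wire_size(data_bytes, macsec)


def link_budget(data_bytes: int, macsec: bool = True) -> LinkBudget:
    """Split a link's capacity into data, padding and encapsulation shares."""
    wire = wire_size(data_bytes, macsec)
    padding = max(0, MIN_PAYLOAD - data_bytes)
    encap = wire - data_bytes - padding
    return LinkBudget(data_bytes / wire, padding / wire, encap / wire)


def mix_efficiency(profile: dict, macsec: bool = True) -> float:
    """Byte-weighted efficiency for a traffic profile {frame_bytes: packet share}.

    Values are fractions of *packets*, not bytes, and should sum to 1. Weighting
    by bytes is what determines link utilisation, so a profile dominated by small
    packets by count can still look healthy if the large frames carry most bytes.
    """
    extra = MACSEC_OVERHEAD if macsec else 0
    sent = sum(size * share for size, share in profile.items())
    wire = sum((size + extra) * share for size, share in profile.items())
    return sent / wire


if __name__ == "__main__":
    for size in (1500, 256, 64):
        print(f"{size:5d}B frame: {macsec_frame_efficiency(size):.1%} efficient under MACsec")
    g729 = 20 + 4   # 20 bytes of G.729 voice + 4 bytes of cRTP, per the post
    print(f"G.729 plain: {data_efficiency(g729, False):.1%}, "
          f"MACsec: {data_efficiency(g729, True):.1%}")
    b = link_budget(g729)
    print(f"G.729 over 1 Gbps MACsec: {b.data_share * 1000:.0f} Mbps voice, "
          f"{b.padding_share * 1000:.0f} Mbps padding, "
          f"{b.encap_share * 1000:.0f} Mbps encapsulation")
    # Constructed sample profile: 60% small, 20% medium, 20% full-size frames.
    print(f"sample mix: {mix_efficiency({64: 0.6, 256: 0.2, 1500: 0.2}):.1%}")
```

The three `LinkBudget` shares are exact fractions that sum to the link rate; the post rounds each figure independently so that they add up to 1000Mbps, which is why its encapsulation figure is a Mbps or two above what the calculator prints. The sample mix is the more useful lesson: 60% of packets being 64B sounds alarming, yet byte-weighted efficiency stays around 91% because the 1500B frames carry most of the bytes, so profile your traffic by bytes, not by packet count, before deciding how much headroom MACsec costs you.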
And, as always, thanks for reading.