#!/bin/bash
# IPsec throughput benchmark.  Drives netperf or nuttcp between this host
# and a remote target while cycling through ESP auth/enc algorithm pairs,
# installing each one on both ends with setkey(8).  Everything below is a
# tuneable; edit to match the test bed.

# Measurement tool: "netperf" or "nuttcp".
METHOD=nuttcp
#METHOD=netperf

# This host (the side running the script).
HOST=ref1
HOSTIP="192.168.0.2"

# Remote target, and the ssh user/host used to reach it.
TARGETUSER=root
TARGET=target
TARGETIP="192.168.0.3"
TARGETSSH="${TARGETUSER}@${TARGET}"

# setkey needs privileges; prefix it with sudo when not running as root.
# Left unset (not empty) when no prefix is needed, and expanded unquoted
# where it is used.
if [ "x$USER" != "xroot" ]; then
  SUDO=sudo
fi
if [ "x$TARGETUSER" != "xroot" ]; then
  TARGETSUDO=sudo
fi

# Tool locations, local and on the target.
NETPERF=/usr/bin/netperf
NUTTCP=/usr/bin/nuttcp
TARGETNUTTCP=/usr/bin/nuttcp
#TARGETNUTTCP=/usr/local/bin/nuttcp
SETKEY=/usr/sbin/setkey
TARGETSETKEY=/usr/sbin/setkey

# TCP port the data stream uses; also selects the traffic the SPD matches.
DATAPORT=5001

# Set to "yes" to add an IPComp (deflate) SA in front of ESP.
#use_ipcomp=yes

# Whitespace-separated algorithm lists; every auth x enc pair is measured.
# for Linux
AUTHS="null hmac-md5 hmac-sha1 hmac-sha256 aes-xcbc-mac"
ENCS="null des-cbc 3des-cbc blowfish-cbc aes-cbc twofish-cbc aes-ctr camellia-cbc"
#ENCS="null des-cbc 3des-cbc blowfish-cbc blowfish-cbc-128 blowfish-cbc-256 blowfish-cbc-448 aes-cbc aes-cbc-192 aes-cbc-256 twofish-cbc twofish-cbc-256 aes-ctr aes-ctr-224 camellia-cbc camellia-cbc-192 camellia-cbc-256"
# for Mac OSX
#AUTHS="null hmac-md5 hmac-sha1 hmac-sha256"
#ENCS="null des-cbc 3des-cbc blowfish-cbc aes-cbc "
# smaller subsets for quick runs
#AUTHS="null hmac-md5 hmac-sha1"
#ENCS="null aes-cbc aes-ctr blowfish-cbc"
#AUTHS="hmac-sha1"
#ENCS="aes-cbc"
main() {
  # Run the full algorithm sweep in both directions, labelling each pass.
  printf '%s\n' "outbound ($TARGET -> $HOST)"
  measure_ipsec_all "$METHOD" out
  printf '%s\n' "inbound ($TARGET <- $HOST)"
  measure_ipsec_all "$METHOD" in
}
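genkey() {
  #######################################
  # Print a random key as a 0x-prefixed lowercase hex string.
  # Arguments: $1 - key length in bits (rounded down to whole bytes)
  # Outputs:   the key on stdout
  # Returns:   0 on success; 1 if the length is below one byte or fewer
  #            random bytes than requested could be read
  #######################################
  local len=$1
  local nbytes=$(( len / 8 ))
  local key
  if (( nbytes <= 0 )); then
    printf 'genkey: key length %s bits is less than one byte\n' "$len" >&2
    return 1
  fi
  # -A n: no offset column, -v: never collapse repeated lines into "*"
  key=$(dd if=/dev/urandom bs=1 count="$nbytes" 2>/dev/null \
    | od -A n -v -t x1 | tr -d ' \n')
  # a short read would otherwise produce a silently truncated key
  if (( ${#key} != nbytes * 2 )); then
    printf 'genkey: got %s hex digits, wanted %s\n' "${#key}" "$((nbytes * 2))" >&2
    return 1
  fi
  printf '0x%s\n' "$key"
}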
set_algo() {
  #######################################
  # Build the setkey "add" option strings for one auth/enc pair.
  # Arguments: $1 - authentication algorithm name
  #            $2 - encryption algorithm name
  # Globals:   writes AOPT ("-A <alg> <key>" or "-A null") and
  #            EOPT ("-E <alg> <key>" or "-E null"); also leaves
  #            auth, enc, rauth, renc, rkey, keylen behind as scratch state
  #######################################
  auth=$1; enc=$2

  # Authentication: look up the key length (bits) for $auth.  Any name not
  # listed is passed to setkey as the "null" algorithm with no key.
  rauth=$auth; rkey=""; AOPT=""; keylen=""
  case "$auth" in
    hmac-md5)     keylen=128 ;;
    hmac-sha1)    keylen=160 ;;
    hmac-sha256)  keylen=256 ;;
    aes-xcbc-mac) keylen=128 ;;
    *)            AOPT='-A null' ;;
  esac
  # keyed-md5/keyed-sha1, hmac-sha384/512 and hmac-ripemd160 were noted by
  # the author but not enabled.
  if [ -z "$AOPT" ]; then
    rkey=$(genkey "$keylen")
    AOPT="-A $rauth $rkey"
  fi

  # Encryption: same scheme.  The "-NNN" suffixed names request a longer
  # key for the same base algorithm, so renc holds the name setkey sees.
  renc=$enc; rkey=""; EOPT=""; keylen=""
  case "$enc" in
    des-cbc)          keylen=64 ;;
    3des-cbc)         keylen=192 ;;
    blowfish-cbc)     keylen=40 ;;
    blowfish-cbc-128) keylen=128; renc="blowfish-cbc" ;;
    blowfish-cbc-256) keylen=256; renc="blowfish-cbc" ;;
    blowfish-cbc-448) keylen=448; renc="blowfish-cbc" ;;
    aes-cbc)          keylen=128 ;;
    aes-cbc-192)      keylen=192; renc="aes-cbc" ;;
    aes-cbc-256)      keylen=256; renc="aes-cbc" ;;
    twofish-cbc)      keylen=128 ;;
    twofish-cbc-256)  keylen=256; renc="twofish-cbc" ;;
    aes-ctr)          keylen=160 ;;
    aes-ctr-224)      keylen=224; renc="aes-ctr" ;;
    camellia-cbc)     keylen=128 ;;
    camellia-cbc-192) keylen=192; renc="camellia-cbc" ;;
    camellia-cbc-256) keylen=256; renc="camellia-cbc" ;;
    *)                EOPT='-E null' ;;
  esac
  # cast128-cbc (40-bit) and aes-ctr-288 were noted by the author but not
  # enabled.
  if [ -z "$EOPT" ]; then
    rkey=$(genkey "$keylen")
    EOPT="-E $renc $rkey"
  fi
}
# Scratch setkey config files: one applied here, one copied to the target.
LOCALCONF="setkey.local"
REMOTECONF="setkey.remote"

setkey_flush() {
  # Restart both config files with a full SAD and SPD flush; later entries
  # are appended after this line.
  FLUSH="flush; spdflush;"
  printf '%s\n' "$FLUSH" > "$LOCALCONF"
  printf '%s\n' "$FLUSH" > "$REMOTECONF"
}
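setkey_real() {
  #######################################
  # Apply the local config with setkey, then copy the remote config to the
  # target and apply it there.
  # Globals:   SUDO, SETKEY, LOCALCONF, REMOTECONF, TARGETSSH, TARGETSUDO,
  #            TARGETSETKEY (read)
  # Returns:   0 if all three steps succeeded, 1 otherwise (with a message
  #            on stderr).  Callers ignoring the status will carry on with
  #            the two ends possibly out of step, so the message matters.
  #######################################
  # $SUDO is unquoted on purpose: it is unset when running as root.
  if ! $SUDO "$SETKEY" -f "$LOCALCONF"; then
    printf 'setkey_real: local setkey -f %s failed\n' "$LOCALCONF" >&2
    return 1
  fi
  if ! scp -q "$REMOTECONF" "$TARGETSSH:"; then
    printf 'setkey_real: scp of %s to %s failed\n' "$REMOTECONF" "$TARGETSSH" >&2
    return 1
  fi
  if ! ssh "$TARGETSSH" -- "$TARGETSUDO $TARGETSETKEY -f $REMOTECONF"; then
    printf 'setkey_real: remote setkey on %s failed\n' "$TARGETSSH" >&2
    return 1
  fi
}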
setkey_clear() {
  # Flush SAD and SPD on both ends and apply the (now empty) configs.
  setkey_flush
  setkey_real
}
setkey_algo() {
  #######################################
  # Write and apply the SAD/SPD entries for one algorithm pair and one
  # traffic direction.
  # Arguments: $1 - method (unused here, passed along for symmetry)
  #            $2 - "out" or "in", the policy direction as seen from HOST
  #            $3 - authentication algorithm
  #            $4 - encryption algorithm
  # Globals:   reads HOSTIP, TARGETIP, DATAPORT, use_ipcomp and the
  #            AOPT/EOPT strings produced by set_algo; appends to
  #            LOCALCONF and REMOTECONF
  #######################################
  method=$1; direct=$2; auth=$3; enc=$4

  # The remote end sees the mirror image of our policy direction.
  if [ "$direct" = "out" ]; then
    rdirect="in"
  else
    rdirect="out"
  fi

  set_algo "$auth" "$enc"
  setkey_flush

  # srv is the side that owns DATAPORT, clt the other one.
  case "$direct" in
    out)
      srv="$HOSTIP[$DATAPORT]"
      clt="$TARGETIP"
      ;;
    in)
      srv="$TARGETIP[$DATAPORT]"
      clt="$HOSTIP"
      ;;
  esac

  # One ESP SA per direction, with fixed SPIs; same on both ends.
  SAD="
add $srv $clt esp 12345 $EOPT $AOPT;
add $clt $srv esp 12346 $EOPT $AOPT;
"
  SAD_IPCOMP="
add $srv $clt ipcomp 12347 -C deflate;
add $clt $srv ipcomp 12348 -C deflate;
"
  if [ "x$use_ipcomp" = "xyes" ]; then
    RULES="ipcomp/transport//use esp/transport//require"
    SAD="$SAD$SAD_IPCOMP"
  else
    RULES="esp/transport//require"
  fi

  # The policies only differ in which direction label each side gets.
  SPD_LOCAL="
spdadd $srv $clt tcp -P $direct ipsec $RULES;
spdadd $clt $srv tcp -P $rdirect ipsec $RULES;
"
  SPD_REMOTE="
spdadd $srv $clt tcp -P $rdirect ipsec $RULES;
spdadd $clt $srv tcp -P $direct ipsec $RULES;
"
  printf '%s\n' "$SAD$SPD_LOCAL" >> "$LOCALCONF"
  printf '%s\n' "$SAD$SPD_REMOTE" >> "$REMOTECONF"
  setkey_real
}
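net_measure() {
  #######################################
  # Run one throughput measurement with the selected tool.
  # Arguments: $1 - "netperf" or "nuttcp"
  #            $2 - "out" or "in"
  #            $3 - label attached to the tool's output for this run
  # Globals:   NETPERF, NUTTCP, TARGETNUTTCP, TARGET, TARGETSSH, DATAPORT
  #            (read); ITCPOPTS, OTCPOPTS, NUTTCPOPTS (optional extra
  #            options, read unquoted so they word-split)
  # Returns:   the tool's status, or 1 for an unknown method/direction
  #######################################
  method=$1; direct=$2; mark="$3"
  #ITCPOPTS="-s 16K -S 48K -m 16K"
  #OTCPOPTS="-s 8K -S 42K -m 16K"
  #NUTTCPOPTS="-T 1"
  case "$method-$direct" in
    netperf-out)
      "$NETPERF" -t TCP_MAERTS -H "$TARGET" -c -C -P 0 -B "$mark" -- -P "$DATAPORT" $OTCPOPTS
      ;;
    netperf-in)
      "$NETPERF" -t TCP_STREAM -H "$TARGET" -c -C -P 0 -B "$mark" -- -P "$DATAPORT" $ITCPOPTS
      ;;
    nuttcp-out)
      # Start nuttcp -1 on the target in the background, give it a second
      # to come up, then run the local side against it.
      ssh -f "$TARGETSSH" -- "$TARGETNUTTCP -1 < /dev/null"; sleep 1
      "$NUTTCP" -r -I "$mark" -p "$DATAPORT" $NUTTCPOPTS "$TARGET"
      ;;
    nuttcp-in)
      ssh -f "$TARGETSSH" -- "$TARGETNUTTCP -1 < /dev/null"; sleep 1
      "$NUTTCP" -t -I "$mark" -p "$DATAPORT" $NUTTCPOPTS "$TARGET"
      ;;
    *)
      # previously fell through silently and measured nothing
      printf 'net_measure: unsupported method/direction "%s-%s"\n' "$method" "$direct" >&2
      return 1
      ;;
  esac
}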
measure_ipsec_all() {
  #######################################
  # Measure a baseline with no IPsec, then every auth x enc pair from
  # AUTHS and ENCS, in one direction.
  # Arguments: $1 - method ("netperf" or "nuttcp")
  #            $2 - "out" or "in"
  # Globals:   AUTHS, ENCS (read); auth, enc, mark (scratch)
  #######################################
  method=$1; direct=$2
  setkey_clear
  net_measure "$method" "$direct" " noipsec "
  for auth in $AUTHS; do
    for enc in $ENCS; do
      # fixed-width "auth/enc" label so the output columns line up
      mark=$(printf "% 12s/%- 16s" "$auth" "$enc")
      setkey_algo "$method" "$direct" "$auth" "$enc"
      net_measure "$method" "$direct" "$mark"
    done
  done
}
# entry point (arguments are currently ignored by main)
main "$@"