[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf_key comments

To: dennis.glatting@plaintalk.bellevue.wa.us
Subject: Re: pf_key comments
From: "Perry E. Metzger" <perry@piermont.com>
Date: Fri, 03 Jan 1997 15:08:12 -0500
cc: ipsec@tis.com
In-reply-to: Your message of "Fri, 03 Jan 1997 11:44:18 PST." <199701031944.LAA01547@imo.plaintalk.bellevue.wa.us>
Reply-To: perry@piermont.com
Sender: owner-ipsec@ex.tis.com


Dennis Glatting writes:
> However, if we assume a 100mbs ethernet link ~85% efficient and
> 1024 byte packets (and enough CPU juice to handle that data :),
> that's ~10k packets per second. Using 8 bytes of random IV for
> each packet the kernel will require ~80k of random IV per
> second.
> 
> It seems unreasonable for the kernel to acquire that amount of
> data from a user level process each second; however, I wonder
> whether pseudo random data generators can produce that amount
> of data at that rate too.

If you can't crank a block cipher fast enough to generate a random
sequence good enough for IVs, then you can't crank it fast enough to
encrypt the plaintext, either.

> If not, then pseudo random IV is useful
> for slow packet rates in which case it may be reasonable for the
> kernel to request random data from a user level process.

I don't understand. If the kernel can't crank a cipher at a given
rate, why would userland?

Perry

References:

Re: pf_key comments

From: Dennis Glatting <dennis.glatting@plaintalk.bellevue.wa.us>

Prev by Date: Re: pf_key comments
Next by Date: Re: pf_key comments
Prev by thread: Re: pf_key comments
Next by thread: Re: pf_key comments (random number generation)
Index(es):
- Main
- Thread