
Re: IPsec and TCP



>  You'd be lucky 
>  to see 5 keys exchanged a second with Diffie-Hellman.  Has anyone 
>  measured (or at least estimated) the performance metrics for IPsec 
>  routers (and hosts) to exchange/update keys?  And on total IPsec
>  routing performance, say with a mixture of clear and encrypted links,
>  using various key update intervals. 

Luck has very little to do with it; modulus size and implementation are
more relevant.  Also key lifetime and number of different SAs needed per
unit time.

You can do much better than 200 msec for a reasonably secure DH, but there's
no question that it imposes a severe computational burden, and you also need
to add the cost of authentication.  In cases where the participants are static,
it shouldn't be necessary to do DH very often.  In the case of a server
machine establishing hundreds(?) of different client connections per second,
the authenticated keying might well swamp the machine, leading to need for
a second processor.

Hilarie
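The reply above boils the question down to four inputs: modulus size, key lifetime, the number of distinct SAs needed per unit time, and the extra cost of authentication. The script below is an added example, not code from the thread or from any IPsec implementation; it times a full Diffie-Hellman exchange at several modulus sizes and then turns the reply's capacity argument into arithmetic. It assumes that the modular exponentiation dominates DH cost, uses constructed random odd moduli of the target size as stand-ins for real MODP primes (fine for timing, not a secure group), and treats authentication as a caller-supplied per-exchange cost.

```python
"""Cost model for IKE-style Diffie-Hellman keying on a busy IPsec endpoint.

Added example, not part of the original mailing-list thread.  Assumptions:
  - a modular exponentiation on a `bits`-bit modulus dominates DH cost; the
    moduli here are random odd numbers of the right size (constructed
    stand-ins for real MODP primes: fine for timing, NOT a secure group).
  - one party spends two modexps per exchange (public value + shared secret).
  - authentication (signatures, certificate checks) is a separate
    per-exchange cost supplied by the caller.
"""
import math
import secrets
import time


def stand_in_modulus(bits):
    """Random odd integer with the top bit set.  Constructed for timing only:
    pow() cost depends on operand size, not on primality."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def dh_exchange(p, g, exp_bits):
    """One unauthenticated DH exchange between two parties.
    Returns (alice_secret, bob_secret); the two values must agree."""
    a = secrets.randbits(exp_bits) | 1       # Alice's private exponent
    b = secrets.randbits(exp_bits) | 1       # Bob's private exponent
    ya = pow(g, a, p)                        # Alice's public value
    yb = pow(g, b, p)                        # Bob's public value
    return pow(yb, a, p), pow(ya, b, p)      # shared secret, computed by each side


def seconds_per_exchange(bits, exp_bits=256, trials=5):
    """Wall-clock seconds ONE party spends on a DH exchange (two modexps)
    with a `bits`-bit modulus, averaged over `trials` runs."""
    p = stand_in_modulus(bits)
    g = 2
    start = time.perf_counter()
    for _ in range(trials):
        dh_exchange(p, g, exp_bits)
    elapsed = time.perf_counter() - start
    # dh_exchange does both parties' work (four modexps); one party does two.
    return elapsed / trials / 2


def required_dh_rate(new_sas_per_sec, live_sas, sa_lifetime_sec):
    """DH exchanges per second the endpoint must sustain: fresh keying for
    every new SA plus periodic rekeying of the long-lived ones (the key
    lifetime and SAs-per-unit-time terms from the reply)."""
    if sa_lifetime_sec <= 0:
        raise ValueError("SA lifetime must be positive")
    return new_sas_per_sec + live_sas / sa_lifetime_sec


def processors_needed(dh_rate, sec_per_dh, sec_per_auth=0.0, headroom=0.7):
    """Processors needed to keep keying work below `headroom` utilisation."""
    load = dh_rate * (sec_per_dh + sec_per_auth)   # CPU-seconds per second
    return max(1, math.ceil(load / headroom))


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        t = seconds_per_exchange(bits)
        print(f"{bits}-bit modulus: {t * 1e3:7.2f} ms/exchange, "
              f"{1 / t:8.1f} exchanges/s per processor")

    # Static site-to-site pair: four SAs rekeyed hourly, essentially free.
    print("site-to-site:", required_dh_rate(0, 4, 3600), "DH/s")

    # Constructed server scenario: 300 new clients/s plus 10 000 live SAs
    # rekeyed hourly, with a hypothetical 2 ms authentication cost each.
    rate = required_dh_rate(300, 10_000, 3600)
    print("server:", round(rate, 1), "DH/s ->",
          processors_needed(rate, seconds_per_exchange(1024), sec_per_auth=0.002),
          "processor(s)")
```

Run it once per candidate modulus size on the actual hardware; the per-exchange time it reports, multiplied by the measured SA arrival rate plus the rekey rate implied by the chosen lifetime, is the figure that decides whether a second processor is needed. Note that `seconds_per_exchange` is CPython big-integer arithmetic, so absolute numbers will be far slower than a tuned native implementation; the ratios between modulus sizes are what carry over.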



