Re: ISAKMP performance



-----BEGIN PGP SIGNED MESSAGE-----


In message <33c2a4fe0.346c@databus.databus.com>, Barney Wolff writes:
>The issue of ISAKMP performance has come up on the l2tp list, with
>a claim that the Diffie-Hellman negotiation takes too long to be
>viable when a box comes up after a failure.  Does anyone have any
>figures on this, or a URL?

The DH itself is not a big issue (although, if you have to
re-establish 200 SAs...), but factor in the hashes/RSA signatures/DES
encryption/lookups (files and/or DNS), and it adds up to quite a few
seconds.

My implementation (which did NOT do RSA signatures, but static key
authentication) took anywhere between 7 and 12 seconds on a lightly
loaded P120 (with *no* network delays) to establish an SA (that is,
establish an ISAKMP SA and then an IPsec SA). Subsequent IPsec SAs
took about 3 seconds. Take these numbers with a grain of salt, as i
wasn't exactly doing any real measurements.

As a comparison, Photuris draft-8 *with* RSA signatures took 5 seconds
(on a P90, too!); i didn't get to implement the SPI_UPDATE messages
back then, so i don't know what the cost of additional SAs would be
(but presumably less than 5 seconds).

All of the above are with an optimized (i'm told) maths library (GMP),
but no hardware assistance for DES/MD5/SHA1.
- -Angelos


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBM8K0H70pBjh2h1kFAQHfkQP+PAbqz2m79NLYT6h5SYac2sUSPsrty5iX
wcOJvMsUB/eDVN1g0E/N9lIOPDhrNYdocJuNQZ6nJpSVAOxm8uYZE75NxUKWJpMF
BDNPYTcoeFAvOrMgCJJeQEus4DX7NLxftMbpbarS+hdexBRnSPf7tuBS9ZZX/I3m
VxBBuFMrYe4=
=qz3e
-----END PGP SIGNATURE-----
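The reply above gives wall-clock figures for a full ISAKMP plus IPsec SA set-up and notes that the cost multiplies when a box has to re-establish hundreds of SAs after a failure. The harness below is an added example, not code from the thread or from any IKE implementation: it times the Diffie-Hellman and key-derivation share of one exchange on whatever machine runs it and scales that to an SA count. The 1024-bit modulus is constructed with a fixed seed purely for timing (it is not an Oakley group and is not checked for primality; modexp cost depends on operand size, not on the modulus being prime), and the HMAC step only mimics the shape of an IKE SKEYID derivation.

```python
"""Added example: estimate the DH share of re-establishing many SAs."""
import hashlib
import hmac
import random
import secrets
import time

# Constructed 1024-bit odd modulus, fixed seed so runs are repeatable.
# NOT an IKE/Oakley group and not tested for primality: only the size
# matters for a modexp timing estimate.
_seeded = random.Random(0xC0FFEE)
MODULUS = _seeded.getrandbits(1024) | (1 << 1023) | 1
GENERATOR = 2


def dh_keypair(modulus=MODULUS, generator=GENERATOR, rng=None):
    """Return (private, public) for one party; costs one modexp."""
    rng = rng or random.SystemRandom()
    priv = rng.randrange(2, modulus - 1)
    return priv, pow(generator, priv, modulus)


def dh_shared(priv, peer_pub, modulus=MODULUS):
    """Shared value as fixed-width big-endian bytes; costs one modexp."""
    width = (modulus.bit_length() + 7) // 8
    return pow(peer_pub, priv, modulus).to_bytes(width, "big")


def derive_skeyid(shared, nonce_i, nonce_r):
    """SKEYID-shaped derivation: HMAC-SHA1 keyed with the nonces over the
    DH result. Included so the symmetric cost is measured alongside DH."""
    return hmac.new(nonce_i + nonce_r, shared, hashlib.sha1).digest()


def time_one_exchange(modulus=MODULUS, generator=GENERATOR):
    """Run a two-party DH exchange plus key derivation.
    Returns (secrets_match, dh_seconds, prf_seconds)."""
    rng = random.SystemRandom()
    t0 = time.perf_counter()
    a_priv, a_pub = dh_keypair(modulus, generator, rng)
    b_priv, b_pub = dh_keypair(modulus, generator, rng)
    a_shared = dh_shared(a_priv, b_pub, modulus)
    b_shared = dh_shared(b_priv, a_pub, modulus)
    t1 = time.perf_counter()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    k_a = derive_skeyid(a_shared, nonce_i, nonce_r)
    k_b = derive_skeyid(b_shared, nonce_i, nonce_r)
    t2 = time.perf_counter()
    return (a_shared == b_shared and k_a == k_b), t1 - t0, t2 - t1


def estimate_recovery(n_sas, samples=5):
    """Median per-SA DH+PRF cost over `samples` exchanges, scaled to n_sas.
    Returns (per_sa_seconds, total_seconds). Signatures, cipher setup and
    file/DNS lookups mentioned in the thread are NOT modelled here."""
    costs = []
    for _ in range(samples):
        ok, dh_s, prf_s = time_one_exchange()
        if not ok:
            raise RuntimeError("DH exchange mismatch")
        costs.append(dh_s + prf_s)
    costs.sort()
    per_sa = costs[len(costs) // 2]
    return per_sa, per_sa * n_sas


if __name__ == "__main__":
    per_sa, total = estimate_recovery(200)
    print(f"per SA: {per_sa * 1e3:.2f} ms; 200 SAs: {total:.3f} s (DH+PRF only)")
```

Running it shows how small the pure DH share is on current hardware compared with the multi-second figures quoted for a P120; the remaining cost in a real IKE daemon comes from the signature, cipher and lookup work the reply lists, which this harness deliberately leaves out.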
