Re: Re[2]: ISAKMP performance
On Tue, 15 Jul 1997 pcalhoun@usr.com wrote:
> Using hardware acceleration, a security server will only be able to
> generate about 6 SAs/second (assume the DH exchange, the signing and
> the verification). Now certainly it is possible to add more hardware,
> but read below before we go on this thread.
>
> Keep in mind that some of the newer NAS' can support upwards to 1000
> ports.
>
> Understandably an SA can have a long life, say based on time.
>
> Now certainly the initial boot-up where all the calls come in
> simultaneously is a problem (about 3 minutes), but let's look at a
> more serious problem. Say the average call lasts 1 hour, that means
> that over a 24 hour period a NAS would have to cache about 24000
> entries. Assume that an SA takes up about 128 bytes (should be less,
> but it is easier on the math :) that would be 3Mb of cached SAs. Since
> we are dealing with embedded boxes, they do not have virtual memory
> available :(
Having dynamic SAs time out after an idle period of say 4 hours would
mean that even a fully loaded NAS would never have to cache more than 5,000
SAs, which only takes 625 KB.
Norm
Norman Shulman Secure Computing Canada
Systems Developer Tel 1 416 813 2075
norm@tor.securecomputing.com Fax 1 416 813 2001
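
The sizing argument in this thread, as an added example that is not part of the original messages: an SA table with an idle timeout, driven by the workload the thread describes (1000 ports, 1-hour calls, 128-byte SAs). The names `SACache` and `simulate` are hypothetical, and the workload assumes every port is busy back-to-back with a new peer on each call.

```python
from collections import OrderedDict

SA_BYTES = 128  # per-SA size assumed in the thread


class SACache:
    """SA table keyed by peer; entries idle for idle_timeout seconds are dropped."""

    def __init__(self, idle_timeout=None):
        self.idle_timeout = idle_timeout  # None means SAs are never expired
        self.last_used = OrderedDict()    # peer -> last use time, oldest first
        self.peak = 0

    def expire(self, now):
        if self.idle_timeout is None:
            return
        while self.last_used:
            peer, t = next(iter(self.last_used.items()))
            if now - t < self.idle_timeout:
                break                     # everything after this is newer
            self.last_used.popitem(last=False)

    def touch(self, peer, now):
        """Record use of the SA for peer, creating it if it is not cached."""
        self.expire(now)
        self.last_used[peer] = now
        self.last_used.move_to_end(peer)
        self.peak = max(self.peak, len(self.last_used))


def simulate(ports=1000, call_secs=3600, calls_per_port=24, idle_timeout=None):
    """Return the peak number of cached SAs for the constructed workload."""
    cache = SACache(idle_timeout)
    active = []
    for h in range(calls_per_port + 1):
        now = h * call_secs
        for peer in active:               # calls started one call-length ago end now
            cache.touch(peer, now)
        active = []
        if h < calls_per_port:            # each port is taken by a new peer
            active = [(h, port) for port in range(ports)]
            for peer in active:
                cache.touch(peer, now)
    return cache.peak


if __name__ == "__main__":
    for timeout in (None, 4 * 3600):
        peak = simulate(idle_timeout=timeout)
        print(timeout, peak, peak * SA_BYTES / 1024, "KB")
```

With no timeout the table grows to 24000 entries over the day; with a 4-hour idle timeout it peaks at 5000 entries, which is 625 KB at 128 bytes each.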