
Re: Re[2]: ISAKMP performance



On Tue, 15 Jul 1997 pcalhoun@usr.com wrote:

>      Using hardware acceleration, a security server will only be able to 
>      generate about 6 SAs/second (assume the DH exchange, the signing and 
>      the verification). Now certainly it is possible to add more hardware, 
>      but read below before we go on this thread. 
>      
>      Keep in mind that some of the newer NAS' can support upwards to 1000 
>      ports.
>      
>      Understandably an SA can have a long life, say based on time.
>      
>      Now certainly the initial boot-up where all the calls come in 
>      simultaneously is a problem (about 3 minutes), but let's look at a 
>      more serious problem. Say the average call lasts 1 hour, that means 
>      that over a 24 hour period a NAS would have to cache about 24000 
>      entries. Assume that an SA takes up about 128 bytes (should be less, 
>      but it is easier on the math :) that would be 3Mb of cached SAs. Since 
>      we are dealing with embedded boxes, they do not have virtual memory 
>      available :(

Having dynamic SAs time out after an idle period of say 4 hours would
mean that even a fully loaded NAS would never have to cache more than 5,000
SAs, which only takes 625 KB.

Norm


                    Norman Shulman      Secure Computing Canada
     	         Systems Developer      Tel 1 416 813 2075
      norm@tor.securecomputing.com      Fax 1 416 813 2001
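
The sizing argument in this exchange, worked as a small simulation. This is an added example, not part of the original post or of any ISAKMP implementation. It assumes every call comes from a new peer, each port takes its next call the instant the previous one ends, and an SA's idle clock starts when its call ends; the function names are hypothetical.

```python
from collections import deque

SA_BYTES = 128  # per-SA size assumed in the quoted message


def peak_cached_sas(ports, call_secs, idle_timeout_secs, horizon_secs):
    """Peak number of SAs cached by a fully loaded NAS.

    idle_timeout_secs=None models a cache that never evicts within
    the horizon; otherwise an SA is dropped once it has been idle
    for the full timeout.
    """
    idle = deque()      # (time the call ended, SA count), oldest first
    idle_total = 0
    peak = 0
    for now in range(0, horizon_secs, call_secs):
        if now > 0:
            # Calls started one call-length ago end now; their SAs go idle.
            idle.append((now, ports))
            idle_total += ports
        # Evict every batch that has been idle for the full timeout.
        while (idle_timeout_secs is not None and idle
               and now - idle[0][0] >= idle_timeout_secs):
            idle_total -= idle.popleft()[1]
        # Each port takes a new call, which negotiates a new SA.
        peak = max(peak, idle_total + ports)
    return peak


def cache_bytes(sa_count):
    """Memory needed to hold sa_count SAs at SA_BYTES each."""
    return sa_count * SA_BYTES


if __name__ == "__main__":
    HOUR = 3600
    for label, timeout in (("no eviction", None), ("4 h idle timeout", 4 * HOUR)):
        n = peak_cached_sas(1000, HOUR, timeout, 24 * HOUR)
        print(f"{label}: {n} SAs, {cache_bytes(n) / 1024:.0f} KB")
```
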




