
Re: Re[2]: ISAKMP performance



Alex Alten wrote:
> > On Tue, 15 Jul 1997 pcalhoun@usr.com wrote:
> > 
> > >    Using hardware acceleration, a security server will only be able to 
> > >    generate about 6 SAs/second (assume the DH exchange, the signing and 
> > >    the verification). Now certainly it is possible to add more hardware, 
> > >    but read below before we go on this thread. 
> > >      
> 
> 6 key setups per second is too slow.  I believe about 1000/sec
> will be needed (in software).

Is your local service provider using a Cray as his NAS? You're not gonna
see a D-H exchange with any realistic prime plus a digital sign and verify
with any reasonably secure modulus in anything close to 1/1000 of a second!

	FAST, CHEAP, SECURE: pick any two.

And this has _nothing_ to do with ISAKMP either; any scheme which 
authenticates a Diffie-Hellman with digital signatures-- like SKIP or 
Photuris-- would have similar performance.

  Dan.


