[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Re[2]: ISAKMP performance
Alex Alten wrote:
> > On Tue, 15 Jul 1997 pcalhoun@usr.com wrote:
> >
> > > Using hardware acceleration, a security server will only be able to
> > > generate about 6 SAs/second (assume the DH exchange, the signing and
> > > the verification). Now certainly it is possible to add more hardware,
> > > but read below before we go on this thread.
> > >
>
> 6 key setups per second is too slow. I believe about 1000/sec
> will be needed (in software).
Is your local service provider using a cray as his NAS? You're not gonna
see a D-H exchanges with any realistic prime plus a digital sign and verify
with any reasonably secure modulus in anything close to 1/1000 of a second!
FAST, CHEAP, SECURE: pick any two.
And this has _nothing_ to do with ISAKMP either; any scheme which
authenticates a Diffie-Hellman with digital signatures-- like SKIP or
Photuris-- would have similar performance.
Dan.
Follow-Ups:
References: