Re: Re[2]: ISAKMP performance
Date: Wed, 16 Jul 1997 10:38:40 -0700
From: Daniel Harkins <dharkins@cisco.com>
Is your local service provider using a Cray as his NAS? You're not gonna
see a D-H exchange with any realistic prime plus a digital sign and verify
with any reasonably secure modulus in anything close to 1/1000 of a second!
FAST, CHEAP, SECURE: pick any two.
And this has _nothing_ to do with ISAKMP either; any scheme which
authenticates a Diffie-Hellman with digital signatures-- like SKIP or
Photuris-- would have similar performance.
Dan's absolutely right.
Your only other choice if you need that kind of authentication speed is
to use a system based on secret-key technology, such as Kerberos.
(Hint: there's a reason why Microsoft selected Kerberos as its
authentication technology for intra-domain authentication for NT.)
- Ted
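
Added example, not part of the original message: a timing sketch that compares one party's Diffie-Hellman work (two modular exponentiations) with one secret-key MAC computation, to put a number on the cost gap the thread describes. The modulus, the message and all function names are assumptions made for the example; HMAC-SHA256 stands in for a generic secret-key operation, and signature sign/verify is left out, so the public-key figure is a lower bound.

```python
import hmac
import secrets
import time

# Stand-in 1024-bit odd modulus for timing only (assumption of this example).
# It is not a vetted Diffie-Hellman group and must not be used as one.
P = 2**1024 - 105
G = 2
PEER_PUBLIC = pow(G, secrets.randbits(1023) | 1, P)  # constructed peer value


def dh_agree():
    """Run both sides of the exchange and return the two derived secrets."""
    a = secrets.randbits(1023) | 1
    b = secrets.randbits(1023) | 1
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    return pow(pub_b, a, P), pow(pub_a, b, P)


def dh_one_side():
    """One party's cost: compute own public value, then the shared secret."""
    x = secrets.randbits(1023) | 1
    public = pow(G, x, P)
    shared = pow(PEER_PUBLIC, x, P)
    return public, shared


def seconds_per_call(fn, rounds):
    """Average wall-clock seconds for one call of fn."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def compare(dh_rounds=20, mac_rounds=20000):
    """Time the public-key side against a secret-key MAC on this machine."""
    key = secrets.token_bytes(32)
    msg = b"constructed authenticator: client, timestamp, nonce"
    dh = seconds_per_call(dh_one_side, dh_rounds)
    mac = seconds_per_call(lambda: hmac.digest(key, msg, "sha256"), mac_rounds)
    return {"dh_side": dh, "hmac": mac, "ratio": dh / mac}


if __name__ == "__main__":
    result = compare()
    print(f"D-H, one side : {result['dh_side'] * 1e3:.3f} ms")
    print(f"HMAC-SHA256   : {result['hmac'] * 1e6:.3f} us")
    print(f"ratio         : {result['ratio']:.0f}x")
```

The absolute figures depend on the machine and the bignum implementation; the ratio between the two rows is the point of comparison.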