
Re: Re[2]: ISAKMP performance



   Date: Wed, 16 Jul 1997 10:38:40 -0700
   From: Daniel Harkins <dharkins@cisco.com>

   Is your local service provider using a Cray as his NAS? You're not gonna
   see a D-H exchange with any realistic prime plus a digital sign and verify
   with any reasonably secure modulus in anything close to 1/1000 of a second!

	   FAST, CHEAP, SECURE: pick any two.

   And this has _nothing_ to do with ISAKMP either; any scheme which 
   authenticates a Diffie-Hellman with digital signatures-- like SKIP or 
   Photuris-- would have similar performance.

Dan's absolutely right.

Your only other choice if you need that kind of authentication speed is
to use a system based on secret-key technology, such as Kerberos.
(Hint: there's a reason why Microsoft selected Kerberos as its
authentication technology for intra-domain authentication for NT.)

						- Ted

