
Re: Re[2]: ISAKMP performance
> From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
> 
> Discussion of the possibility of designing some other key management
> protocol for ipsec is (barely) in order, although at this point if this
> discussion gets extensive Bob and I would probably recommend starting a
> separate working group to avoid bogging down existing efforts.
Before designing some other key management protocol, it would be
worthwhile considering if the existing protocol can meet the performance
requirements.

ISAKMP was designed to use two phases precisely to allow the sort of
performance tradeoffs being discussed.  It seems to me that a NAS which
required 1000 SA establishments per second, with, say, an average
connection lifetime of 5 minutes (300 seconds), would be capable of
supporting 300,000 simultaneous connections!  I would expect such a
mongo box to have enough non-volatile memory (disk or flash) to be able
to cache enough phase 1 SAs to reduce the miss rate (the required rate
of D-H calculations) to acceptably low levels.
What size KDC would it take to support N NASes, each doing 1000
connections per second?
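The arithmetic in the post above (1000 SAs/s times a 300 s lifetime gives 300,000 live connections) and the phase-1 caching argument can be checked with a small model. The code below is an added example, not part of the original message or of any ISAKMP implementation. Its assumptions are mine, not the poster's: phase-1 SAs are keyed by peer identity and held in an LRU cache with a fixed lifetime, phase-2 (per-connection) requests arrive as a Poisson process spread uniformly over the peer population, and every cache miss costs exactly one Diffie-Hellman computation. The peer counts, cache sizes and lifetimes in the usage block are constructed values chosen to exercise the model.

```python
"""Toy model of the two-phase ISAKMP tradeoff discussed in the post above.

Phase 1 (the D-H exchange) is done once per peer and cached; phase 2
(per-connection SA setup) reuses the cached phase-1 SA.  The D-H rate a
box must sustain is therefore the phase-1 cache miss rate times the
phase-2 request rate.

Assumptions (mine, not from the original post): phase-1 SAs are keyed by
peer identity, held in an LRU cache with a fixed lifetime; connection
requests arrive as a Poisson process spread uniformly over the peers;
every miss costs exactly one D-H computation.
"""
import random
from collections import OrderedDict


def concurrent_connections(sa_per_second, lifetime_s):
    """Little's law: mean number in system = arrival rate * mean lifetime."""
    return sa_per_second * lifetime_s


class Phase1Cache:
    """LRU cache of phase-1 SAs, keyed by peer, each expiring after lifetime_s."""

    def __init__(self, capacity, lifetime_s):
        self.capacity = capacity
        self.lifetime = lifetime_s
        self.entries = OrderedDict()   # peer -> time the phase-1 SA was established
        self.dh_ops = 0                # D-H computations performed (one per miss)

    def lookup(self, peer, now):
        """Return True on a phase-1 cache hit; on a miss, account for one D-H."""
        established = self.entries.get(peer)
        if established is not None and now - established < self.lifetime:
            self.entries.move_to_end(peer)     # refresh LRU position
            return True
        self.dh_ops += 1
        if established is not None:            # expired entry: replace it
            del self.entries[peer]
        elif self.capacity and len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)    # evict least recently used peer
        if self.capacity:
            self.entries[peer] = now
        return False


def simulate(peers, capacity, phase1_lifetime_s, sa_per_second, duration_s, seed=1):
    """Drive phase-2 requests through the cache and report the resulting D-H load."""
    rng = random.Random(seed)                  # seeded so the run is reproducible
    cache = Phase1Cache(capacity, phase1_lifetime_s)
    requests = 0
    now = 0.0
    while now < duration_s:
        cache.lookup(rng.randrange(peers), now)
        requests += 1
        now += rng.expovariate(sa_per_second)  # Poisson arrivals
    return {
        "phase2_requests": requests,
        "dh_ops": cache.dh_ops,
        "miss_rate": cache.dh_ops / requests,
        "dh_per_second": cache.dh_ops / duration_s,
    }


if __name__ == "__main__":
    # Constructed scenario matching the post: 1000 SAs/s, 5-minute connections.
    print("concurrent connections:", concurrent_connections(1000, 300))
    # Constructed: 20,000 distinct peers, 8-hour phase-1 lifetime, 200 s of traffic,
    # with the phase-1 cache sized at 5%, 50% and 100% of the peer population.
    for capacity in (1000, 10000, 20000):
        r = simulate(peers=20000, capacity=capacity, phase1_lifetime_s=8 * 3600,
                     sa_per_second=1000, duration_s=200)
        print(f"cache={capacity:6d} miss_rate={r['miss_rate']:.3f} "
              f"D-H/s={r['dh_per_second']:.1f}")
```

The run shows the point being argued: once the cache covers the peer population and the phase-1 lifetime is long, the D-H rate collapses to roughly the rate at which previously unseen peers appear, while an undersized cache under uniform access leaves the miss rate near (1 - capacity/peers). Uniform access is the pessimistic case; a skewed real population (a few peers responsible for most reconnects) gets a higher hit rate for the same cache size.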

