
Re: Re[4]: ISAKMP performance
      Supporting a total of, say, 6 a second is really too low.

One could get up to 20-50 per second commonly, perhaps, with elliptic
curve groups for both the DH and signature, but there is definitely a
penalty associated with the blessing of public key technology.

However, there are ways to engineer this, aren't there?  One could
cache the keying security association on something non-volatile (even
a trusted third party) and use it to derive new IPSEC SAs on restart,
for example.  It's a management of security issue that could be worked
out in practice.

Also note that SKIP in non-PFS mode does allow one to pre-compute all
the expected DH keys and keep them somewhere safe (if there is such a
place) to use on restart.

Hilarie
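The restart scenario sketched in the message, as an added example that is not part of the original post: one DH-derived keying secret (stood in for here by a random value) is persisted, the process "dies", and fresh IPsec SA key material for new SPIs and nonces is derived from the reloaded secret with a keyed PRF and no further exponentiation. The HMAC-SHA256 expansion and the file layout are constructed for illustration and are not the standard's exact KDF; the 64-byte KEYMAT length and the ESP protocol number 50 are assumptions.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF used for all derivations (illustrative choice: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_keymat(skeyid_d: bytes, protocol: int, spi: bytes,
                  ni: bytes, nr: bytes, length: int) -> bytes:
    """Expand the cached keying secret into key material for one IPsec SA.
    Binding the SPI and both nonces gives every SA distinct keys while the
    expensive DH result (skeyid_d) is reused: this is the non-PFS trade-off."""
    out, block = b"", b""
    while len(out) < length:
        block = prf(skeyid_d, block + bytes([protocol]) + spi + ni + nr)
        out += block
    return out[:length]

def store_keying_sa(path: Path, skeyid_d: bytes) -> None:
    """Persist the keying SA with owner-only permissions. Whoever can read
    this file can derive every SA later built from it, so in a real system
    this is where sealed storage or a trusted third party belongs."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(skeyid_d)

def restart_roundtrip() -> dict:
    """Constructed scenario: one DH at setup, persist, restart, rekey.
    Returns the derived keys so the behaviour can be checked."""
    skeyid_d = os.urandom(32)              # stands in for the DH-derived secret
    esp = 50                               # IP protocol number of ESP (assumed)
    spi1, ni1, nr1 = b"\x00\x00\x10\x01", os.urandom(16), os.urandom(16)
    spi2, ni2, nr2 = b"\x00\x00\x10\x02", os.urandom(16), os.urandom(16)
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "keying_sa.bin"
        store_keying_sa(path, skeyid_d)
        sa1 = derive_keymat(skeyid_d, esp, spi1, ni1, nr1, 64)
        del skeyid_d                        # process dies; only the file remains
        reloaded = path.read_bytes()        # restart: reload, no new DH
        sa1_again = derive_keymat(reloaded, esp, spi1, ni1, nr1, 64)
        sa2 = derive_keymat(reloaded, esp, spi2, ni2, nr2, 64)
    return {"sa1": sa1, "sa1_again": sa1_again, "sa2": sa2}
```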