Re: Re[4]: ISAKMP performance
Supporting a total of, say, 6 a second is really too low.
One could get up to 20-50 per second commonly, perhaps, with elliptic
curve groups for both the DH and signature, but there is definitely a
penalty associated with the blessing of public key technology.

However, there are ways to engineer this, aren't there? One could
cache the keying security association on something non-volatile (even
a trusted third party) and use it to derive new IPSEC SAs on restart,
for example. It's a management of security issue that could be worked
out in practice.

Also note that SKIP in non-PFS mode does allow one to pre-compute all
the expected DH keys and keep them somewhere safe (if there is such a
place) to use on restart.
Hilarie