
Re: Re[6]: ISAKMP performance



  Pat,

  Although the lifetime of a SA might be a year, generally if the user logs 
off or the connection is dropped for whatever reason the SA is thrown away. 
Since joe@bigcorp doesn't know which NAS he dials into he wouldn't know 
which SA to use to talk to the NAS anyway (assuming he's also caching the 
SAs for the various NASs too). You're only going to keep active SAs, so 
if your box can support 1000 active connections that's 1000 SAs period.

  You're also just securing the NAS to LNS. joe@bigcorp's line to his NAS
is in the clear. There are certain gov't agencies (not necessarily US either:
imagine a Boeing executive in France these days) that I don't think have 
figured out how to use a sniffer but they have decades of experience tapping 
phone lines. If I was joe and my communications were sensitive enough to 
require encryption I'd want my whole thing encrypted. It seems pointless to 
leave in the clear the one point that would be easiest to attack. And since 
IPSec provides tunneling capabilities already why not just use them? 
(IMPORTANT NOTE: that's my opinion and not necessarily that of my employer). 

  Also, there seems to be a lot of concern about KM performance but if I
was joe@bigcorp in your example packets for my telnet as they traverse through 
the ether would look like this if I'm not mistaken:

           IP | IPSec | UDP | L2TP | PPP | IP | TCP | <blah>

which is a heckuva lot of overhead (IMPORTANT NOTE: that's my opinion and
not necessarily that of my employer). I'd be pretty concerned about
1000 of those things too. 
  If *I* was joe@bigcorp I wouldn't pay for BigDarnServiceProvider's secure 
tunneling service-- I'd just use IPSec in tunnel mode from my laptop or SOHO 
router or whatever. End-to-end security with less overhead.

  Dan.

>       Thanks for the input, but I believe that you may have missed the 
>    rest of the thread. Let me paint a picture of a real network where my 
>    product would typically sit.
>    
>       Imagine BigDarnServiceProvider which has 500 POPs around the U.S. 
>    Each POP has about 20 of my boxes (which has about 1000 incoming ports 
>    each). So that means about 20,000 ports per POP and so on.
>    
>       The service being offered (on top of straight Internet Access) is 
>    access to corporate networks using some well known Tunneling Protocol 
>    (in this case L2TP because it tunnels PPP traffic). This service 
>    provider has thousands of customers which have outsourced their dial 
>    service to this ISP. In addition, this service provider belongs to 
>    some Roaming consortiums which means that users travelling to the US 
>    from abroad can use this service provider instead of having to do an 
>    international long distance for corporate access.
>    
>       So in this case the number of possible Firewalls to traverse are 
>    really in the thousands!
>    
>       So let's assume that user Joe@BigCorp dials in on NAS(a), an SA is 
>    established with BigCorp's Firewall. The SA could expire in a year. 
>    Once the user logs out, he logs back in and now connects to NAS(b), 
>    which needs to redo the SA from scratch. (with a hunt group, you have 
>    no idea which NAS you will hit, and in some installations you have no 
>    idea which city you will get connected to!).
>    
>       Now user Bob@BiggerCorp dials in and hits NAS(a), again the SA 
>    needs to be established and so on... Since I have 1000 ports, that 
>    means a lot of SAs need to be cached. And even if the SA was to expire 
>    in a year, some of these embedded boxes with limited memory would have 
>    to trash the SA in order to preserve memory. So that means that the 
>    next day when Sally@BigCorp dials in and hits NAS(a), chances are an 
>    SA will have to be established again!
>    
>       Storing to non-volatile memory is very difficult. Hard drives are 
>    not available in most routers (well, not in the ones that most ISPs 
>    are willing to run :). And flash memory is very limited.
>    
>       Now, storing the SA off to some third party is a VERY interesting 
>    idea. Presumably NAS(a) could send SA information to this third party, 
>    which would obviously be trusted. Do we know of any such thing being 
>    run today? I would assume that the keys being passed to this third 
>    party would be encrypted using a key encryption key which only NAS(a) 
>    could decrypt. How do most folk feel about this design?
>    
>       I would appreciate any input,
>    
>       PatC
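The per-packet cost of the encapsulation stack Dan quotes (IP | IPSec | UDP | L2TP | PPP | IP | TCP | payload), set against IPsec tunnel mode from the user's own host, as an added example that is not part of the thread. The header sizes are assumptions about a late-1990s configuration (ESP with an 8-byte IV such as DES-CBC, a 12-byte HMAC-96 authenticator, L2TP data header with Length and Ns/Nr present, 2-byte PPP protocol field); none of them come from the messages above.

```python
# Added example, not from the thread: size on the wire of a single TCP
# packet under the two encapsulations discussed. All header sizes below are
# assumptions about a DES-CBC / HMAC-96 era IPsec configuration.

IP_HDR = 20          # IPv4 header, no options
TCP_HDR = 20         # TCP header, no options
UDP_HDR = 8
L2TP_HDR = 12        # 6-byte minimum header + Length (2) + Ns/Nr (4)
PPP_HDR = 2          # PPP protocol field; HDLC address/control stripped
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 8           # DES-CBC initialisation vector (assumption)
ESP_ICV = 12         # HMAC-96 authenticator (assumption)
CIPHER_BLOCK = 8     # DES block size; ESP pads the encrypted part to a multiple


def esp_encapsulate(plaintext_len: int) -> int:
    """Return the size of an ESP packet (outer IP header not included)."""
    # Pad Length (1) and Next Header (1) trail the data inside the encrypted
    # part, so they are counted before the block-alignment padding.
    body = plaintext_len + 2
    padding = (-body) % CIPHER_BLOCK
    return ESP_HDR + ESP_IV + body + padding + ESP_ICV


def l2tp_over_ipsec(payload_len: int) -> int:
    """IP | ESP | UDP | L2TP | PPP | IP | TCP | payload: the NAS-to-LNS stack."""
    inner = IP_HDR + TCP_HDR + payload_len            # the user's own packet
    tunnelled = UDP_HDR + L2TP_HDR + PPP_HDR + inner  # what the NAS sends to the LNS
    return IP_HDR + esp_encapsulate(tunnelled)        # transport-mode ESP on top


def ipsec_tunnel_mode(payload_len: int) -> int:
    """IP | ESP | IP | TCP | payload: IPsec tunnel mode from the user's host."""
    inner = IP_HDR + TCP_HDR + payload_len
    return IP_HDR + esp_encapsulate(inner)


def overhead_report(payload_len: int) -> dict:
    """Bytes on the wire for both encapsulations and the difference."""
    a, b = l2tp_over_ipsec(payload_len), ipsec_tunnel_mode(payload_len)
    return {"payload": payload_len, "l2tp_over_ipsec": a,
            "ipsec_tunnel": b, "saved_by_tunnel_mode": a - b}


if __name__ == "__main__":
    # A telnet session sends one keystroke per packet: the worst case for overhead.
    for n in (1, 64, 512):
        print(overhead_report(n))
```

With a one-byte telnet keystroke the L2TP stack puts 120 bytes on the wire where tunnel mode needs 96; the gap is fixed per packet, so it matters most for the small packets interactive sessions generate.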
