Re: ISAKMP performance numbers
What we can officially state (which is what I stated last month) is
that a Diffie-Hellman exchange with a reasonable modulus which is
authenticated with, say, RSA signatures (that's sign, verify CA sig on
cert, verify peer's sig-- or one sign, 2 verifies) with reasonably
secure exponents IS NOT FREE! This has _nothing_ to do with ISAKMP.
In the past you stated that your SAs would live for a year. Also that
you weren't concerned about confidentiality, only "securing" the NAS to
LNS link (I presume this means authentication). So, my question to you
is: why do you want an ephemeral key? Why do you want to do ISAKMP?
Why not just statically configure your NAS-to-LNS SAs and be done with it?
Dan.
> So that said, can we now officially state that there *is* a scaling
> issue? Please keep in mind that some boxes *will* have to handle
> around 50 SAs per second.
>
> PatC