
Re: ISAKMP performance numbers



  What we can officially state (which is what I stated last month) is
that a Diffie-Hellman exchange with a reasonable modulus which is 
authenticated with, say, RSA signatures (that's sign, verify CA sig on
cert, verify peer's sig-- or one sign, 2 verifies) with reasonably
secure exponents IS NOT FREE! This has _nothing_ to do with ISAKMP.

  In the past you stated that your SAs would live for a year. Also that
you weren't concerned about confidentiality, only "securing" the NAS to
LNS link (I presume this means authentication). So, my question to you
is: why do you want an ephemeral key? Why do you want to do ISAKMP?
Why not just statically configure your NAS-to-LNS SAs and be done with it? 

  Dan.

>      So that said, can we now officially state that there *is* a scaling 
>      issue? Please keep in mind that some boxes *will* have to handle 
>      around 50 SAs per second.
>      
>      PatC


