Re: transport-friendly ESP
>>>>> "Alex" == Alex Alten <Alten@home.com> writes:
Alex> Frank, Thank you for your detailed analysis about why a block
Alex> cipher like DES will not work for a core router. It's a bit
Alex> like saying why a 2400 baud modem won't work either.
I didn't see the message you're replying to; my guess is that it
appeared on the tf-esp list (which I don't see).
Alex> Why can't we design, implement and verify a cipher that can
Alex> meet these constraints you point out in such detail? We are
Alex> engineers who don't hesitate to design complex new protocols,
Alex> yet when it comes to designing a new cipher we become extremely
Alex> timid.
I should hope so.
Creating protocols is a completely trivial exercise by comparison, yet
it's hard enough. The number of competent cryptographers in the world
is very small. Many engineers are smart enough to know they are not
competent cryptographers. (Unfortunately, some, either through
ignorance or otherwise, think that they are.)
I assume you know about the AES effort. Apart from that, there are
additional existing cyphers that may be faster and/or more secure than
DES.
Alex> We know the asymptotic speed limit of any cipher, either an XOR
Alex> or an indexed memory lookup operation. Generally speaking on
Alex> today's modern CPUs these are limited to how fast you can move
Alex> data from main memory through the L2 & L1 caches and back out
Alex> to main memory. On a Pentium one can get 1.5 cycle/Byte, on a
Alex> PPro 200 about 1 c/B, and on a PP II about .8 c/B. Any extra
Alex> computations should be simple, few in number and only on L1
Alex> cached data. I contend that it should be feasible to develop a
Alex> cipher that can come close to meeting your performance and
Alex> memory constraints.
I don't see that the CPU data moving timings have any relevance
whatsoever in a discussion about crypto on core routers. Core routers
don't do anything relating to forwarding in anything resembling a
general purpose CPU.
If you want to talk high speed crypto, you need to examine what the
state of the art allows for data rates in custom ASIC
implementations. Those numbers are actually quite high, close to what
core routers would need. For example, a 1 Gb/s DES implementation was
done back in 1992 (DEC SRC report #90). And that one wasn't even
pipelined so you should be able to do quite a lot better with today's
densities.
Alex> However having said all that, I do agree that it will be a long
Alex> time before the core routers would do any crypto.
That's probably true, but I'm not sure that performance is the
argument for it. Rather, since end to end is the most useful way of
doing crypto, you wouldn't do it at core routers because they are not
at any end.
paul