
IPsec, IKE, and Key Management Scaling?



How well do IPsec and the related key management technology scale
into the mass market?  At Telcordia we're trying to gather some
technical data in that area, and would be delighted to hear from/share
with anyone who has experience-based measurements and implementation
projections along the following lines:

   What is the memory footprint for each 10,000 simultaneous sessions in a
   server running IPsec to protect VoIP services?  Assume some sort of X.509v3
   certificates are used throughout.

   If those N*10,000 sessions are lost and simultaneously recovered,
   say in a regional power outage and restoration, what is the elapsed
   time (or number of server CPU cycles) taken after power restoration
   and until full N*10,000 session restoration has been achieved?
   Assume that the centralized server stays up, but the distributed
   endpoints all need restarting and all ask for session
   re-initialization simultaneously.  A big voice end office can
   handle about 50,000 telephone lines, so N=5 would be a wonderful
   datapoint for comparison.

   How much of the memory and CPU burden above is due to IPsec proper,
   and how much to the key management and policy management processing
   on the centralized server?  Are there obvious optimizations that
   are available to the industry but not quite yet incorporated into
   current IPsec products and stacks?

   Some VPN and encrypted networking systems suffer a form of
   deadly-embrace in wide area recovery - protection timers time out
   while awaiting successful recovery of the protected sessions,
   maintenance code then interprets this as a localized failure, and
   the session creation is abandoned and the whole process is
   endlessly restarted.  Are there potential problems like this with
   large scale IPsec systems, or more likely with the applications
   code expecting to run with IPsec systems?  How should
   deadlock/livelock protection timeouts be set as a function of IPsec
   deployment scale and options?

   What data exist on life-cycle labor costs for IPsec and key
   management infrastructure?  As a rule of thumb, how many full time
   equivalent staff are needed to administer key management (including
   CRL processing) and policy/configuration management per 10,000
   secured hosts?  At the client side, how much capital and
   minutes-per-year of user time is required to prevent the
   client-side private key from being used inappropriately, say by
   anyone/anything other than the intended secured user?

Any discussion of these points is welcome, public or private.  Please
note that none of the material above really depends on the actual
encryption/authentication performance - it is all based on the
processing needed to create and maintain session state.  If someone
has a reply of the kind "It depends on what you assume as ...", please
make your own assumption based on best commercial practice and feel
free to reply to the modified question.  If I've missed some seminal
analysis in the literature that covers this material already, my
apologies to all.  A lot of discussion seems to assume particular
answers to the questions above, but I've never seen an authoritative
reference.

I'll be delighted to summarize all responses and make them available
on request.

Gary A. Hayward
Telcordia Technologies
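
The recovery "deadly embrace" raised in the message above can be reproduced in a toy queueing model. This is an added example, not part of the original post: the FIFO server, the 500 session setups per second, the 30-second protection timer and the absence of request cancellation are assumptions chosen for illustration, not measurements of any IPsec or IKE implementation.

```python
import heapq
from collections import deque

def simulate(n_clients, rate, timeout, backoff=1.0, horizon=600):
    """Toy recovery model: FIFO server doing `rate` setups/s, clients that
    abandon and restart after `timeout` s (times backoff**attempt).
    Returns (completed, wasted_setups, finished_at or None)."""
    attempt = [0] * n_clients
    done = [False] * n_clients
    queue = deque((c, 0) for c in range(n_clients))       # (client, attempt)
    timers = [(timeout, c, 0) for c in range(n_clients)]  # sorted, so a valid heap
    completed = wasted = 0
    for t in range(horizon):
        # Expired protection timers: the client gives up and asks again.
        # The abandoned request stays queued; the server cannot tell it is stale.
        while timers and timers[0][0] <= t:
            _, c, a = heapq.heappop(timers)
            if done[c]:
                continue
            attempt[c] = a + 1
            queue.append((c, a + 1))
            heapq.heappush(timers, (t + timeout * backoff ** (a + 1), c, a + 1))
        # One second of server work.
        for _ in range(min(rate, len(queue))):
            c, a = queue.popleft()
            if attempt[c] == a and not done[c]:
                done[c] = True
                completed += 1
            else:
                wasted += 1   # setup finished for a client that already gave up
        if completed == n_clients:
            return completed, wasted, t + 1
    return completed, wasted, None

if __name__ == "__main__":
    N, RATE = 50_000, 500   # N from the post; RATE is an assumed figure
    for label, kw in [("fixed 30 s timer", dict(timeout=30)),
                      ("timer = N/RATE = 100 s", dict(timeout=100)),
                      ("30 s timer, doubling", dict(timeout=30, backoff=2.0))]:
        print(label, simulate(N, RATE, **kw))
```

In this model the fixed 30-second timer strands 35,000 of the 50,000 endpoints indefinitely, while a timer of at least N/RATE seconds, or one that doubles on each attempt, lets recovery finish.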