
RE: Draft ipsec agendas




Oops, I made a mistake on our product performance.  It's 250Mb/s for single
vpn session and 600Mb/s for aggregated vpn session, as stated in our
marketing literature.

Michael Shieh

-----Original Message-----
From: Michael Choung Shieh [mailto:mshieh@netscreen.com]
Sent: Tuesday, March 19, 2002 5:52 PM
To: 'William Dixon'; Theodore Ts'o; ipsec@lists.tislabs.com
Cc: iscsi-security@external.cisco.com
Subject: RE: Draft ipsec agendas


William,

I cannot open the link of the draft.

For performance reasons, I would prefer tunnel mode since it requires fewer
operations, and we only support tunnel mode.

Our current products can support up to 350Mb/s for single TCP session and
1Gb/s for aggregate sessions.  I think many vendors can do more than 100Mb/s
these days.

Michael Shieh

-----Original Message-----
From: William Dixon [mailto:wdixon@windows.microsoft.com]
Sent: Tuesday, March 19, 2002 4:36 PM
To: Theodore Ts'o; ipsec@lists.tislabs.com
Cc: iscsi-security@external.cisco.com
Subject: RE: Draft ipsec agendas


Ted, are there 2 or 3 minutes to update the IPsec WG on one outcome of
the recent IP Storage using IPsec discussion?  I'm happy to squeeze in
where someone finishes early.  I mainly want to poll the audience of
implementers to see what IPsec GW implementations can accept and run an
IPSec tunnel SA for a single or aggregate of TCP connections at
100Mbits/sec & 1Gbit/sec 3DES/SHA1 for the following selector:

Possible Quick Mode proposal of an IP storage initiator to IPSec GW:

Src IP = initiator real IP
Dst IP = target real IP (the target is behind the gateway, not the GW IP
itself)
Protocol = TCP
Src Port = * or <dynamically allocated port>
Dst Port = wellknown (e.g. 3260 for iSCSI)

The polling of vendors is important to determine if the target community
can achieve their goal of bolting on a commercial IPsec security gateway
in front of a (single or group of) IP storage target(s), perhaps find
those that could be used for interop testing in 3 months.

I am still thinking transport mode is a more appropriate choice for
securing IP Storage TCP connections, but nevertheless, we should
determine if IPsec GW vendors can deal with a tunnel like this, and
what the tunnel mode alternative is if they can't.

Interested folks can see the latest draft, but I don't think this version
made the cutoff for submission, and it isn't current with yesterday's
discussion yet.
http://www.drizzle.com/~aboba/RDMA/draft-ietf-ips-security-11.txt

Thx,
Wm
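
Added example, not part of the original thread: a simplified initiator-side policy lookup for the Quick Mode selector proposed above, showing that the selector matches on the target's real IP while the tunnel's outer header is addressed to the gateway. The addresses are constructed (documentation ranges) and the names Selector, Packet and outbound are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # wildcard, written "*" in the proposal


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Selector:
    src_net: str
    dst_net: str
    proto: str
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, p: Packet) -> bool:
        """True when every selector field covers the packet's inner header."""
        return (ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net)
                and p.proto == self.proto
                and self.src_port in (ANY, p.src_port)
                and self.dst_port in (ANY, p.dst_port))


# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
INITIATOR, TARGET, GATEWAY = "192.0.2.10", "198.51.100.20", "203.0.113.1"

# The proposed selector: initiator real IP -> target real IP, TCP, * -> 3260.
ISCSI_SA = Selector(INITIATOR + "/32", TARGET + "/32", "tcp", ANY, 3260)


def outbound(p: Packet) -> Optional[Tuple[str, str]]:
    """Return the outer (src, dst) for tunnel mode, or None if the SA does not cover p."""
    if not ISCSI_SA.matches(p):
        return None
    # Tunnel mode: the inner header keeps the target's real IP;
    # the outer header is addressed to the security gateway in front of it.
    return (p.src_ip, GATEWAY)
```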