Re: Suggestion for SOI wrt PFS
On Sun, 31 Mar 2002, Angelos D. Keromytis wrote:
>
> In message <Pine.LNX.4.33.0203311458560.21949-100000@janpc-home.cisco.com>, Jan
> Vilhuber writes:
> >
> >But you STILL need to redo the rsa sigs. Just caching the certificate
> >validation buys you having to redo all that, but having to redo the
> >rsa is costly anyway.
> >
> >And please don't say "but rsa operations are cheap" because they
> >aren't..
>
> RSA operations are cheap. They're not cheap enough to do 1000 tunnel setups
> per second
In other words they are NOT cheap, but the cost is bearable, when you
have to do only a small/limited number of them.
"RSA operations are cheap, except when they are not". Bogus.
Not everything has hardware support and not every device has a P6 1GHz...
> (without hardware support), but you can easily sustain a couple
> of hundred, even on a moderate box. And I've seen no argument (let alone a
> convincing one) why you'd need massive amounts of tunnels/sec (your IPsec
> gateway likely won't be able to handle traffic for them anyway).
Certainly not if we have to constantly do rsa operations for every
transaction, that's true.
jan
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847