Re: Suggestion for SOI wrt PFS
In message <Pine.LNX.4.33.0203311507080.21949-100000@janpc-home.cisco.com>, Jan Vilhuber writes:
>
>In other words they are NOT cheap, but the cost is bearable, when you
>have to do only a small/limited number of them.
>
>"RSA operations are cheap, except when they are not". Bogus.

Cost is always measured in comparison to the task at hand (and the derived
benefit).

>Not everything has hardware support and not every device has a P6 1GHz...

I never said that everything has hardware support (so why do you keep
repeating it ?); and the numbers I posted a few weeks ago were from a
more moderate box than a P6 1GHz...
My home IPsec gateway is a 450MHz Pentium (a low-power SBC), but has no
problem establishing a few tunnels every 20 minutes --- despite in fact
doing full certificate verification and RSA signature (oh, and PFS). I'm
giving you some facts -- something I haven't seen from you yet.

>> of hundred, even on a moderate box. And I've seen no argument (let alone a
>> convincing one) why you'd need massive amounts of tunnels/sec (your IPsec
>> gateway likely won't be able to handle traffic for them anyway).
>
>Certainly not if we have to constantly do rsa operations for every
>transaction, that's true.

So you're saying that you *do* have a business need for a box that can
support a sustained SA setup rate of 1000 tunnels/second ? Could you
expand on it ?

-Angelos