Re: Suggestion for SOI wrt PFS




In message <Pine.LNX.4.33.0203311507080.21949-100000@janpc-home.cisco.com>, Jan Vilhuber writes:
 >
 >In other words they are NOT cheap, but the cost is bearable, when you
 >have to do only a small/limited number of them.
 >
 >"RSA operations are cheap, except when they are not". Bogus.

Cost is always measured in comparison to the task at hand (and the derived
benefit).

 >Not everything has hardware support and not every device has a P6 1GHz...

I never said that everything has hardware support (so why do you keep
repeating it?); and the numbers I posted a few weeks ago were from a
more moderate box than a P6 1GHz...

My home IPsec gateway is a 450MHz Pentium (a low-power SBC), but has no
problem establishing a few tunnels every 20 minutes --- despite in fact
doing full certificate verification and RSA signature (oh, and PFS). I'm
giving you some facts -- something I haven't seen from you yet.

 >> of hundred, even on a moderate box. And I've seen no argument (let alone a
 >> convincing one) why you'd need massive amounts of tunnels/sec (your IPsec
 >> gateway likely won't be able to handle traffic for them anyway).
 >
 >Certainly not if we have to constantly do rsa operations for every
 >transaction, that's true.

So you're saying that you *do* have a business need for a box that can
support a sustained SA setup rate of 1000 tunnels/second? Could you
expand on it?
-Angelos