Re: Suggestion for SOI wrt PFS
In message <Pine.LNX.4.33.0203311458560.21949-100000@janpc-home.cisco.com>, Jan
Vilhuber writes:
>
>But you STILL need to redo the rsa sigs. Just caching the certificate
>validation buys you having to redo all that, but having to redo the
>rsa is costly anyway.
>
>And please don't say "but rsa operations are cheap" because they
>aren't..
RSA operations are cheap. They're not cheap enough to do 1000 tunnel setups
per second (without hardware support), but you can easily sustain a couple
of hundred, even on a moderate box. And I've seen no argument (let alone a
convincing one) why you'd need massive amounts of tunnels/sec (your IPsec
gateway likely won't be able to handle traffic for them anyway).
-Angelos