
Re: Suggestion for SOI wrt PFS



On Sun, 31 Mar 2002, Angelos D. Keromytis wrote:

>
> In message <Pine.LNX.4.33.0203311507080.21949-100000@janpc-home.cisco.com>, Jan Vilhuber writes:
> >
> >In other words they are NOT cheap, but the cost is bearable, when you
> >have to do only a small/limited number of them.
> >
> >"RSA operations are cheap, except when they are not". Bogus.
>
> Cost is always measured in comparison to the task at hand (and the derived
> benefit).
>
> >Not everything has hardware support and not every device has a P6 1GHz...
>
> I never said that everything has hardware support (so why do you keep
> repeating it ?); and the numbers I posted a few weeks ago were from a
> more moderate box than a P6 1GHz...
>
> My home IPsec gateway is a 450MHz Pentium (a low-power SBC), but has no
> problem establishing a few tunnels every 20 minutes --- despite in fact
> doing full certificate verification and RSA signature (oh, and PFS). I'm
> giving you some facts -- something I haven't seen from you yet.
>

Right. Ad hominem..

The home box you or I have is not the issue. It's the concentrator
that terminates all the hundreds of thousands of connections that's the
issue. One every 20 minutes for your home box is fine. One every 20
minutes multiplied by several hundred thousand is the issue.


> >> of hundred, even on a moderate box. And I've seen no argument (let alone a
> >> convincing one) why you'd need massive amounts of tunnels/sec (your IPsec
> >> gateway likely won't be able to handle traffic for them anyway).
> >
> >Certainly not if we have to constantly do rsa operations for every
> >transaction, that's true.
>
> So you're saying that you *do* have a business need for a box that can
> support a sustained SA setup rate of 1000 tunnels/second ? Could you
> expand on it ?

Cisco builds gateways. I'm after the most efficient protocol I can
get.

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847