
Re: Suggestion for SOI wrt PFS




In message <15528.30002.854691.842292@thomasm-u1.cisco.com>, Michael Thomas writes:
>
>Oh please. Not everything is a site-site VPN. IKE
>was specifically deemed useless by Packetcable for
>cable telephony because restart avalanches of tens
>or hundreds of *thousands* of subscriber boxes would
>lead to unacceptable down times. That's *one*
>business need, and hardly a unique one. Any high
>fan out use of IPsec is going to care a great deal
>about how the high fan in box behaves, and the
>number of SA's per second is an important number.

(Oh please)^2!

The majority of deployments (such as they are) of IPsec these days is on VPNs
or similar topologies (and I'll include host-to-host IPsec in this as well).
That's not to say that this is all IPsec is going to be used for (hopefully
not!), but we should be designing for the currently-known (or widely
agreed-upon future) common case.

If we're going to go to the realm of science fiction and decide that we want to
use IPsec in a network with a 10^6-to-1 ratio of clients/servers (as in cable
modems vs. head office servers), you'll allow me to postulate a $300 modexp
chip in the latter, capable of doing 4K ops/second (it'll be out in the market
in a couple of months, as a matter of fact --- so not much of SciFi material
there :-)
-Angelos