
Re: Suggestion for SOI wrt PFS



On Mon, 1 Apr 2002, Angelos D. Keromytis wrote:

>
> In message <15528.30002.854691.842292@thomasm-u1.cisco.com>, Michael Thomas writes:
> >
> >Oh please. Not everything is a site-site VPN. IKE
> >was specifically deemed useless by Packetcable for
> >cable telephony because restart avalanches of tens
> >or hundreds of *thousands* subscriber boxes would
> >lead to unacceptable down times. That's *one*
> >business need, and hardly a unique one. Any high
> >fan out use of IPsec is going to care a great deal
> >about how the high fan in box behaves, and the
> >number of SA's per second is an important number.
>
> (Oh please)^2!
>
> The majority of deployments (such as they are) of IPsec these days is on VPNs
> or similar topologies (and I'll include host-to-host IPsec in this as well).
> That's not to say that this is all IPsec is going to be used for (hopefully
> not!), but we should be designing for the currently-known (or widely
> agreed-upon future) common case.
>

That's hard to do when no one wants to discuss the requirements
draft...

jan


> If we're going to go to the realm of science fiction and decide that we want to
> use IPsec in a network with 10^6-to-1 ratio of clients/servers (as in cable
> modems vs. head office servers), you'll allow me to postulate a $300 modexp
> chip in the latter, capable of doing 4K ops/second (it'll be out in the market
> in a couple of months, as a matter of fact --- so not much of SciFi material
> there :-)
> -Angelos
>
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847