Re: Suggestion for SOI wrt PFS



On Mon, 1 Apr 2002, Angelos D. Keromytis wrote:

>
> In message <15528.30002.854691.842292@thomasm-u1.cisco.com>, Michael Thomas writes:
> >
> >Oh please. Not everything is a site-site VPN. IKE
> >was specifically deemed useless by Packetcable for
> >cable telephony because restart avalanches of tens
> >or hundreds of *thousands* subscriber boxes would
> >lead to unacceptable down times. That's *one*
> >business need, and hardly a unique one. Any high
> >fan out use of IPsec is going to care a great deal
> >about how the high fan in box behaves, and the
> >number of SA's per second is an important number.
>
> (Oh please)^2!
>
> The majority of deployments (such as they are) of IPsec these days
> is on VPNs or similar topologies (and I'll include host-to-host
> IPsec in this as well).  That's not to say that this is all IPsec is
> going to be used for (hopefully not!), but we should be designing
> for the currently-known (or widely agreed-upon future) common case.
>
> If we're going to go to the realm of science fiction and decide that
> we want to use IPsec in a network with 10^6-to-1 ratio of
> clients/servers (as in cable modems vs. head office servers), you'll
> allow me to postulate a $300 modexp chip in the latter, capable of
> doing 4K ops/second

Again: What if I can do 3 times the number of SA setups with the same
hardware (with $300 modexp chip or whatever) with a different
protocol that doesn't need as many RSA operations?

jan



> (it'll be out in the market in a couple of
> months, as a matter of fact --- so not much of SciFi material there
> :-)

> -Angelos
>
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847