Re: hardware vs software (was Re: draft-ietf-ipsec-ciph-aes-ctr-00.txt)



The 50% crossover from 10 to 100 has already occurred for new Fast
Ethernet NICs. Giga-Ethernet is now about 5-10%, with the 50% crossover in new
NICs around 2005 or 2006.  The installed PC base usually takes about 7-8 years to
completely change over (about a 12% scrap rate).  Network upgrades are
every 7-8 years, a relic of the telecom upgrade cycle.  If crypto is in sw then
the whole installed base is a factor; hw crypto can only be delivered in new NICs.
I doubt one can get old 10 Mbps LANs to upgrade with new crypto NICs; they
will only spend $5/NIC max.

The rough rule of thumb I use with software crypto in the network stack is
that it must run well on 5-year-old hardware (to cover 80% of the installed
base).  This means 200 MHz PCs.  In this case, AES is maybe 1/4 or 1/3 of
the CPU at 10 Mbps data transfer rates.  Just barely acceptable.
Extrapolating, this means that 2 GHz PCs are where AES finally is OK
in software for Fast Ethernet, but it will be 5 yrs before 2/3rds of the
installed PC base is this fast.  Forget GigaEthernet for 10 years.

Now one can see why the "active" installed base of DES/3DES IPsec has
probably not exceeded 100,000 PCs, 1/1000 of all Internet hosts.  Despite
AES's 5x speedup over DES, I think it is not quite fast enough either.  Once
you are forced to use hardware, then the uptake drops to much less than 1%.

I think IPsec is really stuck in a deep hole, unless a cipher (or a mode?) 
can be found that runs 10x faster than AES in software.  Then we can 
in a practical manner cover the majority of the PC installed base now.

- Alex


At 02:18 AM 8/25/2002 -0400, Henry Spencer wrote:
>On Sat, 24 Aug 2002, Alex Alten wrote:
>> What year it is also determines the expected data rate that most PCs use.
>> This year it is still 100 Mbps.
>
>No, this year it is still 10 Mbps.  100 Mbps is coming on strong, but I
>doubt that it even has a majority of the jacks, let alone "most".  (A lot
>of 10/100 interfaces currently run at 10, because that's what the local
>network infrastructure supports.)  Don't confuse what's selling best with
>what's used most; there *is* a time lag there, even though it's shorter in
>computing than elsewhere.
>
>The 10->100 transition is well underway but by no means complete, partly
>because a lot of users don't *need* 100 that much.  It's only quite
>recently that the costs of 100 have come down to the point that ordinary
>users are buying 10/100 hubs and such by default, instead of by specific
>need only. 
>
>                                                          Henry Spencer
>                                                       henry@spsystems.net
>
>
--

Alex Alten
Alten@ATTBI.com
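A rough way to check the extrapolation in the message above (an added example, not code from Alex or anyone on the list): it backs out the cycles/byte implied by the "1/4 of a 200 MHz CPU at 10 Mbps" data point, scales that linear model to the other link rates, and measures AES-128-CTR throughput on the current machine with Go's standard library. The 40 cycles/byte figure is an assumption derived from Alex's numbers, not a measurement, and the dummy key and zero IV are constructed for the throughput probe only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"time"
)

// CyclesPerByte infers the per-byte cost implied by an observed CPU share.
func CyclesPerByte(cpuFraction, linkBps, clockHz float64) float64 {
	return cpuFraction * clockHz / (linkBps / 8)
}

// CPUFraction is the share of one CPU needed to keep pace with linkBps.
func CPUFraction(cyclesPerByte, linkBps, clockHz float64) float64 {
	return (linkBps / 8) * cyclesPerByte / clockHz
}

// ClockNeeded is the clock at which the cipher fits in budget (a CPU fraction).
func ClockNeeded(cyclesPerByte, linkBps, budget float64) float64 {
	return (linkBps / 8) * cyclesPerByte / budget
}

// MeasureAESCTR encrypts n bytes with AES-128-CTR here and returns bytes/second.
func MeasureAESCTR(n int) float64 {
	block, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed dummy key
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize) // zero IV: throughput probe only, not a real session
	buf := make([]byte, n)
	start := time.Now()
	cipher.NewCTR(block, iv).XORKeyStream(buf, buf)
	return float64(n) / time.Since(start).Seconds()
}

func main() {
	// Alex's data point: about 1/4 of a 200 MHz CPU at 10 Mbps.
	cpb := CyclesPerByte(0.25, 10e6, 200e6)
	fmt.Printf("implied cost: %.0f cycles/byte\n", cpb)
	for _, link := range []float64{10e6, 100e6, 1000e6} {
		fmt.Printf("%5.0f Mbps: %.2f of 200 MHz, %.2f of 2 GHz, 1/4 budget needs %.1f GHz\n",
			link/1e6, CPUFraction(cpb, link, 200e6), CPUFraction(cpb, link, 2e9), ClockNeeded(cpb, link, 0.25)/1e9)
	}
	bps := MeasureAESCTR(64 << 20) // 64 MiB, enough to dwarf timer resolution
	fmt.Printf("this machine: %.0f MB/s AES-CTR, %.3f of a core at 1000 Mbps\n", bps/1e6, 1000e6/8/bps)
}
```

The model covers only the cipher; the stack overhead Alex folds into his 1/4 figure is why the implied cost comes out well above a bare AES implementation's cycles/byte.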