
    RE: Security Use Requirements



    >  In any event, the need for security is at least 3DES.
    
    First you said that you didn't need anything. Now you seem
    to imply that you need confidentiality, integrity, and
    authentication and that even 3DES may not be enough. 
    
    There are gradations between these two extremes. As Ran
    said, even DES will get you something. And there are
    circumstances where you might be willing to live with
    integrity and authentication alone. 
    
    >Also the cost of a Gigabit chip for 3DES, I just found out, 
    >is $300 for Samples.
      
    Well, the cost of a Gigabit NIC is pretty high today in
    quantity one, but I don't expect that to be the case in 
    18-24 months. You need to factor in time and volume into 
    your calculation. 
    
    >Now, I am beginning to think that it is reasonable for one 
    >of the following approaches to be OK. That is, one of those 
    >approaches should meet the requirement for "Must Implement".
    >1. Only implementing an interface to the external IPSec/TLS box
    >2. SW implementation of IPSec/TLS
    >3. HW IPSec/TLS
    
    Problem with approach 1 is that the total cost will be *much*
    higher than it would be if you build capability on the NIC. 
    
    Problem with SW implementation of TLS is that you won't be 
    able to go much above 200 Mbps, if that, even with a 1 GHz
    processor. IPSEC 3DES in SW is much worse. Trust me, a
    task-oriented crypto co-processor is the way to go in this
    application. 
    
    In my opinion, HW IPSEC is the best choice. I expect costs
    for 1 Gbps chips to approximate current costs for 100 Mbps
    in the next 18-24 months. 
    
    HW TLS is a lot harder because you typically have to terminate
    TCP sessions on the card. That means lots of memory, which is
    what we've been trying to avoid with RDMA. So cost will be
    a good deal higher and the approach won't readily be extensible
    to 10 Gbps. Don't go there. 
    



Last updated: Tue Sep 04 01:05:33 2001