
    Re: saag whyenc draft (was RE: Security Gateways)



    > Are you prepared to argue that data requiring
    > confidentiality will never or almost never be sent via iSCSI or
    > FCIP?  That is the line of reasoning that this draft leads to.
    
    It's worth keeping in mind that Encrypting File Systems are now widely
    supported. So in practice, the data may already be encrypted, and it might
    be argued that in such a case, IPsec confidentiality is redundant. 
    
    > OTOH, this argument may have some merit, as I would definitely expect
    > to see things like this sort of brain-damaged software encryption module
    > if confidentiality becomes a "MUST implement".  
    
    Unfortunately, such a software encryption module would not be
    "brain-damaged." Such performance is typical of 3DES implemented in
    software on Pentium class processors in the 200 - 300 MHz range (and
    equivalent RISC processors). Software AES implementations will do
    almost an order of magnitude better, but that's still a far cry from 1+
    Gbps. At those speeds hardware acceleration will be required. 
    
    Ultimately, the credibility of mandating confidentiality depends on the
    demonstration that the service can actually be provided at the required
    line rates. I expect that we will be able to lay out the evidence by the
    Interim Meeting. 
    
    > this applies only to confidentiality -- a small amount of thought about
    > the consequences of impersonation and a script kiddie's TCP hijack attack
    > leads to the conclusion that authentication and cryptographic integrity
    > have to be "MUST implement" for iSCSI, FCIP, and iFCP.
    > 
    
    Yup. 
    
    > The paper indicated that PowerPC clock speeds of 600-800 MHz would be
    > required in order for UMAC to handle 1 Gbps line rate...
    
    I agree that it might be challenging to implement a software MAC on an
    iSCSI target running at 1+ Gbps line rate. But this is more credible
    for an iSCSI initiator running on a new PC with, say, a 1.7 GHz clock rate. 
    At 1 Gbps, UMAC-4/8 would consume 262.5 million cycles/second, or
    15% of CPU. 
    
    By the interim meeting, we hope to have some presentations on the
    performance achievable via hardware acceleration. I'd
    note that software MAC algorithms are not necessarily the fastest
    algorithms to implement in hardware. So the 2-3 cycles/byte of UMAC
    on PowerPC should not be considered the best that can be done, just an
    indication of how far we've come from HMAC-SHA1. 
    
    
    
    



Last updated: Tue Sep 04 01:04:06 2001
6315 messages in chronological order