
    Re: is 1 Gbps a MUST?



    >>>>> "Vince" == A-Roseville,ex1  <CAVANNA> writes:
    
     Vince> Thanks for the clarification. Something still bothers me
     Vince> however.  If IPSec is a bottleneck (because the policy lookup
     Vince> is done in software) then the receiver may be forced to drop
     Vince> packets quite frequently. Such behavior could have a dramatic
     Vince> effect on performance as explained in a memo that Jonathan
     Vince> Stone posted on 2/5/02 (attached) and in my interpretation
     Vince> which I did not post on 2/6/02 (attached). Comments?
    
    Your assumption "policy lookup is done in software" is not necessarily
    valid -- just like the popular assertion "TCP is slow because it is
    done in software" is not necessarily valid.
    
    Apart from that, the fact that it's done in software doesn't
    necessarily make it slow.  It is certainly doable with a decent
    network processor to do SPD lookup at 1Gb/s line speeds in software.
    
    Note also that SPD lookup for encrypted traffic is often quite easy.
    You already have the inbound SA (and that lookup is trivial if you
    assign SAIDs sensibly).  You can bind to that the list of SPD entries
    -- often just one -- describing the traffic that is allowed to travel
    on that SA, so you have no search, only a compare of the SPD entry
    with the address/port/protocol fields of the packet.
    
    Going back to the original question, I read the statement in the
    security spec as a protocol requirement, not an implementation
    requirement -- so it constrains the choice of security protocol.
    IPsec ESP can be implemented to run at the specified speeds in the
    timeframes called for (the whole thing -- not just the crypto
    primitives) so it satisfies that requirement on the protocol.  (It's
    not trivial to achieve this -- nor is it inexpensive -- but it *can*
    be done if you really want to.)  But there is no requirement on
    implementations to run at that speed, of course.
    
    It would be good for the security spec wording to be clarified so
    that it makes it explicit that this is a protocol selection
    requirement, not an implementation requirement.
    
       paul
    
    
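The SA-bound SPD check described above (look up the inbound SA by SPI, then compare the packet against the one selector bound to that SA instead of searching the SPD), as an added example that is not from the original post or any real IPsec implementation; the direct-indexed SA table, the struct and function names, and the sample addresses and port are assumptions.

```c
#include <stdint.h>

/* Constructed example: names and table layout are hypothetical. */
#define SAD_SIZE 16      /* low bits of the SPI index the table directly */

struct selector {        /* the single SPD entry bound to an inbound SA */
    uint32_t src, src_mask;
    uint32_t dst, dst_mask;
    uint8_t  proto;      /* 0 = any protocol */
    uint16_t dport;      /* 0 = any destination port */
};

struct sa {
    uint32_t spi;        /* 0 marks an unused slot */
    struct selector sel;
};

struct pkt { uint32_t src, dst; uint8_t proto; uint16_t dport; };

/* SAIDs are assigned so that spi % SAD_SIZE is the slot: O(1) lookup,
 * no search.  A collision means the SPI was not "assigned sensibly". */
static struct sa sad[SAD_SIZE];

int sad_install(uint32_t spi, struct selector sel) {
    struct sa *e = &sad[spi % SAD_SIZE];
    if (e->spi != 0 && e->spi != spi) return -1;   /* slot already taken */
    e->spi = spi;
    e->sel = sel;
    return 0;
}

/* Inbound policy check after decapsulation.
 * Returns 1 = pass, 0 = drop (selector mismatch), -1 = no SA for SPI. */
int inbound_check(uint32_t spi, const struct pkt *p) {
    const struct sa *e = &sad[spi % SAD_SIZE];
    if (e->spi != spi) return -1;                  /* unknown SA: drop */
    const struct selector *s = &e->sel;
    /* Only a compare against the bound entry, never an SPD walk. */
    if ((p->src & s->src_mask) != (s->src & s->src_mask)) return 0;
    if ((p->dst & s->dst_mask) != (s->dst & s->dst_mask)) return 0;
    if (s->proto && s->proto != p->proto) return 0;
    if (s->dport && s->dport != p->dport) return 0;
    return 1;
}
```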

Last updated: Fri Feb 22 14:18:19 2002