Re: is 1 Gbps a MUST?

>>>>> "Vince" == A-Roseville,ex1 <CAVANNA> writes:

Vince> Thanks for the clarification. Something still bothers me
Vince> however. If IPSec is a bottleneck (because the policy lookup
Vince> is done in software) then the receiver may be forced to drop
Vince> packets quite frequently. Such behavior could have a dramatic
Vince> effect on performance as explained in a memo that Jonathan
Vince> Stone posted on 2/5/02 (attached) and in my interpretation
Vince> which I did not post on 2/6/02 (attached). Comments?

Your assumption "policy lookup is done in software" is not necessarily valid -- just like the popular assertion "TCP is slow because it is done in software" is not necessarily valid. Apart from that, the fact that it's done in software doesn't necessarily make it slow. It is certainly doable with a decent network processor to do SPD lookup at 1Gb/s line speeds in software.

Note also that SPD lookup for encrypted traffic is often quite easy. You already have the inbound SA (and that lookup is trivial if you assign SAIDs sensibly). You can bind to that the list of SPD entries -- often just one -- describing the traffic that is allowed to travel on that SA, so you have no search, only a compare of the SPD entry with the address/port/protocol fields of the packet.

Going back to the original question, I read the statement in the security spec as a protocol requirement, not an implementation requirement -- so it constrains the choice of security protocol. IPsec ESP can be implemented to run at the specified speeds in the timeframes called for (the whole thing -- not just the crypto primitives) so it satisfies that requirement on the protocol. (It's not trivial to achieve this -- nor is it inexpensive -- but it *can* be done if you really want to.) But there is no requirement on implementations to run at that speed, of course.

It would be good for the security spec wording to be clarified so it makes it explicit that this is a protocol selection requirement, not an implementation requirement.

paul
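The inbound check Paul describes (find the SA first, then compare the packet against only the SPD entries bound to that SA, with no search of the global SPD) as an added worked example; this is not code from the thread or from any IPsec implementation. It assumes the RFC 2401 model in which an inbound SA is identified by the triple (SPI, destination address, security protocol), and the sample SA, selectors and packets (an iSCSI tunnel on TCP/3260 from 192.168.1.0/24 to 10.0.0.1) are constructed for illustration.

```python
"""Inbound ESP policy check with SPD entries bound to the SA (no SPD search).

Added example, not code from the mailing-list thread or any IPsec stack.
Assumed model: an inbound SA is identified by (SPI, destination address,
protocol) as in RFC 2401, and each SA carries the short list of SPD
selectors describing the traffic allowed to arrive on it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Selector:
    """One SPD entry bound to an SA: a 5-tuple pattern. None means 'any'."""
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # A single compare of the SPD entry against the decrypted packet's
        # address/port/protocol fields.
        return (
            ip_address(pkt["src"]) in self.src
            and ip_address(pkt["dst"]) in self.dst
            and (self.proto is None or self.proto == pkt["proto"])
            and (self.src_port is None or self.src_port == pkt.get("sport"))
            and (self.dst_port is None or self.dst_port == pkt.get("dport"))
        )


@dataclass(frozen=True)
class InboundSA:
    spi: int
    dst: str
    protocol: str                       # "ESP" or "AH"
    selectors: Tuple[Selector, ...]     # bound SPD entries, usually just one


class InboundSAD:
    """Security Association Database keyed by SAID = (SPI, dst, protocol)."""

    def __init__(self) -> None:
        self._by_said = {}

    def add(self, sa: InboundSA) -> None:
        self._by_said[(sa.spi, sa.dst, sa.protocol)] = sa

    def lookup(self, spi: int, dst: str, protocol: str) -> Optional[InboundSA]:
        # Hash lookup: constant time if SAIDs are assigned sensibly.
        return self._by_said.get((spi, dst, protocol))


def check_inbound(sad: InboundSAD, esp: dict, inner: dict) -> Tuple[str, int]:
    """Return (verdict, number_of_selector_compares).

    Step 1: O(1) SA lookup from the ESP header fields.
    Step 2: compare the decrypted packet against the SPD entries bound to
    that SA only; there is no walk of the global SPD.  A packet arriving on
    an SA it is not permitted on is dropped, which is the check that keeps
    one peer's SA from carrying traffic the policy never granted it.
    """
    sa = sad.lookup(esp["spi"], esp["dst"], "ESP")
    if sa is None:
        return ("DROP: no SA for SPI", 0)
    compares = 0
    for sel in sa.selectors:
        compares += 1
        if sel.matches(inner):
            return ("ACCEPT", compares)
    return ("DROP: traffic not permitted on this SA", compares)


def build_sample_sad() -> InboundSAD:
    """Constructed sample: one SA carrying iSCSI (TCP/3260) from 192.168.1.0/24."""
    sad = InboundSAD()
    sad.add(InboundSA(
        spi=0x1000, dst="10.0.0.1", protocol="ESP",
        selectors=(Selector(ip_network("192.168.1.0/24"), ip_network("10.0.0.1/32"),
                            proto=6, dst_port=3260),),
    ))
    return sad


if __name__ == "__main__":
    sad = build_sample_sad()
    esp = {"spi": 0x1000, "dst": "10.0.0.1"}
    good = {"src": "192.168.1.7", "dst": "10.0.0.1", "proto": 6, "sport": 40000, "dport": 3260}
    bad = dict(good, src="172.16.0.9")
    print(check_inbound(sad, esp, good))   # ('ACCEPT', 1)
    print(check_inbound(sad, esp, bad))    # ('DROP: traffic not permitted on this SA', 1)
```

The second element of the returned tuple makes the cost visible: the number of selector compares is bounded by the handful of SPD entries bound to the SA, independent of how large the system-wide SPD grows, which is the point Paul makes about the lookup not being the bottleneck.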
Last updated: Fri Feb 22 14:18:19 2002