RE: is 1 Gbps a MUST?
>>>>> "vince" == vince cavanna <vince_cavanna@agilent.com> writes:
vince> Unfortunately some believe that they can be iSCSI compliant by
vince> having a slow implementation of IPSec and claiming that most
vince> traffic will not require security processing. I am not one of
vince> those persons. I think that at least the policy check must
vince> occur at link speed regardless of what proportion of traffic
vince> requires security processing.
I can't think of any RFC that contains a performance mandate. For
example, the TCP standard does not mandate doing TCP at wire rate or
any other rate. The iSCSI spec does not mandate doing iSCSI at any
particular rate. Why, then, should the security spec mandate doing
something at some particular rate?
vince> Jonathan pointed out the need for bandwidth*RoundTripDelay
vince> worth of buffering per TCP connection to avoid a cliff-effect
vince> drop in performance; and I extrapolated the need to have no
vince> bottlenecks (such as IPSec) anywhere in the path to those
vince> buffers. From my perspective IPSec, or at least the part of
vince> IPSec that discriminates between secured and unsecured
vince> traffic, had better not be a bottleneck or IPSec will not be
vince> turned on at all.
More generally, the throughput you get is that of the lowest
throughput component, and the buffering you ideally want is that times
the round-trip delay including any internal delays caused by high
latency processing steps. That will drive your design decisions given
a particular performance requirement.
So in your example, if the requirement is X Mb/s total and Y Mb/s of
that protected by IPsec, the sorting of protocol 50 from protocol 6,
and the checking of protocol 6 traffic against the SPD to verify that
it's allowed to travel in the clear, have to run at rate X (not Y)
since they are a common bottleneck. What X is depends on what you're
building. If you need X to be gigabit wire rate, you have some work
to do, but nothing fundamental in IP or IPsec stands in the way.
paul
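
Added example, not part of the original message: a Python sketch of the inbound sorting step the reply describes, showing that the protocol 50 / protocol 6 split and the SPD check see every packet (rate X) while only the ESP share (rate Y) reaches crypto. The SPD entries, addresses, port 3260 and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

ESP, TCP = 50, 6  # IP protocol numbers named in the message

# Constructed SPD: ordered selectors, first match wins, no match means discard.
# (remote network, protocol, destination port or None for any, action)
SPD = [
    (ipaddress.ip_network("192.0.2.0/24"), TCP, 3260, "PROTECT"),
    (ipaddress.ip_network("198.51.100.0/24"), TCP, 3260, "BYPASS"),
]

# Constructed inbound packets: (source address, IP protocol, destination port)
SAMPLE = [
    ("192.0.2.10", ESP, None),
    ("192.0.2.10", ESP, None),
    ("192.0.2.10", TCP, 3260),    # cleartext from a peer that must use IPsec
    ("198.51.100.7", TCP, 3260),  # cleartext explicitly allowed by policy
    ("203.0.113.5", TCP, 3260),   # no policy entry at all
]

def spd_lookup(src, proto, dport):
    addr = ipaddress.ip_address(src)
    for net, p, port, action in SPD:
        if addr in net and p == proto and (port is None or port == dport):
            return action
    return "DISCARD"

def classify(pkt):
    """Stage that every inbound packet passes through."""
    src, proto, dport = pkt
    if proto == ESP:
        return "ipsec"  # handed on to ESP processing
    # Cleartext is accepted only if policy says it may travel in the clear.
    return "clear" if spd_lookup(src, proto, dport) == "BYPASS" else "drop"

def stage_load(packets):
    load = Counter()
    for pkt in packets:
        load["classifier"] += 1   # common stage: runs at rate X
        load[classify(pkt)] += 1  # only the "ipsec" share (rate Y) needs crypto
    return load

def buffer_bytes(stage_rates_bps, rtt_ms):
    """Throughput is the slowest stage; buffering is that times round-trip delay."""
    return min(stage_rates_bps) * rtt_ms // 8000
```
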
Last updated: Fri Feb 22 17:18:01 2002