SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: is 1 Gbps a MUST?



    >>>>> "vince" == vince cavanna <vince_cavanna@agilent.com> writes:
    
     vince> Unfortunately some believe that they can be iSCSI compliant by
     vince> having a slow implementation of IPSec and claiming that most
     vince> traffic will not require security processing. I am not one of
     vince> those persons. I think that at least the policy check must
     vince> occur at link speed regardless of what proportion of traffic
     vince> requires security processing.
    
    I can't think of any RFC that contains a performance mandate.  For
    example, the TCP standard does not mandate doing TCP at wire rate or
    any other rate.  The iSCSI spec does not mandate doing iSCSI at any
    particular rate.  Why, then, should the security spec mandate doing
    something at some particular rate?
    
     vince> Jonathan pointed out the need for bandwidth*RoundTripDelay
     vince> worth of buffering per TCP connection to avoid a cliff-effect
     vince> drop in performance; and I extrapolated the need to have no
     vince> bottlenecks (such as IPSec) anywhere in the path to those
     vince> buffers. From my perspective IPSec, or at least the part of
     vince> IPSec that discriminates between secured and unsecured
     vince> traffic, had better not be a bottleneck or IPSec will not be
     vince> turned on at all.
    
    More generally, the throughput you get is that of the lowest
    throughput component, and the buffering you ideally want is that times
    the round-trip delay including any internal delays cause by high
    latency processing steps.  That will drive your design decisions given
    a particular performance requirement.
    
    So if your example, if the requirement is X Mb/s total and Y Mb/s of
    that protected by IPsec, the sorting of protocol 50 from protocol 6,
    and the checking of protocol 6 traffic against the SPD to verify that
    it's allowed to travel in the clear, have to run at rate X (not Y)
    since they are a common bottleneck.  What X is depends on what you're
    building.  If you need X to be gigabit wire rate, you have some work
    to do, but nothing fundamental in IP or IPsec stands in the way.
    
         paul
    
    


Home

Last updated: Fri Feb 22 17:18:01 2002
8859 messages in chronological order