RE: is 1 Gbps a MUST?

>>>>> "vince" == vince cavanna <vince_cavanna@agilent.com> writes:

 vince> Unfortunately some believe that they can be iSCSI compliant by
 vince> having a slow implementation of IPSec and claiming that most
 vince> traffic will not require security processing. I am not one of
 vince> those persons. I think that at least the policy check must
 vince> occur at link speed regardless of what proportion of traffic
 vince> requires security processing.

I can't think of any RFC that contains a performance mandate. For example, the TCP standard does not mandate doing TCP at wire rate or any other rate. The iSCSI spec does not mandate doing iSCSI at any particular rate. Why, then, should the security spec mandate doing something at some particular rate?

 vince> Jonathan pointed out the need for bandwidth*RoundTripDelay
 vince> worth of buffering per TCP connection to avoid a cliff-effect
 vince> drop in performance; and I extrapolated the need to have no
 vince> bottlenecks (such as IPSec) anywhere in the path to those
 vince> buffers. From my perspective IPSec, or at least the part of
 vince> IPSec that discriminates between secured and unsecured
 vince> traffic, had better not be a bottleneck or IPSec will not be
 vince> turned on at all.

More generally, the throughput you get is that of the lowest throughput component, and the buffering you ideally want is that times the round-trip delay including any internal delays caused by high latency processing steps. That will drive your design decisions given a particular performance requirement.

So in your example, if the requirement is X Mb/s total and Y Mb/s of that protected by IPsec, the sorting of protocol 50 from protocol 6, and the checking of protocol 6 traffic against the SPD to verify that it's allowed to travel in the clear, have to run at rate X (not Y) since they are a common bottleneck.

What X is depends on what you're building. If you need X to be gigabit wire rate, you have some work to do, but nothing fundamental in IP or IPsec stands in the way.

paul
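
The sorting step discussed in this message, sketched as an added example that is not part of the original post or of any IPsec implementation: every inbound packet passes through `classify`, which separates protocol 50 from protocol 6 and checks cleartext TCP against an SPD. The SPD entries, addresses, action names and helper functions are assumptions constructed for illustration.

```python
import ipaddress
import struct

ESP, TCP = 50, 6  # the IP protocol numbers named in the message

# Constructed SPD for cleartext traffic, first match wins:
# (source network, TCP destination port, action). 3260 is the iSCSI port.
SPD = [
    (ipaddress.ip_network("192.0.2.0/24"), 3260, "BYPASS"),
    (ipaddress.ip_network("0.0.0.0/0"), 3260, "DISCARD"),
]

def classify(packet: bytes) -> str:
    """Inbound decision for one IPv4 packet; every packet takes this path."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "DISCARD"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "DISCARD"
    if packet[9] == ESP:
        return "IPSEC"  # hand off to ESP processing, the rate-Y part
    if packet[9] != TCP or len(packet) < ihl + 4:
        return "DISCARD"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "DISCARD"  # non-first fragment: no TCP ports to check
    src = ipaddress.ip_address(packet[12:16])
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    for net, port, action in SPD:
        if src in net and dport == port:
            return action
    return "DISCARD"  # no SPD entry allows this traffic in the clear

def path_buffer_bytes(stage_rates_bps, rtt_ms):
    """Slowest stage sets the throughput; buffering is that times the RTT."""
    return min(stage_rates_bps) * rtt_ms // 8000

def ipv4(proto, src, payload=b""):
    """Build a constructed test packet (header checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address("198.51.100.10").packed) + payload

if __name__ == "__main__":
    ports = struct.pack("!HH", 40000, 3260)
    for proto, src in [(ESP, "203.0.113.5"), (TCP, "192.0.2.7"), (TCP, "203.0.113.5")]:
        print(proto, src, classify(ipv4(proto, src, ports)))
    print(path_buffer_bytes([1_000_000_000, 400_000_000], 10), "bytes")
```

Only the ESP branch scales with Y; the header checks and SPD walk run for every packet, which is why they must keep up with X.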
Last updated: Fri Feb 22 17:18:01 2002