Re: is 1 Gbps a MUST?

To: vince_cavanna@agilent.com
Subject: Re: is 1 Gbps a MUST?
From: Paul Koning <ni1d@arrl.net>
Date: Fri, 22 Feb 2002 09:55:17 -0500 (EST)
Cc: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <01A7DAF31F93D511AEE300D0B706ED9201BF4787@axcs13.cos.agilent.com>
Sender: owner-ips@ece.cmu.edu

>>>>> "Vince" == A-Roseville,ex1  <CAVANNA> writes:

 Vince> Thanks for the clarification. Something still bothers me
 Vince> however.  If IPSec is a bottleneck (because the policy lookup
 Vince> is done in software) then the receiver may be forced to drop
 Vince> packets quite frequently. Such behavior could have a dramatic
 Vince> effect on performance as explained in a memo that Jonathan
 Vince> Stone posted on 2/5/02 (attached) and in my interpretation
 Vince> which I did not post on 2/6/02 (attached). Comments?

Your assumption "policy lookup is done in software" is not necessarily
valid -- just like the popular assertion "TCP is slow because it is
done in software" is not necessarily valid.

Apart from that, the fact that it's done in software doesn't
necessarily make it slow.  It is certainly doable with a decent
network processor to do SPD lookup at 1Gb/s line speeds in software.

Note also that SPD lookup for encrypted traffic is often quite easy.
You already have the inbound SA (and that lookup is trivial if you
assign SAIDs sensibly).  You can bind to that the list of SPD entries
-- often just one -- describing the traffic that is allowed to travel
on that SA, so you have no search, only a compare of the SPD entry
with the address/port/protocol fields of the packet.

Going back to the original question, I read the statement in the
security spec as a protocol requirement, not an implementation
requirement -- so it constrains the choice of security protocol.
IPsec ESP can be implemented to run at the specified speeds in the
timeframes called for (the whole thing -- not just the crypto
primitives) so it satisfies that requirement on the protocol.  (It's
not trivial to achieve this -- nor is it inexpensive -- but it *can*
be done if you really want to.)  But there is no requirement on
implementations to run at that speed, of course.

It would be good for the security spec wording to be clarified so
makes it explicit that this is a protocol selection requirement, not
an implementation requirement.

   paul

References:
- Re: is 1 Gbps a MUST?
  - From: "CAVANNA,VICENTE V (A-Roseville,ex1)" <vince_cavanna@agilent.com>

Prev by Date: RE: iSCSI: key negotiation - Unrecognized value?
Next by Date: RE: is 1 Gbps a MUST?
Prev by thread: Re: is 1 Gbps a MUST?
Next by thread: RE: is 1 Gbps a MUST?
Index(es):
- Date
- Thread

Home

Last updated: Fri Feb 22 14:18:19 2002
8850 messages in chronological order