
    RE: is 1 Gbps a MUST?

    Hi Paul,
    I agree with everything you said.  What I was hoping to get comments on is
    my interpretation of Jonathan Stone's claim and its implications for IPSec. 
    Jonathan pointed out the need for bandwidth*RoundTripDelay worth of
    buffering per TCP connection to avoid a cliff-effect drop in performance;
    and I extrapolated the need to have no bottlenecks (such as IPSec) anywhere
    in the path to those buffers. From my perspective IPSec, or at least the
    part of IPSec that discriminates between secured and unsecured traffic, had
    better not be a bottleneck or IPSec will not be turned on at all.
    |-----Original Message-----
    |From: Paul Koning []
    |Sent: Friday, February 22, 2002 6:55 AM
    |Subject: Re: is 1 Gbps a MUST?
    |>>>>> "Vince" == A-Roseville,ex1  <CAVANNA> writes:
    | Vince> Thanks for the clarification. Something still bothers me
    | Vince> however.  If IPSec is a bottleneck (because the policy lookup
    | Vince> is done in software) then the receiver may be forced to drop
    | Vince> packets quite frequently. Such behavior could have a dramatic
    | Vince> effect on performance as explained in a memo that Jonathan
    | Vince> Stone posted on 2/5/02 (attached) and in my interpretation
    | Vince> which I did not post on 2/6/02 (attached). Comments?
    |Your assumption "policy lookup is done in software" is not necessarily
    |valid -- just like the popular assertion "TCP is slow because it is
    |done in software" is not necessarily valid.
    |Apart from that, the fact that it's done in software doesn't
    |necessarily make it slow.  It is certainly doable with a decent
    |network processor to do SPD lookup at 1Gb/s line speeds in software.
    |Note also that SPD lookup for encrypted traffic is often quite easy.
    |You already have the inbound SA (and that lookup is trivial if you
    |assign SAIDs sensibly).  You can bind to that the list of SPD entries
    |-- often just one -- describing the traffic that is allowed to travel
    |on that SA, so you have no search, only a compare of the SPD entry
    |with the address/port/protocol fields of the packet.
    |Going back to the original question, I read the statement in the
    |security spec as a protocol requirement, not an implementation
    |requirement -- so it constrains the choice of security protocol.
    |IPsec ESP can be implemented to run at the specified speeds in the
    |timeframes called for (the whole thing -- not just the crypto
    |primitives) so it satisfies that requirement on the protocol.  (It's
    |not trivial to achieve this -- nor is it inexpensive -- but it *can*
    |be done if you really want to.)  But there is no requirement on
    |implementations to run at that speed, of course.
    |It would be good for the security spec wording to be clarified so it
    |makes explicit that this is a protocol selection requirement, not
    |an implementation requirement.
    |   paul
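The inbound check Paul describes, where the SA is found from the SPI and the packet is then compared against the SPD entries bound to that SA instead of searching the SPD, as an added illustration in C that is not part of this thread or of any implementation it mentions. The SPI allocation scheme (SPI_BASE + table index), the table size, and the addresses and port in the installed SA are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* One SPD entry (traffic selector) bound to an SA. */
struct selector {
    uint32_t src, src_mask, dst, dst_mask; /* IPv4 prefix: addr & mask */
    uint8_t  proto;                        /* 0 = any protocol */
    uint16_t port_lo, port_hi;             /* destination port range */
};

struct sa {
    bool in_use;
    uint32_t spi;
    const struct selector *sel;            /* bound SPD entries, often just one */
    size_t nsel;
};

/* Assumption: inbound SPIs are chosen by us as SPI_BASE + table index, so the
   SA lookup is an array index rather than a search. */
#define SPI_BASE 0x1000u
#define SAD_SIZE 256
static struct sa sad[SAD_SIZE];

static const struct sa *sa_lookup(uint32_t spi) {
    uint32_t i = spi - SPI_BASE;           /* wraps to a huge value if spi < SPI_BASE */
    if (i >= SAD_SIZE || !sad[i].in_use || sad[i].spi != spi) return NULL;
    return &sad[i];
}

struct inner_pkt { uint32_t src, dst; uint8_t proto; uint16_t dport; };

static bool selector_match(const struct selector *s, const struct inner_pkt *p) {
    return (p->src & s->src_mask) == s->src && (p->dst & s->dst_mask) == s->dst
        && (s->proto == 0 || s->proto == p->proto)
        && p->dport >= s->port_lo && p->dport <= s->port_hi;
}

/* Post-decapsulation inbound check: the only SPD work is a compare of the inner
   address/port/protocol fields against the entries bound to the SA. 0 = pass, -1 = drop. */
int inbound_policy_check(uint32_t spi, const struct inner_pkt *p) {
    const struct sa *sa = sa_lookup(spi);
    if (!sa) return -1;                    /* unknown SPI: drop and audit */
    for (size_t i = 0; i < sa->nsel; i++)
        if (selector_match(&sa->sel[i], p)) return 0;
    return -1;                             /* authentic, but not traffic this SA may carry */
}

/* Constructed SA: hosts in 10.0.0.0/8 may send TCP to 192.168.1.10 port 5001. */
static const struct selector demo_sel = { IP4(10,0,0,0), 0xFF000000u, IP4(192,168,1,10), 0xFFFFFFFFu, 6, 5001, 5001 };
uint32_t demo_install(void) {
    sad[7] = (struct sa){ true, SPI_BASE + 7, &demo_sel, 1 };
    return SPI_BASE + 7;
}
```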

