From: "Clark Gaylord" <gaylord@dirtcheapemail.com>
To: freebsd-net@freebsd.org
Date: Wed, 28 Dec 2005 11:29:21 -0500
Subject: Re: IPSEC documentation
In-Reply-To: <001401c60bc0$a3c87e90$1200a8c0@gsicomp.on.ca>

On Wed, 28 Dec 2005 10:08:54 -0500, "Matt Emmerton" said:
> (which is already encrypted via HTTPS, but you can't be too safe!)
Yes and no. There are substantial support and performance costs every time you encrypt. You can figure that encryption will cost you about 1/3 of your bandwidth every time you do it (different protocols vary, but not a bad rule of thumb). So, double encryption gives you 44% throughput, where single encryption gives you 67% -- triple it and you are down to 30%, etc.

The "encrypt at every layer possible" approach is only good if you have an infinite budget (or you are the WAN service provider who gets to receive the revenue from your infinite budget), infinite CPU, and infinite staff.

That being said, it is OK to have some "belt and suspenders" designs, but usually I find that solving a problem once allows me to a) do it better and b) solve more problems. Labyrinthine solutions are inherently insecure.

--ckg

-- 
Clark Gaylord
Blacksburg, VA USA
gaylord@dirtcheapemail.com