Date: Fri, 30 Dec 2005 12:17:08 +0000
From: Brian Candler <B.Candler@pobox.com>
To: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC documentation
Message-ID: <20051230121708.GB14630@uk.tiscali.com>
In-Reply-To: <20051229123815.GB1854@zen.inc>
References: <20051228143817.GA6898@uk.tiscali.com> <001401c60bc0$a3c87e90$1200a8c0@gsicomp.on.ca> <20051228153106.GA7041@uk.tiscali.com> <20051228164339.GB3875@zen.inc> <43B38747.1060906@iteranet.com> <20051229122549.GA11055@uk.tiscali.com> <20051229123815.GB1854@zen.inc>
On Thu, Dec 29, 2005 at 01:38:15PM +0100, VANHULLEBUS Yvan wrote:
> > "Known issues:
> > - Non-threaded implementation. Simultaneous key negotiation performance
> > should be improved."
> >
> > I think that would limit its usefulness as a scalable concentrator, if the
> > comment is still valid.
>
> The comment is still valid, but impact is not so strong.
>
> Key negotiations don't happen so much during an IPSec tunnel
> lifetime, and negotiating simultaneous SAs will be slow even with a
> multi-threaded implementation if you have a low-end CPU.

You could have a crypto accelerator card even in a low-end CPU.

My concern is with long network RTTs to the clients, and packet loss.
Anything like that which slows down the exchange will block out other
clients from negotiating, if I understand rightly. With 10,000 clients and
a phase 2 SA lifetime of one hour, that's a lot of negotiations going on,
and one badly-behaved connection could cause a backlog of outstanding SA
negotiations and probably a meltdown.

Another issue is with DoS. Is it possible for an attacker to start an IKE
exchange and get sufficiently far through it that they can block out other
negotiations, before getting to the point of needing to provide valid
credentials?

Regards,

Brian.
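The head-of-line blocking concern raised above, as an added capacity model that is not part of the thread or of any IKE daemon's code: it compares a daemon that blocks on the network during each negotiation with one that only serializes CPU work. The per-negotiation CPU cost, the number of round trips, the RTT values and the evenly spaced rekey arrivals are all constructed assumptions.

```python
"""Constructed model of head-of-line blocking in a single-threaded IKE daemon.

Assumptions (not from the mail): each negotiation needs ROUND_TRIPS message
exchanges and CPU_COST seconds of CPU; the daemon otherwise just waits for the
peer's next message. One slow peer (long RTT or retransmit waits) sits at the
head of the queue, ahead of normal peers whose rekeys arrive at a steady rate.
"""
from dataclasses import dataclass

CPU_COST = 0.005     # seconds of CPU per negotiation (assumed)
ROUND_TRIPS = 3      # message exchanges per negotiation (assumed)


@dataclass
class Negotiation:
    arrival: float   # when the peer's first message arrives (seconds)
    rtt: float       # round-trip time to that peer, including any retransmit waits


def serialized(queue):
    """FIFO daemon that blocks on the network: later peers wait for earlier ones."""
    clock, finish = 0.0, []
    for n in queue:
        clock = max(clock, n.arrival) + CPU_COST + n.rtt * ROUND_TRIPS
        finish.append(clock)
    return finish


def concurrent(queue):
    """Daemon that serializes only CPU work; network waits overlap."""
    cpu_free, finish = 0.0, []
    for n in queue:
        cpu_free = max(cpu_free, n.arrival) + CPU_COST
        finish.append(cpu_free + n.rtt * ROUND_TRIPS)
    return finish


def worst_delay_for_others(queue, scheduler):
    """Largest (finish - arrival) among all peers except the slow one at index 0."""
    finishes = scheduler(queue)
    return max(f - n.arrival for n, f in zip(queue[1:], finishes[1:]))


def rekey_rate(clients, lifetime_s):
    """Average phase 2 rekeys per second for N clients with the given SA lifetime."""
    return clients / lifetime_s


def build_queue(n_clients, lifetime_s, slow_rtt, normal_rtt=0.05):
    """Rekeys arrive evenly over the lifetime; the first peer is the slow one."""
    gap = 1.0 / rekey_rate(n_clients, lifetime_s)
    queue = [Negotiation(i * gap, normal_rtt) for i in range(n_clients)]
    queue[0].rtt = slow_rtt
    return queue
```

With the page's 10,000 clients and one-hour lifetime, `rekey_rate(10000, 3600)` is about 2.8 negotiations per second, so any peer that stalls the serialized daemon for tens of seconds leaves dozens of rekeys queued behind it.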