From owner-freebsd-net@FreeBSD.ORG Fri Dec 30 12:17:12 2005
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C47016A41F for ; Fri, 30 Dec 2005 12:17:12 +0000 (GMT) (envelope-from b.candler@pobox.com)
Received: from thorn.pobox.com (thorn.pobox.com [208.210.124.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3BA8143D78 for ; Fri, 30 Dec 2005 12:17:11 +0000 (GMT) (envelope-from b.candler@pobox.com)
Received: from thorn (localhost [127.0.0.1]) by thorn.pobox.com (Postfix) with ESMTP id 81DD3D6; Fri, 30 Dec 2005 07:17:32 -0500 (EST)
Received: from mappit.local.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by thorn.sasl.smtp.pobox.com (Postfix) with ESMTP id 40DB623BD; Fri, 30 Dec 2005 07:17:31 -0500 (EST)
Received: from lists by mappit.local.linnet.org with local (Exim 4.60 (FreeBSD)) (envelope-from ) id 1EsJC0-0003oa-4j; Fri, 30 Dec 2005 12:17:08 +0000
Date: Fri, 30 Dec 2005 12:17:08 +0000
From: Brian Candler
To: VANHULLEBUS Yvan
Message-ID: <20051230121708.GB14630@uk.tiscali.com>
References: <20051228143817.GA6898@uk.tiscali.com> <001401c60bc0$a3c87e90$1200a8c0@gsicomp.on.ca> <20051228153106.GA7041@uk.tiscali.com> <20051228164339.GB3875@zen.inc> <43B38747.1060906@iteranet.com> <20051229122549.GA11055@uk.tiscali.com> <20051229123815.GB1854@zen.inc>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20051229123815.GB1854@zen.inc>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC documentation
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 30 Dec 2005 12:17:12 -0000

On Thu, Dec 29, 2005 at 01:38:15PM +0100, VANHULLEBUS Yvan wrote:
> > "Known issues:
> > - Non-threaded implementation. Simultaneous key negotiation performance
> > should be improved."
> >
> > I think that would limit its usefulness as a scalable concentrator, if the
> > comment is still valid.
>
> The comment is still valid, but impact is not so strong.
>
> Key negotiations don't happen so much during an IPSec tunnel
> lifetime, and negotiating simultaneous SAs will be slow even with a
> multi-threaded implementation if you have a low-end CPU.

You could have a crypto accelerator card even in a low-end CPU.

My concern is with long network RTTs to the clients, and packet loss.
Anything like that which slows down the exchange will block out other
clients from negotiating, if I understand rightly. With 10,000 clients and
a phase 2 SA lifetime of one hour, that's a lot of negotiations going on,
and one badly-behaved connection could cause a backlog of outstanding SA
negotiations and probably a meltdown.

Another issue is with DoS. Is it possible for an attacker to start an IKE
exchange and get sufficiently far through it that they can block out other
negotiations, before getting to the point of needing to provide valid
credentials?

Regards,

Brian.
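The capacity argument in Brian's message (10,000 peers, one-hour phase 2 lifetime, one stalled exchange holding up a non-threaded daemon) can be made concrete with a small queueing model. The following is an added example written for this archive page; it is not code from the thread, from racoon or from any IKE implementation, and it models nothing about how a real daemon schedules work. It assumes a single-threaded negotiator is one FIFO worker, that a normal rekey occupies the worker for a few hundred milliseconds (RTT-dominated), and that a small fraction of "bad" peers (constructed: 2%, 20 seconds each, standing in for long RTTs and retransmit timeouts) hold it much longer. The arrival rate comes from the post's own numbers.

```python
"""Head-of-line blocking in a single-threaded IKE daemon: a constructed model.

Added example; not code from the mailing-list thread or any IKE daemon.
Rekeys arrive at 10,000 peers / 3600 s (the post's numbers); each negotiation
holds a worker for a service time that depends on the peer's RTT and losses.
Service-time values and the 'bad peer' fraction are constructed.
"""
import heapq
import random
from collections import deque

PEERS = 10_000
SA_LIFETIME_S = 3600.0                  # phase 2 SA lifetime from the post
ARRIVAL_RATE = PEERS / SA_LIFETIME_S    # ~2.78 rekeys per second on average


def constructed_negotiations(n, seed=1, bad_fraction=0.02, bad_service_s=20.0):
    """Return n (arrival_time, service_time) pairs, arrivals in time order.

    A normal rekey costs ~0.05 s of work plus one to a few RTTs of waiting.
    A 'bad' peer (high RTT, packet loss, retransmits) occupies the negotiator
    for bad_service_s seconds. All numbers are constructed for illustration.
    """
    rng = random.Random(seed)
    t = 0.0
    jobs = []
    for _ in range(n):
        t += rng.expovariate(ARRIVAL_RATE)
        if rng.random() < bad_fraction:
            svc = bad_service_s
        else:
            svc = 0.05 + rng.uniform(0.02, 0.3)
        jobs.append((t, svc))
    return jobs


def utilization(jobs, workers):
    """Offered load per worker: total service time / elapsed time / workers.

    Above 1.0 the backlog grows without bound, which is the 'meltdown' case.
    """
    total_service = sum(svc for _, svc in jobs)
    horizon = jobs[-1][0]
    return total_service / horizon / workers


def simulate(jobs, workers):
    """Push the negotiations through `workers` FIFO negotiators.

    workers=1 models the non-threaded daemon: a stalled exchange blocks every
    peer queued behind it. Returns (mean_wait_s, max_wait_s, max_backlog).
    """
    free_at = [0.0] * workers          # min-heap: when each worker is free again
    heapq.heapify(free_at)
    waiting = deque()                  # start times of arrived-but-not-started jobs
    waits = []
    max_backlog = 0
    for arrival, svc in jobs:
        earliest = heapq.heappop(free_at)
        start = max(arrival, earliest)  # FIFO: starts are non-decreasing
        heapq.heappush(free_at, start + svc)
        waits.append(start - arrival)
        while waiting and waiting[0] <= arrival:   # those have started by now
            waiting.popleft()
        if start > arrival:
            waiting.append(start)
        max_backlog = max(max_backlog, len(waiting))
    return sum(waits) / len(waits), max(waits), max_backlog


if __name__ == "__main__":
    jobs = constructed_negotiations(PEERS)          # one hour of rekeys
    for w in (1, 4):
        mean_w, max_w, backlog = simulate(jobs, w)
        print(f"workers={w}: load/worker={utilization(jobs, w):.2f} "
              f"mean wait={mean_w:.1f}s max wait={max_w:.1f}s "
              f"max backlog={backlog}")
    quiet = constructed_negotiations(PEERS, bad_fraction=0.0)
    print(f"no bad peers, 1 worker: load={utilization(quiet, 1):.2f}")
```

With these constructed inputs the single worker keeps up comfortably while every peer behaves (load around 0.6), but a 2% share of slow peers pushes its offered load above 1.0, so the queue and the waiting times grow for the whole hour; the same traffic spread over four workers stays well under capacity. The model says nothing about any particular daemon's behaviour, but it is the calculation a concentrator operator would do before relying on the post's "not so strong" assessment: measure real per-negotiation hold times under loss and long RTTs, multiply by the rekey rate, and check the result against the number of concurrent negotiations the daemon can actually run.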