From owner-freebsd-net@FreeBSD.ORG Fri Dec 30 12:47:01 2005
Date: Fri, 30 Dec 2005 13:46:57 +0100
From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Message-ID: <20051230124657.GA22834@zen.inc>
In-Reply-To: <20051230121708.GB14630@uk.tiscali.com>
References: <20051228143817.GA6898@uk.tiscali.com> <001401c60bc0$a3c87e90$1200a8c0@gsicomp.on.ca> <20051228153106.GA7041@uk.tiscali.com> <20051228164339.GB3875@zen.inc> <43B38747.1060906@iteranet.com> <20051229122549.GA11055@uk.tiscali.com> <20051229123815.GB1854@zen.inc> <20051230121708.GB14630@uk.tiscali.com>
Subject: Re: IPSEC documentation
List-Id: Networking and TCP/IP with FreeBSD

On Fri, Dec 30, 2005 at 12:17:08PM +0000, Brian Candler wrote:

[simultaneous negotiations]

> You could have a crypto accelerator card even in a low-end CPU.
Yep, but it doesn't help so much, for the same reasons. A crypto accelerator for IPsec traffic is really more important!

> My concern is with long network RTTs to the clients, and packet loss.
> Anything like that which slows down the exchange will block out other
> clients from negotiating, if I understand rightly.

No. Basically, racoon just processes incoming messages (from kernel or from network) one by one, but simultaneous SAs can be negotiated with various peers at the same time.

> With 10,000 clients and a phase 2 SA lifetime of one hour, that's a lot of
> negotiations going on, and one badly-behaved connection could cause a
> backlog of outstanding SA negotiations and probably a meltdown.

1 hour for phase 2 is "quite short" (well, it is NOT too short; lifetimes of a few minutes are too short), compared to 1 day as the default value for many vendors.

And once again, one stalled negotiation will NOT block others.

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
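A toy model of the point Yvan makes above, added here as an illustration and not taken from racoon's source: a daemon that services one incoming message at a time still advances many negotiations concurrently, so a peer that stops answering only leaves its own SA pending. The contrasting per-negotiation model, the peer names and the round count are constructed for the example.

```python
# Added illustration (not racoon's code): per-message versus per-negotiation
# servicing of IKE exchanges, plus the steady-state rekey rate for a given
# phase-2 SA lifetime.
from collections import deque

ROUNDS = 3  # constructed: messages each peer must send before its SA is up


def per_message_daemon(peers, stalled):
    """Model of racoon's loop: pop one message, process it, move on.

    `peers` are peer names; `stalled` are peers that never send their next
    message. Returns (completed peers, peers still pending)."""
    remaining = {p: ROUNDS for p in peers}
    inbox = deque(peers)           # every peer sends its first message
    done = []
    while inbox:
        p = inbox.popleft()        # service exactly one message
        remaining[p] -= 1
        if remaining[p] == 0:
            done.append(p)
        elif p not in stalled:
            inbox.append(p)        # the reply arrives later, behind others
    return done, [p for p in peers if remaining[p] > 0]


def per_negotiation_daemon(peers, stalled):
    """Contrast model: the daemon waits for each negotiation to finish
    before starting the next, so the first stalled peer blocks all later ones."""
    done = []
    for p in peers:
        if p in stalled:
            return done, [q for q in peers if q not in done]
        done.append(p)
    return done, []


def renegotiations_per_second(clients, lifetime_seconds):
    """Average phase-2 rekeys per second with a fixed SA lifetime."""
    return clients / lifetime_seconds


if __name__ == "__main__":
    peers = [f"peer{i}" for i in range(5)]   # constructed sample peers
    print(per_message_daemon(peers, {"peer1"}))
    print(per_negotiation_daemon(peers, {"peer1"}))
    # 10,000 clients: 1 hour versus 1 day lifetime
    print(renegotiations_per_second(10_000, 3600),
          renegotiations_per_second(10_000, 86_400))
```

With 10,000 clients the rekey load is under three negotiations per second at a one-hour lifetime and about one every nine seconds at one day, and in the per-message model the stalled peer is the only one left pending.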