Date:      Fri, 30 Dec 2005 13:46:57 +0100
From:      VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To:        freebsd-net@freebsd.org
Subject:   Re:  IPSEC documentation
Message-ID:  <20051230124657.GA22834@zen.inc>
In-Reply-To: <20051230121708.GB14630@uk.tiscali.com>
References:  <20051228143817.GA6898@uk.tiscali.com> <001401c60bc0$a3c87e90$1200a8c0@gsicomp.on.ca> <20051228153106.GA7041@uk.tiscali.com> <20051228164339.GB3875@zen.inc> <43B38747.1060906@iteranet.com> <20051229122549.GA11055@uk.tiscali.com> <20051229123815.GB1854@zen.inc> <20051230121708.GB14630@uk.tiscali.com>

On Fri, Dec 30, 2005 at 12:17:08PM +0000, Brian Candler wrote:
[simultaneous negotiations]
> You could have a crypto accelerator card even in a low-end CPU.

Yep, but it doesn't help so much, for the same reasons. A crypto
accelerator for IPSec traffic is really more important!


> My concern is with long network RTTs to the clients, and packet loss.
> Anything like that which slows down the exchange will block out other
> clients from negotiating, if I understand rightly.

No. Basically, racoon just processes incoming messages (from kernel or
from network) one by one, but simultaneous SAs can be negotiated with
various peers at the same time.


> With 10,000 clients and a phase 2 SA lifetime of one hour, that's a lot of
> negotiations going on, and one badly-behaved connection could cause a
> backlog of outstanding SA negotiations and probably a meltdown.

1 hour for phase2 is "quite short" (well, it is NOT too short,
lifetimes of a few minutes are too short), compared to 1 day as default
value for many vendors.

And once again, one stalled negotiation will NOT block others.


Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com
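The claim above, that a daemon can process messages strictly one at a time and still negotiate with many peers concurrently, is illustrated by this added toy model; it is not racoon's code, and the three-message quick-mode count, the retry limit and the event trace are constructed assumptions.

```python
"""Toy model (added, not racoon's source) of a single-threaded IKE daemon.
Messages are dequeued one at a time, but negotiation state is kept per
peer, so a peer that goes silent only stalls its own negotiation."""
from collections import deque

QM_MESSAGES = 3   # assumed: quick mode completes after three messages
RETRY_LIMIT = 5   # assumed: retransmissions before a pending peer is dropped


class Daemon:
    def __init__(self):
        self.state = {}       # peer -> quick-mode messages seen so far
        self.retries = {}     # peer -> retransmissions sent while waiting
        self.established = []  # peers whose SA negotiation completed
        self.expired = []      # peers dropped after too many retries

    def on_message(self, peer):
        # Advance only this peer's state machine; nothing else is touched.
        n = self.state.get(peer, 0) + 1
        if n >= QM_MESSAGES:
            self.state.pop(peer, None)
            self.retries.pop(peer, None)
            self.established.append(peer)
        else:
            self.state[peer] = n

    def on_timer(self):
        # Retransmit to every peer still waiting; give up past the limit.
        for peer in list(self.state):
            self.retries[peer] = self.retries.get(peer, 0) + 1
            if self.retries[peer] > RETRY_LIMIT:
                self.state.pop(peer)
                self.retries.pop(peer)
                self.expired.append(peer)


def run(events):
    d = Daemon()
    queue = deque(events)
    while queue:                      # strictly one event at a time
        kind, peer = queue.popleft()
        if kind == "msg":
            d.on_message(peer)
        else:
            d.on_timer()
    return d


def demo():
    # Constructed trace: B sends one message, then never answers again.
    events = [("msg", "A"), ("msg", "B"), ("msg", "C"), ("msg", "A"),
              ("msg", "C"), ("msg", "A"), ("msg", "C")]
    events += [("timer", None)] * (RETRY_LIMIT + 1)
    d = run(events)
    return d.established, d.expired
```

A and C finish while B is still pending, and B is reaped by the retry timer without ever having delayed the others.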


