IPSEC documentation
Clark Gaylord
gaylord at dirtcheapemail.com
Wed Dec 28 08:29:29 PST 2005
On Wed, 28 Dec 2005 10:08:54 -0500, "Matt Emmerton" <matt at gsicomp.on.ca>
said:
> (which is already encrypted via HTTPS, but you can't be too safe!)
Yes and no. There are substantial support and performance costs every
time you encrypt. You can figure that encryption will cost you about
1/3 of your bandwidth every time you do it (different protocols vary,
but not a bad rule of thumb). So, double encryption gives you 44%
throughput, where single encryption gives you 67% -- triple it and you
are down to 30%, etc.
The "encrypt at every layer possible" approach is only good if you have
an infinite budget (or you are the WAN service provider who gets to
receive the revenue from your infinite budget), infinite CPU, and
infinite staff. That being said, it is ok to have some "belt and
suspenders" designs, but usually I find that solving a problem once
allows me to a) do it better and b) solve more problems.
Labyrinthine solutions are inherently insecure.
--ckg
--
Clark Gaylord
Blacksburg, VA USA
gaylord at dirtcheapemail.com
More information about the freebsd-net
mailing list