IPSEC documentation
VANHULLEBUS Yvan
vanhu_bsd at zeninc.net
Fri Dec 30 04:47:01 PST 2005
On Fri, Dec 30, 2005 at 12:17:08PM +0000, Brian Candler wrote:
[simultaneous negotiations]
> You could have a crypto accelerator card even in a low-end CPU.
Yep, but it doesn't help so much, for the same reasons. Crypto
accelerator for IPSec traffic is really more important!
> My concern is with long network RTTs to the clients, and packet loss.
> Anything like that which slows down the exchange will block out other
> clients from negotiating, if I understand rightly.
No. Basically, racoon just processes incoming messages (from kernel or
from network) one by one, but simultaneous SAs can be negotiated with
various peers at the same time.
> With 10,000 clients and a phase 2 SA lifetime of one hour, that's a lot of
> negotiations going on, and one badly-behaved connection could cause a
> backlog of outstanding SA negotiations and probably a meltdown.
1 hour for phase2 is "quite short" (well, it is NOT too short,
lifetimes of a few minutes are too short), compared to 1 day as default
value for many vendors.
And once again, one stalled negotiation will NOT block others.
Yvan.
--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
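As an added illustration of the "one by one, but simultaneous" design described in the reply above (example code, not racoon's own), a minimal single-threaded message loop with per-peer phase 2 state; the peer names, message labels and the timeout value are constructed for the example:

```python
"""Model of a single-threaded IKE daemon message loop (illustrative, not racoon's code).
Each message is handled to completion, but the loop never waits for a peer's reply,
so one stalled negotiation does not hold up the others.  Names are constructed."""

# Phase 2 (IKEv1 quick mode) seen from the responder: a three-message exchange.
TRANSITIONS = {
    ("idle", "QM1"): "qm1_seen",         # first message accepted, reply sent
    ("qm1_seen", "QM3"): "established",  # exchange complete, SA installed
}
NEGOTIATION_TIMEOUT = 30  # seconds before a half-open exchange is discarded

class Daemon:
    def __init__(self):
        self.state = {}    # peer -> phase 2 state
        self.started = {}  # peer -> time its QM1 arrived
        self.now = 0

    def handle(self, peer, msg):
        """Process exactly one message and return the peer's new state."""
        cur = self.state.get(peer, "idle")
        new = TRANSITIONS.get((cur, msg), cur)  # unexpected message: ignored
        if new == "qm1_seen":
            self.started[peer] = self.now
        self.state[peer] = new
        return new

    def expire(self):
        """Drop half-open negotiations older than the timeout; return them."""
        dropped = [p for p, t in self.started.items()
                   if self.state[p] != "established"
                   and self.now - t >= NEGOTIATION_TIMEOUT]
        for p in dropped:
            del self.state[p], self.started[p]
        return dropped

    def run(self, events):
        """Process (time, peer, msg) events one by one in time order."""
        for t, peer, msg in sorted(events):
            self.now = t
            self.expire()
            self.handle(peer, msg)
        self.now += NEGOTIATION_TIMEOUT  # let the clock run past the timeout
        self.expire()
        return dict(self.state)

def simulate():
    # Constructed traffic: A sends QM1 then goes silent; B and C finish while A is outstanding.
    events = [(0, "A", "QM1"), (1, "B", "QM1"), (2, "B", "QM3"),
              (5, "C", "QM1"), (6, "C", "QM3")]
    return Daemon().run(events)
```

The stalled peer A is eventually discarded by the timer, while B and C complete their exchanges without waiting on it.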