Xialiang (Frank, Network Integration Technology Research Dept) writes:
> The other point we should consider is the performance improvement by
> skipping the IKEv2 negotiation and DH calculation. Take a large
> scale network as the example, it will take a long time for multiple
> peers to set up the SAs with one peer by IKEv2 and DH key exchange,
> since one peer has the cpu/memory up-limit to constrain the maximal
> number of IKEv2 sessions at the same time. But, by replacing the
> IKEv2 and DH with the key calculation (by peer itself, or by
> controller) and key distribution (through the controller), the total
> time for creating SAs among a large number of peers can be decreased
> dramatically and keep under certain time.
How about updating your machines so they are using CPUs made in the last decade or something. My home firewall can do 200 Diffie-Hellman calculations per second (using MODP-2048, which is the current recommended size), so doing 10000 Diffie-Hellman operations will take less than a minute. My firewall is 3 years old, with a CPU that is 5 years old (an Intel Xeon E3-1225v3 3.2GHz, which came out in Q2 2013), and this test was only using a single core out of the 4 it has.

Yes, if you have more connections than that, then it is even more important to use IKEv2, as you do not want to create all of them at startup, but instead create them dynamically when you need them, i.e., create the SA when you are trying to send the first packet to it.
--
[email protected]

_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
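The reply above rests on a throughput figure (about 200 MODP-2048 Diffie-Hellman operations per second on one core). The following added example, which is not code from the thread or from either poster, lets a reader reproduce that kind of measurement on their own hardware: it embeds the RFC 3526 group 14 (MODP-2048) prime, runs a single-core DH benchmark with a random base (benchmarking with the small generator 2 as the base would flatter the result), does the RFC 6989 range check on a peer's public value that an IPsec implementation must do before computing the shared secret, and turns the measured rate into the "how long for N SAs" estimate the thread argues about. The 256-bit private exponent size and the benchmark window are assumptions chosen for the example.

```python
"""Single-core Diffie-Hellman throughput over MODP-2048 (RFC 3526 group 14).

Added example for the i2nsf thread above; not the posters' code.
Uses only the standard library so it runs offline.
"""
import secrets
import time

# RFC 3526 group 14 prime, 2048 bits; the group generator is 2.
MODP_2048_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
MODP_2048_G = 2

# Private exponent length. 256 bits is a common choice for a 2048-bit safe-prime
# group (assumption for this example; implementations differ).
EXPONENT_BITS = 256


def sanity_check_group(p=MODP_2048_P):
    """Cheap checks that the constant above was transcribed correctly:
    2048 bits, p = 3 mod 4 as a safe prime must be, and a Fermat test to base 2."""
    return p.bit_length() == 2048 and p % 4 == 3 and pow(2, p - 1, p) == 1


def dh_keypair(p=MODP_2048_P, g=MODP_2048_G):
    """One DH operation: pick a private exponent and compute the public value."""
    x = secrets.randbits(EXPONENT_BITS) or 1
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=MODP_2048_P):
    """Second DH operation: derive the shared secret from the peer's public value.
    RFC 6989 requires rejecting public values outside [2, p-2] first; otherwise a
    peer can send 0, 1 or p-1 and force a predictable shared secret."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value out of range (RFC 6989 check failed)")
    return pow(peer_pub, priv, p)


def bench_dh_ops(seconds=1.0, p=MODP_2048_P, g=MODP_2048_G):
    """Count modular exponentiations with a random 2048-bit base in a time window.

    Returns operations per second on the calling core. A peer's public value is a
    full-size base, so we benchmark that rather than the tiny generator 2."""
    x = secrets.randbits(EXPONENT_BITS) or 1
    base = pow(g, x, p)
    count = 0
    start = time.perf_counter()
    deadline = start + seconds
    while time.perf_counter() < deadline:
        pow(base, x, p)
        count += 1
    return count / (time.perf_counter() - start)


def estimate_setup_seconds(n_sas, ops_per_sec, modexps_per_sa=2, cores=1):
    """Serial time to bring up n_sas IKEv2 SAs on one host.

    The thread counts one DH operation per SA (10000 / 200 = 50 s). A responder
    really does two modexps per SA (its own public value plus the shared secret),
    which is the default here; cores scales the rate for multi-core hosts."""
    return n_sas * modexps_per_sa / (ops_per_sec * cores)


if __name__ == "__main__":
    assert sanity_check_group()
    a, A = dh_keypair()
    b, B = dh_keypair()
    assert dh_shared(a, B) == dh_shared(b, A)
    rate = bench_dh_ops(seconds=1.0)
    print(f"{rate:.0f} MODP-2048 exponentiations/s on one core")
    for n in (1000, 10000):
        print(f"{n} SAs serially: {estimate_setup_seconds(n, rate):.1f} s")
```

Run it as a script to get the rate for the current host. The figure depends on the interpreter's bignum arithmetic, so it will be lower than what an IKE daemon linked against OpenSSL or a hardware offload reaches; the point is the shape of the result, which is seconds to a minute for tens of thousands of SAs rather than the open-ended time the quoted message implies, and on-demand SA creation spreads even that cost over time.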
