Kampanakis, Panos <[email protected]> wrote:
> In a typical network scenario, the smallish RTTs are 20-30ms. Let's say
> 20ms. 2 extra RTTs mean 40ms. Now, we can crudely say that an
> overestimated size of an ML-DSA sig+cert chain is 15KB (these certs
> typically do not include SCTs) whereas carrying the certs as per PQuAKE
> we can say the size is 10KB (assuming the peer cert and the issuing CA
> certs are carried). That means an additional 5KB=40Kbits on the wire
Fragmented UDP, 10K is no more likely to avoid a fragment drop than 15KB in
my opinion. More round trips with smaller packets is probably a win in my
opinion. (It might push us back to thinking about the puzzles/RFC8019 again)
But, probably draft-smyslov-ipsecme-ikev2-reliable-transport is the better
answer.
> for the typical IKEv2 with ML-DSA case vs PQuAKE. That is 40Kbits each
> direction or a total of 80Kbits bidirectionally. Then, only when the
> network bandwidth between the peers is >80/40=2Mbps, will ML-DSA in
> typical IKEv2 be slower than PQuAKE. I am not sure if there are many
> IKEv2 negotiations taking place under <2MBps connections. Let me know
> if there is an issue in this logic. Admittedly, even then, the speed
> will not matter for these negotiations because the tunnels stay up for
> a long time. As Scott asked, could there be more motivations for such a
> drastic change in IKEv2? The proofs, anything else?
For site to site exchanges, there are no concerns.
Where I think this hurts is gateways with thousands+ of client systems.
Negotiating less often and doing session resumption should be a win.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
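The back-of-the-envelope comparison quoted above (extra round trips for PQuAKE against extra bytes for an ML-DSA chain) and the fragment-drop point raised in the reply can be put into a small model. The following is an added example written for this page, not code from either poster or from any IKEv2 implementation. It assumes classic IKEv2 completes in 2 RTTs (IKE_SA_INIT + IKE_AUTH) so that "2 extra RTTs" makes PQuAKE 4, uses the 15KB/10KB estimates from the mail, and takes a 1200-byte per-fragment payload and independent per-packet loss as stand-ins for real path MTU and real (bursty) loss behaviour.

```python
# Added example, not part of the thread: a latency-vs-bytes model of the
# trade-off in the quoted mail, plus an IKE fragment count so the fragment-drop
# argument can be reasoned about. Figures are the mail's estimates or labelled
# assumptions, not measurements.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Handshake:
    name: str
    payload_bytes: int  # bytes carried in each direction (signature + cert chain)
    round_trips: int    # RTTs needed to complete the exchange


# Assumption: classic IKEv2 (IKE_SA_INIT + IKE_AUTH) completes in 2 RTTs and
# PQuAKE needs "2 extra RTTs", so 4. Sizes are the 15KB / 10KB estimates above.
ML_DSA_IKEV2 = Handshake("IKEv2 + ML-DSA", payload_bytes=15_000, round_trips=2)
PQUAKE = Handshake("PQuAKE", payload_bytes=10_000, round_trips=4)


def completion_time_s(hs: Handshake, rtt_s: float, bandwidth_bps: float) -> float:
    """Latency cost of the round trips plus serialisation of the payload
    in both directions, counted against one shared bandwidth (crude, as in the mail)."""
    bits_on_wire = 2 * 8 * hs.payload_bytes
    return hs.round_trips * rtt_s + bits_on_wire / bandwidth_bps


def break_even_bandwidth_bps(big: Handshake, small: Handshake, rtt_s: float) -> float:
    """Bandwidth at which the bigger-but-fewer-RTT exchange and the smaller-but-
    chattier one finish at the same time; above it the bigger exchange is faster."""
    extra_bits = 2 * 8 * (big.payload_bytes - small.payload_bytes)
    extra_rtts = small.round_trips - big.round_trips
    if extra_bits <= 0 or extra_rtts <= 0:
        raise ValueError("'small' must carry fewer bytes and need more round trips than 'big'")
    return extra_bits / (extra_rtts * rtt_s)


def ike_fragment_count(payload_bytes: int, fragment_payload_bytes: int = 1200) -> int:
    """Number of IKE-level fragments (RFC 7383 style) needed for a message.
    The per-fragment payload size is an assumption standing in for
    path MTU minus IP/UDP/IKE header overhead."""
    if fragment_payload_bytes <= 0:
        raise ValueError("fragment size must be positive")
    return math.ceil(payload_bytes / fragment_payload_bytes)


def delivery_probability(fragment_count: int, per_packet_loss: float) -> float:
    """Probability that every fragment arrives, assuming independent per-packet
    loss (an assumption; real loss is bursty, which is part of why fewer,
    smaller packets are not automatically a win)."""
    return (1.0 - per_packet_loss) ** fragment_count


if __name__ == "__main__":
    rtt = 0.020  # 20 ms, the "smallish RTT" used in the mail
    be = break_even_bandwidth_bps(ML_DSA_IKEV2, PQUAKE, rtt)
    print(f"break-even bandwidth: {be / 1e6:.2f} Mbps")  # 2.00 Mbps, matching the mail
    for bw in (1e6, 2e6, 10e6):
        t_big = completion_time_s(ML_DSA_IKEV2, rtt, bw)
        t_small = completion_time_s(PQUAKE, rtt, bw)
        print(f"{bw / 1e6:5.1f} Mbps: {ML_DSA_IKEV2.name} {t_big * 1e3:.1f} ms, "
              f"{PQUAKE.name} {t_small * 1e3:.1f} ms")
    for hs in (ML_DSA_IKEV2, PQUAKE):
        n = ike_fragment_count(hs.payload_bytes)
        print(f"{hs.name}: {n} fragments, "
              f"P(all arrive | 1% loss) = {delivery_probability(n, 0.01):.3f}")
```

Running it reproduces the 2 Mbps break-even from the mail and shows the sign of the difference flipping on either side of it; the fragment counts make the point that both sizes need a double-digit or near double-digit number of fragments at typical MTUs, so the argument is about how many fragments are at risk rather than whether fragmentation happens at all.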
