Re: [IPsec] How long does an IKEv1 session take to complete?
What Dan and Gregory said. But assuming an unloaded gateway, with "normal" hardware (Any Intel, AMD or PowerPC processor from the last 10 years or a recent ARM), then even if you use relatively secure parameters (2048-bit DH group, 2048-bit RSA keys) the round trip time is going to dominate. The calculations themselves take less than 20 milliseconds. So phase 1 should take about 3 round trips. On Nov 18, 2009, at 8:31 AM, wrote: > Greetings. Is there any data out there that quantifies how long a typical > IKEv1 session (main mode and/or aggressive mode) take to complete? > > Hyla smime.p7s Description: S/MIME cryptographic signature ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] How long does an IKEv1 session take to complete?
On Wed, Nov 18, 2009 at 10:00:22AM -0800, Gregory Lebovitz wrote: > Additionally it will depend on the round trip time across the network > between the two peers. Ahh, of course. > Vendors who are selling network boxes that can do a large number of > simultaneous IKE negotiations tend to care more about simultaneous IKE SA > negotiations per second than they do the actual negotiation time of any one > single negotiation. Yes, the throughput vs. latency issues. A user might care about his/her latency (0-to-IPsec times), but a server vendor (not just a VPN box, BTW -- imagine the IPsec-protected server) might care a lot more about aggregate P1s/second. Dan ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] How long does an IKEv1 session take to complete?
Additionally it will depend on the round trip time across the network between the two peers. Vendors who are selling network boxes that can do a large number of simultaneous IKE negotiations tend to care more about simultaneous IKE SA negotiations per second than they do the actual negotiation time of any one single negotiation. HTH, Gregory. On Wed, Nov 18, 2009 at 8:27 AM, Dan McDonald wrote: > On Tue, Nov 17, 2009 at 11:31:45PM -0700, hyla81...@mypacks.net wrote: > > > > Greetings. Is there any data out there that quantifies how long a typical > > IKEv1 session (main mode and/or aggressive mode) take to complete? > > I don't think anyone's done a thorough survey of implementations or > parameters they use. If anyone has, or knows of such a survey, they should > really share with this list. > > A LOT depends on what you use for your Oakley Group, your authentication > method (and the certificate key size in the case of certificates), and, of > course, the hardware upon which you run it. There's a lot of combinations > there! > > Dan > ___ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > -- IETF related email from Gregory M. Lebovitz Juniper Networks ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] How long does an IKEv1 session take to complete?
On Tue, Nov 17, 2009 at 11:31:45PM -0700, hyla81...@mypacks.net wrote: > Greetings. Is there any data out there that quantifies how long a typical > IKEv1 session (main mode and/or aggressive mode) take to complete? I don't think anyone's done a thorough survey of implementations or parameters they use. If anyone has, or knows of such a survey, they should really share with this list. A LOT depends on what you use for your Oakley Group, your authentication method (and the certificate key size in the case of certificates), and, of course, the hardware upon which you run it. There's a lot of combinations there! Dan ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
[IPsec] How long does an IKEv1 session take to complete?
Greetings. Is there any data out there that quantifies how long a typical IKEv1 session (main mode and/or aggressive mode) take to complete? Hyla ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec