> 
> Message: 3
> Date: Tue, 14 Aug 2007 23:33:22 +0200
> From: Ivar Janmaat <[EMAIL PROTECTED]>
> Subject: Re: [SunRay-Users] openvpn and sunray2fs built-in VPN client
> To: SunRay-Users mailing list <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Would it be an option to upgrade the already available arcfour 
> encryption of ALP to something more secure?
> With the newly released T2 chip we could then see "security without the 
> extra cost" on all sunray connections.
> At least when run on T2 servers ;-)
> 
> Ivar

The issue is not the encryption on the server side so much as the speed
on the Sun Ray side. ARCFOUR was the only algorithm that gave sufficient
performance for high-bandwidth use. Even so, with the Sun Ray 1, having
encryption on dropped the data throughput in half - from a maximum of
about 50 Mbps to around 25 Mbps. The difference in rendering with
encryption on was noticeable. That's much less true on the Sun Ray 2,
which does about 40 Mbps with encryption on.

We get away with supporting 3DES and AES in software for the VPN due to
the fact that we're typically running at low bandwidths, certainly under
10 Mbps. The good news is that the Alchemy chip in the Sun Ray 2
contains a crypto engine that I'm looking at using. Once we have the
hardware encryption working on the Sun Ray side, we can look at
supporting AES on a higher bandwidth connection.

I'm not sure why everybody thinks ARCFOUR is so insecure. I've read the
literature, and aside from some extreme corner cases that affect the
first 256 bytes of the code stream, there are no attacks that break the
coding. (In the Sun Ray implementation, the first 256 bytes of the
stream are thrown away.) I'm willing to be enlightened on why it's
insecure, if anybody knows. After all, we've used it as the encryption
algorithm in SSL/HTTPS for years.

Kent
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
