On Fri, Dec 30, 2005 at 12:17:08PM +0000, Brian Candler wrote:

[simultaneous negotiations]

> You could have a crypto accelerator card even in a low-end CPU.

Yep, but it doesn't help so much, for the same reasons. A crypto accelerator for IPsec traffic is really more important!

> My concern is with long network RTTs to the clients, and packet loss.
> Anything like that which slows down the exchange will block out other
> clients from negotiating, if I understand rightly.

No. Basically, racoon just processes incoming messages (from the kernel or from the network) one by one, but simultaneous SAs can be negotiated with various peers at the same time.

> With 10,000 clients and a phase 2 SA lifetime of one hour, that's a lot of
> negotiations going on, and one badly-behaved connection could cause a
> backlog of outstanding SA negotiations and probably a meltdown.

1 hour for phase 2 is "quite short" (well, it is NOT too short; lifetimes of a few minutes are too short), compared to 1 day as the default value for many vendors.

And once again, one stalled negotiation will NOT block others.

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
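The point Yvan makes above (one message processed at a time, but per-peer negotiation state, so a stalled peer stalls only its own SA) can be shown with a toy event loop. The following is an added illustration, not racoon's code and not from the thread: the state names, the 30-second exchange timeout, the `acquire`/`reply`/`tick` event kinds and the event sequence are all constructed assumptions, and the real quick-mode exchange has more steps than this model.

```python
"""Toy model of a single-threaded IKE daemon with per-peer negotiation state.

Added example (not racoon's code). Events are processed strictly one at a
time, yet a peer that never answers only ages out its own exchange; the
other peers' phase 2 SAs complete while it is still outstanding.
"""

# Simplified phase 2 states (assumption: real quick mode has more steps).
IDLE, WAIT_REPLY, ESTABLISHED, FAILED = "idle", "wait_reply", "established", "failed"


class NegotiationDaemon:
    """One event loop, one dict of per-peer state: no exchange waits on another."""

    def __init__(self, timeout=30):
        self.timeout = timeout        # seconds to wait for a peer's reply (assumed)
        self.state = {}               # peer -> negotiation state
        self.deadline = {}            # peer -> time at which the pending exchange expires
        self.messages_processed = 0

    def handle(self, event, now):
        """Process exactly one event and return immediately (never block on a peer)."""
        kind, peer = event
        self.messages_processed += 1
        if kind == "acquire":
            # Kernel asks for an SA with this peer: send the first message,
            # record that we are waiting, and go back to the loop.
            self.state[peer] = WAIT_REPLY
            self.deadline[peer] = now + self.timeout
        elif kind == "reply":
            # The peer's answer arrived; only a pending exchange can complete.
            if self.state.get(peer) == WAIT_REPLY:
                self.state[peer] = ESTABLISHED
                self.deadline.pop(peer, None)
            # Replies for unknown or already-finished exchanges are ignored.
        elif kind == "tick":
            # Periodic timer: expire every exchange whose deadline has passed.
            for p, d in list(self.deadline.items()):
                if now >= d:
                    self.state[p] = FAILED
                    del self.deadline[p]
        return self.state.get(peer)

    def run(self, events):
        """Drain a list of (time, event) pairs in order; return final per-peer states."""
        for now, event in events:
            self.handle(event, now)
        return dict(self.state)


def simulate():
    """Constructed event sequence: peers A and B answer, peer C never does."""
    events = [
        (0, ("acquire", "A")),
        (0, ("acquire", "C")),    # C sits behind a lossy, high-RTT link
        (1, ("acquire", "B")),    # B starts while C is still outstanding
        (2, ("reply", "A")),
        (3, ("reply", "B")),      # B completes although C has not replied
        (10, ("tick", None)),     # C's deadline (30 s) has not passed yet
        (40, ("tick", None)),     # now it has: only C is marked failed
    ]
    return NegotiationDaemon(timeout=30).run(events)


def rekeys_per_second(clients, lifetime_seconds):
    """Steady-state phase 2 rekey rate: the thread's 10,000 clients at a
    1 hour lifetime is about 2.8 negotiations/s; at 1 day, about 0.12/s."""
    return clients / lifetime_seconds


if __name__ == "__main__":
    print(simulate())
    print(rekeys_per_second(10_000, 3600), rekeys_per_second(10_000, 86_400))
```

The rekey-rate helper only puts numbers on the lifetime comparison in the message; the loop is the part worth reading, since it shows why "processes messages one by one" and "negotiates with many peers at once" are not in conflict: the daemon never waits for a peer inside `handle`, it just records where each exchange stands and returns.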