Hi Paul,

I don't know whether 10,000 or 20,000 users trying to connect to a VPN server around the same time, where each pair is 300 kilobytes or more, would have a noticeable impact or not. It depends on many factors, I think. One of the factors is how the server stores those data for its computations.

Let's say each pair is 0.5 megabyte; 20,000 users would be around 10G of memory/storage. So, the overall performance impact could be noticeable once in a while for some VPN networks.

Quynh.

________________________________
From: Paul Wouters <p...@nohats.ca>
Sent: Thursday, June 18, 2020 12:23 PM
To: Dang, Quynh H. (Fed) <quynh.d...@nist.gov>
Cc: Scott Fluhrer (sfluhrer) <sfluh...@cisco.com>; Panos Kampanakis (pkampana) <pkamp...@cisco.com>; Valery Smyslov <smyslov.i...@gmail.com>; 'ipsecme mailing list' <ipsec@ietf.org>
Subject: Re: [IPsec] Maximum sizes of IKEv2 messages and UDP messages ?

On Thu, 18 Jun 2020, Dang, Quynh H. (Fed) wrote:

> Hi Panos and Scott,
>
> That was exactly what I was thinking. We have been working remotely.
>
> One could have more than 300 kbytes for a pair of (public key + ciphertext
> and public key + sig). The latter public key may be replaced by a
> cert chain.
>
> The impact varies from one situation to another I think.

> Speaking as a previous IPsec implementor, the biggest concern I had over IKE
> performance was in the 'flash crowd' scenario; that is, you're an
> IPsec-based security gateway, and then suddenly everyone wanted to negotiate
> with you. This can happen if it's 8:00 AM (and everyone just
> arrived at work), or if you're a back-up gateway, and then the primary
> gateway just failed.

We have RFC 5685 REDIRECT for that. If your server becomes too busy, it can redirect new or existing clients to another gateway, provided that other gateway will authenticate itself identically to this gateway.

I don't think the key sizes really matter here. Even if computation is 2x or 3x more CPU intensive, from an "overloaded server" point of view that just means like "redirect if at 3000 clients" vs "redirect if at 2000 clients".

Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec