[166591] in North American Network Operators' Group


Re: latest Snowden docs show NSA intercepts all Google and Yahoo

daemon@ATHENA.MIT.EDU (Jimmy Hess)
Fri Nov 1 04:13:25 2013

In-Reply-To: <CAEd1pt41P8_Ny6sxjob3roMubwpowqgUoN4f=sVjuk6pL6iGFQ@mail.gmail.com>
Date: Fri, 1 Nov 2013 03:13:11 -0500
From: Jimmy Hess <mysidia@gmail.com>
To: Michael Still <mikal@stillhq.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Oct 31, 2013 at 11:26 PM, Michael Still <mikal@stillhq.com> wrote:

> [snip]
>


> It's about the CPU cost of the crypto. I was once told the number of
> CPUs required to do SSL on web search (which I have now forgotten) and
> it was a bigger number than you'd expect -- certainly hundreds.
>
So, crypto costs money at scale basically.
>

SSL Cryptography for web search is a different problem than, say,
Site-to-Site VPN encryption.

Every time a new browser connects, you have a new SSL session setup.
New SSL session setup requires public cryptography operations which impose
a significant delay, and the public key operations have an enormous CPU
cost.

So much so, that the key generation and signing operations involved in CPU
session setup are a big bottleneck, and therefore, a potential DoS risk.

For encryption of traffic between datacenters; there should be very
little session setup and teardown (very few public key operations);
almost all the crypto load would be symmetric cryptography.


No doubt, there still must be some cost in terms of crypto processors
required to achieve encryption of all the traffic on 100-gigabit links
between datacenters; it's always something, after all.

> Cheers,
> Michael



-- 
-JH
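As an added illustration (not part of the post or of any NANOG project), a small capacity model that separates the per-connection public-key cost of session setup from the per-byte symmetric cost of bulk encryption, for a search-style workload versus a site-to-site link. It goes one step beyond the post by including session resumption (abbreviated handshakes with no public-key operation) as a parameter; all per-core throughput figures are constructed placeholders, to be replaced by measurements from your own hardware.

```python
"""Toy capacity model: handshake-bound vs bulk-bound crypto load.
Per-core figures are constructed placeholders, not measurements."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CoreBudget:
    # Assumed per-core throughput; measure real values (e.g. `openssl speed`).
    pk_ops_per_sec: float = 1500.0   # RSA-2048 private-key ops per core (assumed)
    sym_bytes_per_sec: float = 2e9   # AES-GCM bulk throughput per core (assumed)


def cores_for_workload(new_conns_per_sec, bits_per_sec,
                       resumption_ratio=0.0, budget=CoreBudget()):
    """Return (cores_for_handshakes, cores_for_bulk_crypto).

    new_conns_per_sec: incoming connection rate.
    bits_per_sec:      payload rate carried over the encrypted sessions.
    resumption_ratio:  fraction of connections served by session resumption,
                       which skips the public-key operation entirely.
    """
    if not 0.0 <= resumption_ratio <= 1.0:
        raise ValueError("resumption_ratio must be between 0 and 1")
    # Only full handshakes pay the public-key cost.
    full_handshakes = new_conns_per_sec * (1.0 - resumption_ratio)
    handshake_cores = full_handshakes / budget.pk_ops_per_sec
    # Bulk cost scales with bytes, not with connection count.
    bulk_cores = (bits_per_sec / 8.0) / budget.sym_bytes_per_sec
    return handshake_cores, bulk_cores


def dominant_cost(new_conns_per_sec, bits_per_sec, resumption_ratio=0.0):
    """Name the term that dominates CPU demand for this workload."""
    hs, bulk = cores_for_workload(new_conns_per_sec, bits_per_sec, resumption_ratio)
    return "handshake" if hs > bulk else "bulk"


if __name__ == "__main__":
    # Constructed scenarios: many short browser sessions vs. a few long tunnels.
    scenarios = {
        "web search (200k conns/s, 10 Gbit/s)": (200_000, 10e9, 0.0),
        "web search with 80% resumption": (200_000, 10e9, 0.8),
        "site-to-site (10 conns/s, 100 Gbit/s)": (10, 100e9, 0.0),
    }
    for name, (conns, bps, resume) in scenarios.items():
        hs, bulk = cores_for_workload(conns, bps, resume)
        print(f"{name}: handshake={hs:.2f} cores, bulk={bulk:.2f} cores, "
              f"dominant={dominant_cost(conns, bps, resume)}")
```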
