[55946] in North American Network Operators' Group
Re: VoIP over IPsec
daemon@ATHENA.MIT.EDU (Vadim Antonov)
Tue Feb 18 18:52:25 2003
Date: Tue, 18 Feb 2003 15:51:38 -0800 (PST)
From: Vadim Antonov <avg@kotovnik.com>
To: Stephen Sprunk <stephen@sprunk.org>
Cc: nanog@merit.edu
In-Reply-To: <000d01c2d781$aa1f0d70$93b58742@ssprunk>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 18 Feb 2003, Stephen Sprunk wrote:
> > It also allows precomputation of the key stream, adding nearly zero
> > latency/jitter to the actual packet processing.
>
> You fail to note that this requires precomputing and storing a keystream for
> every SA on the encrypting device, which often number in the thousands.
> This isn't feasible in a software implementation, and it's unnecessary in
> hardware.
You don't have to store the entire keystream, just enough to allow
on-the-fly packet processing. Besides, memory is cheap. 100 msec buffers
for 100,000 simultaneous voice connections is an astonishing 80 Mb.
More realistically, it's 10k calls and 30 msec of buffering.
--vadim
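
An added example, not part of the original message: a per-SA keystream buffer that is refilled off the packet path so the per-packet work is only an XOR, plus the buffer-sizing arithmetic. Assumptions: a 64 kbit/s voice stream (the message gives no codec rate), HMAC-SHA256 over a counter standing in for a counter-mode block cipher, and one continuous keystream per SA with no per-packet IV or loss handling; all names are hypothetical.

```python
import hashlib
import hmac

BLOCK = 32  # keystream bytes per PRF call (SHA-256 digest size)

def buffer_bytes(bitrate_bps: int, buffer_ms: int) -> int:
    """Keystream bytes needed to cover buffer_ms of one stream."""
    return bitrate_bps // 8 * buffer_ms // 1000

class KeystreamBuffer:
    """Bounded look-ahead keystream for a single SA (hypothetical design)."""

    def __init__(self, key: bytes, capacity: int):
        self.key = key
        self.capacity = capacity   # max bytes of keystream held ahead
        self.counter = 0           # next counter value to encrypt
        self.buf = bytearray()
        self.late_blocks = 0       # blocks generated on the packet path

    def _next_block(self) -> bytes:
        # Stand-in PRF (assumption): a real SA would run AES in counter mode.
        ctr = self.counter.to_bytes(16, "big")
        self.counter += 1
        return hmac.new(self.key, ctr, hashlib.sha256).digest()

    def refill(self) -> int:
        """Run in idle time, off the packet path; returns bytes generated."""
        made = 0
        while len(self.buf) + BLOCK <= self.capacity:
            self.buf += self._next_block()
            made += BLOCK
        return made

    def process(self, packet: bytes) -> bytes:
        """Packet path: XOR only, unless the buffer has underrun."""
        while len(self.buf) < len(packet):
            self.late_blocks += 1          # underrun: latency is paid here
            self.buf += self._next_block()
        ks = bytes(self.buf[:len(packet)])
        del self.buf[:len(packet)]
        return bytes(p ^ k for p, k in zip(packet, ks))

def total_memory(calls: int, bitrate_bps: int, buffer_ms: int) -> int:
    """Aggregate keystream memory across all simultaneous calls."""
    return calls * buffer_bytes(bitrate_bps, buffer_ms)
```

At the assumed 64 kbit/s, `total_memory(100_000, 64_000, 100)` is 80,000,000 bytes and `total_memory(10_000, 64_000, 30)` is 2,400,000 bytes.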