
Performance and Code Size

SA negotiation is very CPU-intensive. In main and aggressive mode there is always a Diffie-Hellman exponentiation and, depending on the authentication method, sometimes RSA or DSS signature operations, which are fairly expensive in terms of CPU processing. In quick mode, the DH exponentiation is optional but recommended; that exponentiation is what provides "Perfect Forward Secrecy." Some sample timings can be found in figure 4.
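As an added illustration (not code from isakmpd or from this paper), the Python sketch below simulates both peers of a quick mode exchange with and without the optional DH exponentiation, using the KEYMAT derivation of RFC 2409 section 5.5, and times the extra work. HMAC-SHA1 as the prf, Oakley group 2, 256-bit exponents, and all function names are assumptions made for the example.

```python
import hashlib, hmac, secrets, time

# Oakley group 2 (1024-bit MODP) prime and generator, RFC 2409 section 6.2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1, assumed here as the negotiated prf."""
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, proto, spi, ni, nr, dh_secret=None):
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    shared = b"" if dh_secret is None else dh_secret.to_bytes(128, "big")
    return prf(skeyid_d, shared + bytes([proto]) + spi + ni + nr)

def quick_mode(skeyid_d, pfs):
    """Simulate both peers of one exchange; returns (wire, keymat, seconds).
    `wire` holds only the values carried in the exchange itself."""
    ni, nr, spi = (secrets.token_bytes(n) for n in (16, 16, 4))
    wire = {"proto": 3, "spi": spi, "ni": ni, "nr": nr}  # 3 = ESP in the IPsec DOI
    secret, start = None, time.perf_counter()
    if pfs:
        x, y = secrets.randbits(256), secrets.randbits(256)  # ephemeral exponents
        wire["gx"], wire["gy"] = pow(G, x, P), pow(G, y, P)  # KE payload values
        secret = pow(wire["gy"], x, P)                       # initiator's g^xy
        assert secret == pow(wire["gx"], y, P)               # responder agrees
    elapsed = time.perf_counter() - start
    return wire, keymat(skeyid_d, 3, spi, ni, nr, secret), elapsed

def derivable_without_dh(skeyid_d, wire):
    """Key material computable from SKEYID_d plus the exchanged values alone."""
    return keymat(skeyid_d, wire["proto"], wire["spi"], wire["ni"], wire["nr"])

if __name__ == "__main__":
    skeyid_d = secrets.token_bytes(20)  # constructed stand-in for phase 1 state
    for pfs in (False, True):
        wire, km, secs = quick_mode(skeyid_d, pfs)
        tied = derivable_without_dh(skeyid_d, wire) == km
        print(f"pfs={pfs}: keys tied to SKEYID_d alone={tied}, DH cost={secs*1e3:.2f} ms")
```

Without the exponentiation, every quick mode key is a function of SKEYID_d and values carried in the exchange; with it, the key also depends on exponents that are discarded after use, which is the protection the CPU time buys.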

In its current state, isakmpd consists of roughly 36,000 lines of code, almost all of it in C. Of these, 4,000 are the platform-dependent parts and 2,500 are regression testing. The total includes commentary, which we have at least tried to be fairly generous with: security protocol implementations need to be auditable, and readability is therefore an important aspect. The static memory footprint for i386 is approximately 950KB for a full-blown version and 300KB for a trimmed-down version with support only for mandatory ciphers, exchanges, groups, and authentication methods (no debugging or refined policy handling is included in the trimmed-down version).



Angelos D. Keromytis
4/20/2000