Re: pf_key comments

[Dennis Glatting <dennis.glatting@plaintalk.bellevue.wa.us>]

> > > I am looking into implementing PF_KEY and I have some comments on this too:
> > >
> > > 1. I like the idea of sending the IV down from an application.  I think
> > > that an application is a reasonable place to do the random number
> > > generation because
> >
> > Its completely unreasonable to send the IV from the
> > application. Since IVs have to be sent on every packet, that
> > would mean you would need to do a PF_KEY operation on every
> > packet. This is not going to be feasible.
> >
>
> There is no need to do an operation for every packet. The kernel
> could ask for a block of random data and use it as it wishes.
>

However, if we assume a 100mbs ethernet link ~85% efficient and
1024 byte packets (and enough CPU juice to handle that data :),
that's ~10k packets per second. Using 8 bytes of random IV for
each packet the kernel will require ~80k of random IV per
second.

It seems unreasonable for the kernel to acquire that amount of
data from a user level process each second; however, I wonder
whether pseudo random data generators can produce that amount
of data at that rate too. If not, then pseudo random IV is useful
for slow packet rates in which case it may be reasonable for the
kernel to request random data from a user level process.


-dpg