ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Andrew Gierth andrew at erlenstar.demon.co.uk
Fri Dec 20 09:41:24 PST 2002


>>>>> "Rob" == Rob Siemborski <rjs3 at andrew.cmu.edu> writes:

 Rob> Additionally, since both the DSS SASL mechanism and TLS require
 Rob> the expense of a public key operation to set up, and once the
 Rob> overhead of that is done with, the continued expense of
 Rob> encrypting the traffic isn't that high, I don't think you are
 Rob> saving much by avoiding the relative simplicity of TLS/PLAIN.

I can offload the authentication exchange, but keeping the connection
encrypted after that means more work for the frontend systems.

Oh, and encrypting the whole session plays hell with the throughput for
dialup users (who, thanks to shared/leased dialup pools, are the ones
most likely to be required to authenticate).

 Rob> I mean, is it really worth the expense of the public key
 Rob> operation if you're just going to encrypt the 5-10 bytes of the
 Rob> password?  If it is, it's probably worth it to just buy a TLS
 Rob> accelerator card, encrypt the whole connection, and be done with
 Rob> it.

I'm not finding hard info on throughput of accelerators, but sales
blurbs saying things like "can completely fill a 100Mbps network link"
tell me that they are not playing in the right league - I wasn't
kidding about measuring traffic in gigabits.

-- 
Andrew.
