On Tue, 21 Sep 2004 21:14:21 -0400
Benjamin LaHaise <bcrl@xxxxxxxxx> wrote:
> On Wed, Sep 22, 2004 at 09:07:06AM +1000, Herbert Xu wrote:
> > Benjamin LaHaise <bcrl@xxxxxxxxx> wrote:
> > >
> > >> - Unlikely to integrate with the new native IPSEC stuff.
> > >
> > > L2TP over IPSEC? Are you insane? You'd not be able to terminate more
> > > than a couple of dozen connections over it. =-)
> > Why not? L2TP over IPsec is the only reason I'm looking at L2TP at all.
> CPU load. The main reason I was forced to revisit L2TP (imo, it's a
> horrible protocol that suffers from too many bad decisions) was in its
> role for terminating DSL. In this case one expects to be able to have
> tens of thousands of connections terminated by a single box, which
> means pushing hundreds of megabits of traffic. The overhead of crypto
> operations in such a scenario makes it a far too costly choice.
I've heard of usage of both types described by Herbert and yourself,
and both are valid.
Therefore it's great that your scheme scales so well, Ben, but it
has to support IPSEC properly as well.