latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic

Jimmy Hess mysidia at
Fri Nov 1 08:13:11 UTC 2013

On Thu, Oct 31, 2013 at 11:26 PM, Michael Still <mikal at> wrote:

> [snip]

> Its about the CPU cost of the crypto. I was once told the number of
> CPUs required to do SSL on web search (which I have now forgotten) and
> it was a bigger number than you'd expect -- certainly hundreds.
So, crypto costs money at scale basically.

SSL Cryptography for web search is a different problem than, say
 Site-to-Site VPN encryption.

Every time a new browser connects, you have a new SSL session setup.
New SSL session setup requires  public cryptography operations which impose
a significant delay, and the public key operations have an enormous CPU

So much so,  that the key generation and signing operations involved in CPU
session setup are a big bottleneck, and therefore, a potential DoS risk.

For encryption of traffic between datacenters;    There should be very
little session setup and teardown  (very few public key operations);
 almost all the crypto load would be symmetric cryptography.

No doubt, there still  must be some cost in terms of crypto processors
required to achieve encryption of all the traffic on 100-gigabit links
 between datacenters;  it's always something, after all.

> Cheers,
> Michael


More information about the NANOG mailing list