
Re: swIPe comments



Perry,

	When IPSP is used between two routers, I have that the SAID
would identify the associations between these two points, not based on
the addresses of the ultimate source and destination end systems.
Between a couple of large organization nets, this could amount to
quite a few associations, depending on the granularity at which
associations are otherwise managed.  For multiply-homed nets, if
multiple devices implement IPSP and they are configured to be
"equivalent" (to allow for any device to process any packet), there
would be a need to avoid collisions in the SAID space, and that would
argue for not too tight a space.  Also, for multicast support, one
might want to carve out a portion of the space, since multicast SAIDs
need to be unique across a broader set of endpoints.  In the IEEE
802.10B protocol, they devote a bit to marking multicast SAIDs, which
takes away 1/2 the space.  Given these observations, 16 bits of SAID
might not be enough.

	As for sequence numbers, in an ATM environment, one can move a
lot of packets in a hurry.  At the other end of the spectrum, if two
large organization nets want to establish a single, encrypted tunnel
between them, then the volume of traffic might be pretty significant
at ATM speeds.  With small, e.g., about 100 bytes, IP packets, one can
go through a 32 bit sequence number space in about 2 hours using a
620Mb/s access line.  If we are confident that key changeover will be
smooth, 32 bits may be adequate, but if we want to limit changeover
because of possible disruption to the association, then a bigger
sequence number may be required.  I just want to make sure that we
make these decisions with a clear understanding of the implications.

	As for sequence number management, I think it would be good to
specify a sliding window on a per-association basis, within which
packets are accepted.  A bit map and sequence number counters can be
used to manage the window, to prevent replays.  The window size and
the sequence number size would be negotiated parameters at association
establishment, perhaps with enumerated options for both.  Use of no
sequence numbers also should be a valid option.

	I also think we should consider requiring that all
IPSP-protected packets be sent with the DNF bit set, to avoid a range
of nasty denial of service attacks.  This would require the IPSP
implementation to employ MTU discovery, and to pass the info along to
hosts behind an IPSP router implementation.  

Steve
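An added example, not from Steve's message nor from any IPSP or swIPe implementation, of the per-association sliding window he proposes: a bitmap plus a highest-sequence-number counter decide whether an arriving packet is new, late but new, or a replay. Window size is treated as the negotiated parameter it would be, assumed here to be at most 64 so the bitmap fits one 64-bit word, and sequence numbers are assumed not to wrap before the association is rekeyed; a small helper also reproduces the exhaustion arithmetic from the paragraph on 32-bit sequence numbers at ATM speed.

```c
#include <stdint.h>
#include <stdbool.h>

/* Per-association anti-replay state (assumed layout, not a wire format). */
typedef struct {
    uint32_t window;    /* W: sequence numbers tracked behind the edge, 1..64 */
    uint32_t highest;   /* highest sequence number accepted so far */
    uint64_t bitmap;    /* bit i set => (highest - i) already accepted */
    bool     seen_any;  /* false until the first packet is accepted */
} replay_state;

void replay_init(replay_state *st, uint32_t window) {
    st->window = window; st->highest = 0; st->bitmap = 0; st->seen_any = false;
}

/* Returns true and records seq if it is new and inside the window;
 * returns false (drop) if it is a duplicate or older than the window. */
bool replay_check(replay_state *st, uint32_t seq) {
    if (!st->seen_any) {                  /* first packet on the association */
        st->seen_any = true; st->highest = seq; st->bitmap = 1; return true;
    }
    if (seq > st->highest) {              /* advances the right edge of the window */
        uint32_t shift = seq - st->highest;
        st->bitmap = (shift >= 64) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1; st->highest = seq; return true;
    }
    uint32_t diff = st->highest - seq;    /* seq <= highest here */
    if (diff >= st->window) return false; /* too old: left of the window */
    uint64_t bit = (uint64_t)1 << diff;
    if (st->bitmap & bit) return false;   /* already accepted: replay */
    st->bitmap |= bit; return true;       /* late but new: accept and record */
}

/* Seconds until a seq_bits-wide counter wraps when sending back-to-back
 * packets of pkt_bytes over a line of line_bps bits/s (the message's
 * 32-bit, ~100-byte, 620 Mb/s case gives roughly an hour and a half). */
double seconds_to_wrap(unsigned seq_bits, double pkt_bytes, double line_bps) {
    double packets = 1.0;
    for (unsigned i = 0; i < seq_bits; i++) packets *= 2.0;
    return packets * pkt_bytes * 8.0 / line_bps;
}
```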