
Re: Status of IPSEC Key Management



Bill Sommerfeld wrote:
> For those of you closer to the bleeding edge, I have this funny
> feeling that IP+ESP+TCP will fit in 2 ATM cells, but IP+SKIP+ESP+TCP
> won't.  [What's the per-IP-packet ATM framing overhead?  It's got to
> be more than 8 bytes as I thought that a 40-byte minimal IP+TCP packet
> doesn't fit in a single 48-byte cell]

AFAIK a minimal TCP packet fits into a cell of 48 bytes. Just add another 4
bytes overhead for the AAL5 trailer, and you will have 4 bytes of payload
left.

IP+ESP(encryption only)+TCP fits into two ATM cells, but as soon as you add 
authentication, it will not fit anymore. (Assuming e.g. RFC1829 ESP is of
length 16) The typical SKIP header has a length of 20 bytes. So you are
certainly right, 3 cells are needed for the minimal SKIP+ESP TCP packet. 

But then, if you are going to use ATM, you do not care very much about this
issue. If you have low bandwidth sparse traffic, the establishment of the VC
will cost you much more than sending 2 or 3 or 10 cells. If you have high
volume traffic, you do not care much about the +20 bytes per e.g. 4kB AAL5
frame you are sending out.


Oh yes, in an earlier mail you raised the issue of header compression.
Certainly this is a viable approach to 'save' the inband keying information,
and I agree fully that it might be nice to have. This is an optional add-on
that has been extensively discussed... But then, at the moment it is not of
paramount importance. It is an optional mode of operation that can be
explored later. 

My 2 cents worth

   Germano

