
Re: Comments on draft-ietf-ipsec-new-auth-00.txt



> From: Stephen Kent <kent@bbn.com>
> 
> 	As for the optional nature of the AR counter, I'm quite happy to
> make it a permanent field if that's what the WG wants, but as the I-D points
> out, this will result in an extra 4 bytes of overhead for IPv4.  Given that
> some folks have produced ESP drafts that employ implicit IVs specifically
> to reduce per-packet transmission overhead in the 4-8 byte range, it seems
> a bit inconsistent to mandate this 4 byte field.
> 
> 	I have also heard that there was some concern expressed over the
> issue of making anti-replay optional, because of the overhead of
> negotiating this security service, especially in terms of window size
> negotiation.  I've had some private communication with folks immediately
> preceding the meeting, and one suggestion that arose was making a window
> size of 32 the default, if AR is negotiated.  One might eliminate the need
> to negotiate a window size at all if this default were considered adequate,
> and the receiver were free to implement a larger window as a local option.
> This would simplify the negotiation process, and allow it to be expressed
> as just a compound "transform" along with the algorithm negotiation.  That
> would require no additional ISAKMP messages and thus should not raise
> objections re added negotiation complexity.


Perhaps I am missing something important, but I've never understood the
justification for negotiating replay window sizes.

Replay window size is entirely a property of the receiver, no?  Does the
transmitter do anything different with a window size of 32 than it would
with a window size of, say, 128?  If there is no difference in the bits
on the wire, why do window size negotiation at all?

Your point about replay yes/no negotiation is well taken - it seems
inconsistent to mandate 4 bytes of AR overhead while negotiating IVs to
save 4-8 bytes.  Nonetheless, I think Cheryl's suggestion towards the
end of the first IPSEC session has great merit:  never negotiate AR,
always transmit the AR counter, then the receiver can unilaterally decide
whether or not to do AR, and if so, what window size to use.  That is
the ultimate in simplicity, and it gets my vote^H^H^H^H straw poll ballot.


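As an added illustration of the point made above (this is example code, not part of this message or of the draft): a receiver-side anti-replay check in the style of the sequence-space window later written up in RFC 2401, where the window size is purely local receiver state. The same transmitted sequence stream is fed to a 32-packet and a 128-packet receiver; the sender side is identical in both cases. Names, structure layout and the sample arrival order are my own constructions.

```c
/* Receiver-side anti-replay window for 32-bit sequence numbers (no extended sequence numbers). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AR_MAX_WINDOW 256u   /* upper bound on the receiver's locally chosen window */

typedef struct {
    uint32_t window;               /* window size in packets: a purely local receiver choice */
    uint32_t highest;              /* highest sequence number accepted so far (right edge) */
    uint32_t slot[AR_MAX_WINDOW];  /* slot[seq % window] == seq iff that seq was accepted */
} ar_state;

static void ar_init(ar_state *s, uint32_t window) {
    memset(s, 0, sizeof *s);
    s->window = (window == 0 || window > AR_MAX_WINDOW) ? AR_MAX_WINDOW : window;
}

/* Returns true and records seq if the packet is fresh; false if it is a replay or has
   fallen off the left edge of the window.  In a real receiver this runs only after the
   integrity check has passed, so a forged sequence number cannot advance the window. */
static bool ar_check_and_update(ar_state *s, uint32_t seq) {
    if (seq == 0) return false;                    /* sequence numbers start at 1 */
    if (seq > s->highest) {                        /* new right edge: the window slides forward */
        s->highest = seq;
    } else if (s->highest - seq >= s->window) {    /* left of the window: too old to judge */
        return false;
    } else if (s->slot[seq % s->window] == seq) {  /* inside the window and already seen */
        return false;
    }
    s->slot[seq % s->window] = seq;                /* stale entries for other seqs are harmless */
    return true;
}

/* Constructed arrival order: in-order burst, a jump, a packet arriving 50 behind, then a replay.
   Returns how many packets a receiver with the given window accepts. */
static int demo_window(uint32_t window) {
    static const uint32_t stream[] = {1, 2, 3, 100, 101, 51, 101};
    ar_state s;
    ar_init(&s, window);
    int accepted = 0;
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        accepted += ar_check_and_update(&s, stream[i]) ? 1 : 0;
    return accepted;
}

int main(void) {
    printf("window 32:  %d accepted\n", demo_window(32));   /* 51 is too old, second 101 is a replay */
    printf("window 128: %d accepted\n", demo_window(128));  /* 51 is still inside the window */
    return 0;
}
```

The sender emitted the same seven packets in both runs; only the receiver's local window decided whether the late packet 51 was accepted, while the replayed 101 was rejected either way.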