
Re: Comments on draft-ietf-ipsec-new-auth-00.txt



Dave,

	You raise two points that I'll address separately:

	- it is true that the AR window protects the receiver, and imposes
no changes in how the sender operates.  However, I think that the use or
non-use of AR is of interest to the sender.  If communication
performance problems arise between two IPSEC sites, one reason might be the
rejection of some number of packets due to the size of the AR and the
out-of-order delivery characteristics associated with the path.  Certainly,
if a default window size of 1 were adopted (as had been suggested), there
would be a significant opportunity for such behavior.  However, if the use
of AR is purely at the discretion of the receiver, I have no way of knowing
if that might be a problem, if I am troubleshooting the problem from the
sender's end.  So, at a minimum, I'd like to know if AR is a characteristic
of each SA.

	With a minimum window size of 32, excessive packet rejection
(leading to performance problems) seems unlikely, but it may not be
impossible for paths with long delay pipes.  If I were responsible for the
management of the sending end of the IPSEC SA being affected, I'd like to
be able to determine the window size in use by the receiver.  If the window
size in use by the receiver was merely reported as a side effect of SA
establishment (vs. being negotiated) that would suffice.  However, this
seemed less in keeping with the general SA parameter management philosophy
we've adopted.  Also, the sender may have more knowledge about the nature
of the application using the SA and, if source routing is employed, may
know more about the path being used, and hence may be better equipped to
suggest an appropriate window size, i.e., one that is less likely to
experience problems due to substantial out-of-order arrivals.  Maybe that's
pushing the point, but it would argue for sender input into a window size
negotiation.

	Yes, always carrying the field, and always maintaining the counter
and letting the receiver decide whether to pay attention is the simplest
approach in some respects.  But leaving the sender not knowing the security
characteristics of an SA is bothersome.  It also suggests that conformance
testing is hard (or maybe just useless?), as any behavior by the receiver
would appear to be OK re AR!


Steve
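
Added example, not part of the original message or of the draft: a receiver-side sliding-window anti-replay check run over a constructed out-of-order arrival sequence, showing how many packets a window of 1 rejects compared with a window of 32. The struct, the function names and the 64-bit bitmap are assumptions made for illustration, and sequence-number rollover is not handled.

```c
#include <stdint.h>
#include <stdio.h>

/* Receiver-side AR state for one SA (illustrative; no sequence rollover). */
struct ar_state {
    uint32_t top;     /* highest sequence number accepted so far */
    uint64_t bitmap;  /* bit i set => sequence (top - i) already seen */
    unsigned window;  /* window size in packets, 1..64 */
};

/* Returns 1 if the packet is accepted, 0 if it is too old or a duplicate. */
int ar_check_and_update(struct ar_state *s, uint32_t seq)
{
    if (seq == 0) return 0;              /* sender's counter starts at 1 */
    if (seq > s->top) {                  /* new right edge: slide the window */
        uint32_t shift = seq - s->top;
        s->bitmap = ((shift < 64) ? (s->bitmap << shift) : 0) | 1;
        s->top = seq;
        return 1;
    }
    uint32_t off = s->top - seq;         /* distance behind the right edge */
    if (off >= s->window || off >= 64) return 0;   /* left of the window */
    if (s->bitmap & ((uint64_t)1 << off)) return 0; /* already seen: replay */
    s->bitmap |= (uint64_t)1 << off;
    return 1;
}

/* Count rejected packets for one arrival order under a given window size. */
unsigned ar_count_rejected(const uint32_t *arrivals, size_t n, unsigned window)
{
    struct ar_state s = { 0, 0, window };
    unsigned rejected = 0;
    for (size_t i = 0; i < n; i++)
        rejected += !ar_check_and_update(&s, arrivals[i]);
    return rejected;
}

/* Constructed arrival order: mild reordering, then a replay of packet 5. */
static const uint32_t SAMPLE[] = { 1, 2, 4, 3, 5, 8, 6, 7, 9, 5 };
unsigned sample_rejected(unsigned window)
{
    return ar_count_rejected(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], window);
}

int main(void)
{
    printf("rejected: w=1 %u, w=32 %u\n", sample_rejected(1), sample_rejected(32));
    return 0;
}
```

With a window of 1 the three legitimately reordered packets are dropped along with the replay; with a window of 32 only the replay is dropped. Nothing in this check is visible to the sender.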



