Re: ESP revisions straw poll
Angelos and Pau,
As I mentioned in my message, the most obvious appropriate use of
ESP w/o encryption is in tunnel mode, where authentication of the outer IP
addresses does not appear to be critical. This is a common scenario for
VPNs, and might be used in conjunction with a transport mode encrypted ESP,
in nested fashion, e.g., to provide security to a server or desktop behind
the firewall.
As for the performance concern, we disagree. We are implementing
ESP without encryption, in tunnel mode, for inter-router authentication and
our analysis suggested that this was preferable to AH in tunnel mode.
While I agree with Pau's observation that the greatest gain in a software
implementation is to be had in better hash algorithm implementations, there
is still the issue of the additional hit due to header copying. Also, I
have been approached by some folks who are looking to implement ESP in
hardware (e.g., outboard of a supercomputer). The selective authentication
characteristics of AH make that hard, while the ESP pure encapsulation
design is amenable to efficient DMA processing.
Steve
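The following is an added illustration of the two points in Steve's message (that ESP without encryption in tunnel mode does not authenticate the outer IP addresses, and that AH's ICV forces a scrubbed copy of the outer header while ESP's ICV covers one contiguous region). It is example code written for this page, not code from the message, from BBN, or from any IPsec draft. Assumptions that are mine rather than the message's: HMAC-SHA1-96 as the integrity algorithm, IPv4 outer headers with no options, a zeroed IP checksum, and the constructed key and inner packet below.

```python
"""Added example (not part of the original message): ICV scope of AH in
tunnel mode versus ESP-without-encryption (NULL ESP) in tunnel mode.

Assumptions made here, not stated in the message: HMAC-SHA1-96 per RFC 2404,
IPv4 outer headers without options, IP checksum left at zero, and the
constructed key / inner packet below.
"""
import hashlib
import hmac
import struct

KEY = b"\x0b" * 20            # constructed test key, not a real one
ICV_LEN = 12                  # HMAC-SHA1-96: 160-bit MAC truncated to 96 bits
IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_AH = 4, 50, 51


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int,
                ttl: int = 64, tos: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum is left as 0 here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234,
                       0x4000, ttl, proto, 0, src, dst)


def ah_scrub_outer(hdr: bytes) -> bytes:
    """Copy of the outer IPv4 header with the RFC 2402 mutable fields zeroed
    (TOS, flags/fragment offset, TTL, header checksum).  This copy-and-zero
    step is the extra 'header copying' cost the message refers to."""
    h = bytearray(hdr)
    h[1] = 0              # TOS
    h[6:8] = b"\0\0"      # flags + fragment offset
    h[8] = 0              # TTL
    h[10:12] = b"\0\0"    # header checksum
    return bytes(h)


def ah_tunnel(inner: bytes, src: bytes, dst: bytes, spi: int, seq: int) -> bytes:
    """Outer IP | AH | inner packet.  The ICV spans the scrubbed outer header,
    the AH header (with its own ICV field zeroed) and the inner packet."""
    ah_len_words = (12 + ICV_LEN) // 4 - 2       # AH 'payload length' field
    ah_fixed = struct.pack("!BBHII", IPPROTO_IPIP, ah_len_words, 0, spi, seq)
    outer = ipv4_header(src, dst, IPPROTO_AH, len(ah_fixed) + ICV_LEN + len(inner))
    icv = hmac_sha1_96(KEY, ah_scrub_outer(outer) + ah_fixed + b"\0" * ICV_LEN + inner)
    return outer + ah_fixed + icv + inner


def esp_null_tunnel(inner: bytes, src: bytes, dst: bytes, spi: int, seq: int) -> bytes:
    """Outer IP | ESP header | inner packet | padding | pad len | next hdr | ICV.
    With no encryption the payload goes out as-is; the ICV covers only the
    contiguous ESP header, payload and trailer, never the outer IP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    body = esp_hdr + inner + trailer
    outer = ipv4_header(src, dst, IPPROTO_ESP, len(body) + ICV_LEN)
    return outer + body + hmac_sha1_96(KEY, body)


def verify_ah_tunnel(pkt: bytes) -> bool:
    outer, rest = pkt[:20], pkt[20:]
    ah_fixed, icv, inner = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    expected = hmac_sha1_96(KEY, ah_scrub_outer(outer) + ah_fixed + b"\0" * ICV_LEN + inner)
    return hmac.compare_digest(icv, expected)


def verify_esp_null_tunnel(pkt: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac_sha1_96(KEY, body))


def tamper(pkt: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite bytes in transit, as a router (TTL) or a rewriting box (dst) would."""
    return pkt[:offset] + new + pkt[offset + len(new):]


def demo() -> dict:
    # Constructed inner packet: 10.0.0.1 -> 10.0.0.2, protocol 17, 8 bytes of payload.
    inner = ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 17, 8) + b"\x00" * 8
    src, dst = b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02"   # outer 192.0.2.1 -> 192.0.2.2
    ah = ah_tunnel(inner, src, dst, 0x100, 1)
    esp = esp_null_tunnel(inner, src, dst, 0x200, 1)
    return {
        "ah_ok": verify_ah_tunnel(ah),
        "esp_ok": verify_esp_null_tunnel(esp),
        # TTL decrement (outer byte 8) must leave both ICVs valid.
        "ah_after_ttl": verify_ah_tunnel(tamper(ah, 8, b"\x3f")),
        "esp_after_ttl": verify_esp_null_tunnel(tamper(esp, 8, b"\x3f")),
        # Outer destination rewritten (bytes 16..19): only AH detects it.
        "ah_after_dst": verify_ah_tunnel(tamper(ah, 16, b"\xc0\x00\x02\x63")),
        "esp_after_dst": verify_esp_null_tunnel(tamper(esp, 16, b"\xc0\x00\x02\x63")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Read the two ICV inputs side by side: esp_null_tunnel hashes one contiguous run of bytes that is already in its final on-the-wire form, which is what makes it friendly to a DMA-driven outboard implementation, whereas ah_tunnel has to materialize a scrubbed copy of the outer header first. The dst-rewrite case is the flip side of the message's point: ESP-without-encryption in tunnel mode leaves the outer addresses unauthenticated, which the message argues is acceptable for the VPN and inter-router cases it describes.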