
Re: ESP revisions straw poll



Angelos and Pau,

	As I mentioned in my message, the most obvious appropriate use of
ESP w/o encryption is in tunnel mode, where authentication of the outer IP
addresses does not appear to be critical.  This is a common scenario for
VPNs, and might be used in conjunction with a transport mode encrypted ESP,
in nested fashion, e.g., to provide security to a server or desktop behind
the firewall.

	As for the performance concern, we disagree.  We are implementing
ESP without encryption, in tunnel mode, for inter-router authentication and
our analysis suggested that this was preferable to AH in tunnel mode.
While I agree with Pau's observation that the greatest gain in a software
implementation is to be had in better hash algorithm implementations, there
is still the issue of the additional hit due to header copying.  Also, I
have been approached by some folks who are looking to implement ESP in
hardware (e.g., outboard of a supercomputer).  The selective authentication
characteristics of AH make that hard, while the ESP pure encapsulation
design is amenable to efficient DMA processing.

Steve
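To make the coverage difference Steve is weighing concrete, here is an added Python illustration; it is not part of the original message and not code from any IPsec implementation. It assumes the integrity coverage of the ESP and AH specifications of the time: an ESP-NULL tunnel-mode ICV covers the ESP header, the encapsulated inner packet and the ESP trailer but not the outer IP header, while the AH ICV also covers the outer IP header with its mutable fields zeroed and the AH ICV field itself hashed as zeros. HMAC-SHA1-96, the key, the SPIs, the inner datagram and the addresses are all constructed for the example.

```python
import hmac
import hashlib
import socket
import struct

# Constructed 20-byte authentication key; a real SA would negotiate its own.
KEY = bytes(range(20))
ICV_LEN = 12  # HMAC-SHA1-96 truncates the 160-bit tag to 96 bits


def _checksum(data):
    """Standard ones'-complement IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0, ident=0x1234):
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def icv(covered):
    """HMAC-SHA1-96 over the bytes an SA's integrity check protects."""
    return hmac.new(KEY, covered, hashlib.sha1).digest()[:ICV_LEN]


# --- ESP with NULL encryption, tunnel mode (outer protocol 50) ---

def build_esp_null_tunnel(inner, src, dst, spi, seq):
    """ICV covers ESP header + inner packet + trailer; the outer IP header is NOT covered."""
    pad_len = (-(len(inner) + 2)) % 4  # pad-length and next-header must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # next header 4 = IP-in-IP
    covered = struct.pack("!II", spi, seq) + inner + trailer
    esp = covered + icv(covered)
    return ipv4_header(src, dst, 50, len(esp)) + esp


def esp_null_icv_valid(pkt):
    esp = pkt[20:]
    return hmac.compare_digest(icv(esp[:-ICV_LEN]), esp[-ICV_LEN:])


# --- AH, tunnel mode (outer protocol 51) ---

def _zero_mutable(outer):
    """AH hashes the outer header with TOS, flags/fragment offset, TTL and checksum zeroed."""
    return (outer[0:1] + b"\x00" + outer[2:6] + b"\x00\x00" + b"\x00"
            + outer[9:10] + b"\x00\x00" + outer[12:20])


def build_ah_tunnel(inner, src, dst, spi, seq):
    ah_len = 12 + ICV_LEN
    outer = ipv4_header(src, dst, 51, ah_len + len(inner))
    # next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", 4, ah_len // 4 - 2, 0, spi, seq)
    covered = _zero_mutable(outer) + ah_fixed + bytes(ICV_LEN) + inner  # ICV field hashed as zeros
    return outer + ah_fixed + icv(covered) + inner


def ah_icv_valid(pkt):
    outer, ah_fixed, tag, inner = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    covered = _zero_mutable(outer) + ah_fixed + bytes(ICV_LEN) + inner
    return hmac.compare_digest(icv(covered), tag)


# --- what an intermediate router or address-rewriting middlebox changes in transit ---

def rewrite_outer(pkt, ttl=None, new_dst=None):
    """Return pkt with the outer TTL and/or destination changed and the IP checksum recomputed."""
    outer = bytearray(pkt[:20])
    if ttl is not None:
        outer[8] = ttl
    if new_dst is not None:
        outer[16:20] = socket.inet_aton(new_dst)
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", _checksum(bytes(outer)))
    return bytes(outer) + pkt[20:]


# Constructed inner packet: a small UDP datagram between two sites' private hosts.
INNER = ipv4_header("10.0.0.5", "10.0.1.7", 17, 8) + b"payload!"


def compare_coverage():
    """Report which in-transit modifications each format's ICV survives."""
    esp = build_esp_null_tunnel(INNER, "192.0.2.1", "198.51.100.1", 0x100, 1)
    ah = build_ah_tunnel(INNER, "192.0.2.1", "198.51.100.1", 0x200, 1)
    return {
        "esp_after_ttl_decrement": esp_null_icv_valid(rewrite_outer(esp, ttl=63)),
        "ah_after_ttl_decrement": ah_icv_valid(rewrite_outer(ah, ttl=63)),
        "esp_after_outer_dst_rewrite": esp_null_icv_valid(rewrite_outer(esp, new_dst="203.0.113.9")),
        "ah_after_outer_dst_rewrite": ah_icv_valid(rewrite_outer(ah, new_dst="203.0.113.9")),
    }


if __name__ == "__main__":
    for name, ok in compare_coverage().items():
        print(f"{name}: {'ICV valid' if ok else 'ICV FAILS'}")
```

Running it shows that both formats survive a TTL decrement, but only AH detects a rewritten outer destination address. That outer-address check is exactly what Steve judges non-critical for the tunnel-mode VPN case, and the contrast in `_zero_mutable` versus the single contiguous span ESP hashes is the field-selective versus pure-encapsulation difference he raises for hardware implementations.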



