
Re: Expiry based on traffic (kilobytes)



> 
> I think that the wording surrounding how to expire an SA based on traffic
> should be clarified.  While one can use common sense to figure out this
> issue for an Oakley SA, the IPSec SA is trickier. 
> 
> The problem is how does the traffic get counted.  
> 
> [1] Do we add all of the IP packet, or just the section that the SA
> secured (since an IP packet might have more than one SA transform it).  
I just count the section that the SA secured. 

> [2] Do we also add up the byte count from incoming packets?  

I do, to get a general indication of the volume for a pipe where
traffic is greater in one direction than the other ("I'm using this
key this much"). But because of potential packet loss on the net,
your figure may not be "accurate" w.r.t. the sender.

> [3] If so, do we count all of the packet, or just the section that was
> protected by the SA?
> 

Just the section that the SA secured.


- C
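The accounting the reply settles on, written out as an added example (it is not code from the original message, nor from any IPsec implementation or RFC): count only the portion of each IP packet the SA transformed, keep inbound bytes as a separate indicative counter, and trigger expiry on the sender's own count. It assumes ESP over IPv4 without options, takes the "protected section" to be the ESP datagram that follows the outer IPv4 header (an assumption of this example, not something the thread defines), uses 1 kB = 1024 bytes, and constructs its own packets, SPI, lifetime and loss pattern; all function and class names are hypothetical.

```python
"""Per-SA byte accounting for a kilobyte-based SA lifetime (added example)."""
import struct
from dataclasses import dataclass

IPPROTO_ESP = 50


def build_ipv4_esp(spi, seq, payload,
                   src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Construct an IPv4 packet (20-byte header, no options) carrying ESP.
    ESP header = SPI (4 bytes) + sequence number (4 bytes), then the payload,
    which stands in for ciphertext. Checksum is left zero: nothing is sent."""
    esp = struct.pack("!II", spi, seq) + payload
    total_len = 20 + len(esp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         IPPROTO_ESP, 0, src, dst)
    return ip_hdr + esp


def protected_section(packet):
    """Return (spi, protected_bytes) for an IPv4 packet carrying ESP.
    The count covers everything after the outer IPv4 header, i.e. the part
    this SA transformed (choice [1]/[3] in the thread, as interpreted here).
    Non-ESP or truncated input raises so no SA is credited by mistake."""
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (version_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    if total_len < ihl + 8 or len(packet) < total_len:
        raise ValueError("truncated packet")
    spi = struct.unpack("!I", packet[ihl:ihl + 4])[0]
    return spi, total_len - ihl


@dataclass
class SAByteCounter:
    spi: int
    lifetime_kb: int      # kilobyte lifetime negotiated for this SA
    tx_bytes: int = 0     # bytes we protected and sent under this SA
    rx_bytes: int = 0     # bytes we received under this SA (indicative only)

    def account(self, packet, inbound):
        """Add the protected portion of one packet to the right counter."""
        spi, n = protected_section(packet)
        if spi != self.spi:
            raise ValueError("packet belongs to a different SA")
        if inbound:
            self.rx_bytes += n
        else:
            self.tx_bytes += n
        return n

    def expired(self):
        """Expire on our own outbound count. The inbound count lags the peer
        whenever packets are lost in transit, so it is not used as the trigger."""
        return self.tx_bytes >= self.lifetime_kb * 1024


def simulate(n_packets=10, payload_len=100, drop_every=5, spi=0x1000,
             lifetime_kb=1):
    """Send n_packets from A to B over one SA; every drop_every-th packet is
    lost on the way (constructed loss, 0 = no loss). Returns both ends'
    counters plus the whole-IP-packet total, so the three counting choices
    discussed in the thread can be compared side by side."""
    sender = SAByteCounter(spi, lifetime_kb)
    receiver = SAByteCounter(spi, lifetime_kb)
    whole_packet_bytes = 0
    for seq in range(1, n_packets + 1):
        pkt = build_ipv4_esp(spi, seq, b"\x00" * payload_len)  # constructed
        whole_packet_bytes += len(pkt)          # choice: count the whole IP packet
        sender.account(pkt, inbound=False)      # choice: protected section only
        if drop_every and seq % drop_every == 0:
            continue                            # packet lost; receiver never sees it
        receiver.account(pkt, inbound=True)
    return {"sender_tx": sender.tx_bytes, "receiver_rx": receiver.rx_bytes,
            "whole_packet": whole_packet_bytes, "sender_expired": sender.expired()}


if __name__ == "__main__":
    print(simulate())
```

With the defaults, ten 100-byte payloads give 1280 bytes of IP packets but only 1080 protected bytes, which is what crosses the 1 kB lifetime on the sender; the receiver, having lost two packets, has counted 864 and would have let the SA run on, which is the mismatch the reply warns about.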


