
Re: draft-ietf-ipsec-arch-sec-02.txt and last call





>>>>> "Brian" == Brian Leu <bleu@semaphorecom.com> writes:
    Brian> It seems to me that if imposing the canonical ordering on the SPD
    Brian> entries then for every packet there is an overhead which on the average
    Brian> is proportional (linearly) to the number of entries in SPD because the
    Brian> search is sequential. 

  Exactly.
  This was my (unstated) thinking behind an objection to the explicit
SPD ordering. It just isn't computationally efficient at times.
  This remains my major objection to most of the firewall performance
testing that has been done: they have not measured performance as a
function of rule complexity. This is where it really counts.

]       ON HUMILITY: to err is human. To moo, bovine.           |  SSH IPsec  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |international[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

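The per-packet cost discussed in the message above, as an added example that is not part of the original post or of the draft: an ordered, first-match SPD lookup that reports how many entries it examined. The selector layout (destination prefix plus protocol), the names `spd_entry`, `spd_lookup` and `cost_of_last_match`, and the sample policy are all hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative selector: IPv4 destination prefix plus protocol (0 = any). */
enum action { DISCARD, BYPASS, APPLY_IPSEC };

struct spd_entry {
    uint32_t dst, mask;   /* destination prefix and netmask (host order) */
    uint8_t proto;        /* 0 matches any protocol */
    enum action act;
};

/* Ordered, first-match lookup. *examined receives the number of entries
 * compared, which is the per-packet cost the message is concerned with. */
enum action spd_lookup(const struct spd_entry *spd, int n,
                       uint32_t dst, uint8_t proto, int *examined)
{
    for (int i = 0; i < n; i++) {
        *examined = i + 1;
        if ((dst & spd[i].mask) == spd[i].dst &&
            (spd[i].proto == 0 || spd[i].proto == proto))
            return spd[i].act;
    }
    return DISCARD;       /* no entry matched: drop */
}

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Constructed policy: n-1 TCP host entries followed by a catch-all.
 * Returns how many entries a packet hitting only the catch-all examines. */
int cost_of_last_match(int n)
{
    struct spd_entry spd[256];
    int examined = 0;
    if (n < 1 || n > 256) return -1;
    for (int i = 0; i < n - 1; i++)
        spd[i] = (struct spd_entry){ IP(10,0,0,i+1), 0xffffffffu, 6, APPLY_IPSEC };
    spd[n-1] = (struct spd_entry){ 0, 0, 0, BYPASS };
    spd_lookup(spd, n, IP(192,0,2,1), 17, &examined);  /* constructed UDP packet */
    return examined;
}

int main(void)
{
    for (int n = 16; n <= 256; n *= 2)
        printf("entries=%3d examined=%3d\n", n, cost_of_last_match(n));
    return 0;
}
```

A benchmark that varies `n` and the position of the matching entry measures throughput as a function of rule complexity, which is the dimension the message says most firewall tests leave out.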

