
Re: draft-ietf-ipsec-arch-sec-02.txt and last call



Michael Richardson wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> "Brian" == Brian Leu <bleu@semaphorecom.com> writes:
> Brian> It seems to me that if imposing the canonical ordering on the SPD
> Brian> entries then for every packet there is an overhead which on the average
> Brian> is proportional (linearly) to the number of entries in SPD because the
> Brian> search is sequential.
> 
>   Exactly.
>   This was my (unstated) thinking behind an objection to the explicit
> SPD ordering. It just isn't computationally efficient at times.
<snip>

I disagree with the argument against canonical ordering. First, a
logical ordering does not necessarily reflect the physical ordering.
There are a number of creative approaches to indexing selectors which
are explored in database texts. A simple hashing mechanism has better
than linear performance.

Second, we might apply a variation of Occam's razor here: when selecting
administrative mechanisms, always take the simplest path, especially in
matters critical to system function (e.g. security). This (hopefully)
will preclude introduction of errors resulting from poorly understood
complexities of interaction.

Regarding the search overhead, there simply does not seem to be any way
to completely avoid it... hence, we must balance this overhead with
other concerns. I think the ordering does that nicely, especially if you
are clever about indexing into the db.
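The point made above, that a canonical (first-match) logical ordering of the SPD does not force a linear physical scan, can be shown with a small model. The following is an added example, not code from the thread or from any IPsec implementation: a constructed SPD of five entries with destination, protocol and port selectors is looked up by a sequential scan and by a hash index keyed on the protocol selector. Each index bucket holds only the entries that could match that protocol (exact plus wildcard), kept in canonical order, so first-match semantics are preserved while fewer entries are examined. Entry and packet values are constructed sample data.

```python
"""Added example (not from the thread): first-match SPD lookup by
sequential scan versus a protocol-keyed hash index that preserves the
canonical order inside each bucket. Sample entries and packets are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard selector value


@dataclass(frozen=True)
class SpdEntry:
    rank: int                       # position in the canonical order
    dst: ipaddress.IPv4Network      # destination selector
    proto: Optional[int]            # IP protocol, None = any
    dport: Optional[int]            # destination port, None = any
    action: str                     # "PROTECT", "BYPASS" or "DISCARD"

    def matches(self, pkt):
        return (pkt["dst"] in self.dst
                and self.proto in (ANY, pkt["proto"])
                and self.dport in (ANY, pkt["dport"]))


# constructed sample SPD, listed in canonical order (most specific first)
SPD = [
    SpdEntry(0, ipaddress.ip_network("10.1.0.0/16"), 6, 22, "PROTECT"),
    SpdEntry(1, ipaddress.ip_network("10.1.0.0/16"), 6, ANY, "PROTECT"),
    SpdEntry(2, ipaddress.ip_network("10.1.0.0/16"), 17, ANY, "BYPASS"),
    SpdEntry(3, ipaddress.ip_network("10.0.0.0/8"), ANY, ANY, "PROTECT"),
    SpdEntry(4, ipaddress.ip_network("0.0.0.0/0"), ANY, ANY, "DISCARD"),
]


def packet(dst, proto, dport):
    """Build a minimal packet descriptor from constructed values."""
    return {"dst": ipaddress.ip_address(dst), "proto": proto, "dport": dport}


def first_match(entries, pkt):
    """Return (matching entry or None, number of entries examined)."""
    examined = 0
    for e in entries:
        examined += 1
        if e.matches(pkt):
            return e, examined
    return None, examined


def lookup_sequential(spd, pkt):
    """Linear scan over the whole SPD: cost grows with its size."""
    return first_match(spd, pkt)


class ProtoIndex:
    """Hash index on the protocol selector. Each bucket holds the entries
    that can match that protocol (exact entries plus wildcard entries) in
    canonical order, so a lookup touches one bucket and still returns the
    same first match as the sequential scan."""

    def __init__(self, spd):
        ordered = sorted(spd, key=lambda e: e.rank)   # enforce logical order
        self.wild = [e for e in ordered if e.proto is ANY]
        protos = {e.proto for e in ordered if e.proto is not ANY}
        self.buckets = {p: [e for e in ordered if e.proto in (ANY, p)]
                        for p in protos}

    def lookup(self, pkt):
        # unknown protocol: only wildcard entries can match
        bucket = self.buckets.get(pkt["proto"], self.wild)
        return first_match(bucket, pkt)


def check_equivalent(spd, pkts):
    """True if index lookups agree with sequential lookups on every packet."""
    idx = ProtoIndex(spd)
    return all(lookup_sequential(spd, p)[0] is idx.lookup(p)[0] for p in pkts)


SAMPLE_PACKETS = [
    packet("10.1.2.3", 6, 22),      # ssh inside 10.1/16  -> entry 0
    packet("10.1.2.3", 6, 80),      # other tcp in 10.1/16 -> entry 1
    packet("10.1.2.3", 17, 53),     # udp in 10.1/16       -> entry 2
    packet("10.2.0.1", 6, 22),      # tcp elsewhere in 10/8 -> entry 3
    packet("192.168.1.1", 1, None), # icmp outside 10/8    -> entry 4
    packet("10.1.2.3", 1, None),    # icmp in 10/8         -> entry 3
]

if __name__ == "__main__":
    idx = ProtoIndex(SPD)
    for p in SAMPLE_PACKETS:
        seq, n_seq = lookup_sequential(SPD, p)
        fast, n_idx = idx.lookup(p)
        print(p["dst"], p["proto"], seq.action, "seq:", n_seq, "idx:", n_idx)
```

The index is rebuilt whenever the SPD changes, which is the usual trade-off: administrators keep a single, unambiguous ordering to reason about, and the implementation chooses whatever physical structure (hash buckets here, a trie or decision tree in a real system) gives it sub-linear lookups while returning exactly the entry the canonical order dictates.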

