Re: Retransmits in traffic count?

[Ricky Charlet <rcharlet@redcreek.com>]

Tim Jenkins wrote:
> 
> Let me start again.
> 
> Should the traffic used in re-transmitting packets used in phase 1 SAs while
> negotiating anything be counted against the traffic-based lifetime of the
> SA?
> 
> In other words, if I have to send the first quick mode 1 message three times
> before I get a response from the peer, should that first packet's traffic be
> counted one time or three times against the phase 1 SA's lifetime (by
> traffic) limitation?


	Three Times!


> 
> The current ISAKMP DOI-independent MIB does:
> 
> ==>
> 
> saInPackets OBJECT-TYPE
>         SYNTAX          Counter32
>         MAX-ACCESS      read-only
>         STATUS          current
>         DESCRIPTION
>                 "The total number of packets received by the ISAKMP phase 1
> SA, including un-encrypted packets used to negotiate the ISAKMP phase 1 SA,
> and any re-transmissions."
>         ::= { saEntry 13 }
> 
> saOutPackets OBJECT-TYPE
>         SYNTAX          Counter32
>         MAX-ACCESS      read-only
>         STATUS          current
>         DESCRIPTION
>                 "The total number of packets sent by the ISAKMP phase 1 SA,
> including un-encrypted packets used to negotiate the ISAKMP phase 1 SA, and
> any re-transmissions received."
>         ::= { saEntry 14 }
> 
> saInOctets OBJECT-TYPE
>         SYNTAX          Counter32
>         UNITS           "bytes"
>         MAX-ACCESS      read-only
>         STATUS          current
>         DESCRIPTION
>                 "The amount of encrypted traffic measured in bytes received
> by the ISAKMP phase 1 SA. This includes encrypted traffic used to negotiate
> the ISAKMP phase 1 SA, and any re-transmissions received."
>         ::= { saEntry 15 }
> 
> saOutOctets OBJECT-TYPE
>         SYNTAX          Counter32
>         UNITS           "bytes"
>         MAX-ACCESS      read-only
>         STATUS          current
>         DESCRIPTION
>                 "The amount of encrypted traffic measured in bytes sent by
> the ISAKMP phase 1 SA. This includes encrypted traffic used to negotiate the
> ISAKMP phase 1 SA, and any re-transmissions."
>         ::= { saEntry 16 }
> 
> <==
> 
> I'm thinking I should remove the "including re-transmissions" part of those
> and related objects.
> 
> Other objects are the global counters. Should they include re-transmissions
> if the individual SAs don't?

	I assume you refer to isakmpTotal(In/Out)(Packets/Octests). I beleive
that the retransmissions (packets and octets) should be counted in both
the global counters and the individual phase1 SA counters. I anticipate
this will be the natural expectation of Operantions-and-Maintenance
shops who will not want to see deffinitions of counters like "all
traffic except for ..." I also think this is well matched to what the SA
lifetime counters are tracking. (rfc2409 says "a number of kbytes
protected." in Appendix A. under Lifetype). 
	Actually, I can't think of a reason not to count the retransmissions in
all of these counters. (that don't mean there ain't one!) Could you tell
us about the potential motivations you see for
this?                                  




-- 
####################################
#  Ricky Charlet
#	(510) 795-6903
#	rcharlet@redcreek.com
####################################

end Howdy;

---

References:

• RE: Retransmits in traffic count?
• From: Tim Jenkins <tjenkins@TimeStep.com>

---

• Prev by Date: Re: Using Legacy Authentication for IPSRA (was : xauthrequirements: vulnerabilities)
• Next by Date: Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt
• Prev by thread: RE: Retransmits in traffic count?
• Next by thread: Re: Retransmits in traffic count?
• Index(es):
  • Main
  • Thread