
Re: Increased sequence number in ESP/AH



On Tue, 23 Jan 2001 15:17:43 EST you wrote
> >   While we're on the subject of sequence numbers and IKE negotiation,
> > I'd like to make their use negotiable. Right now the sender must always
> > send them even if the recipient is not using them. Parallelization of
> > IPsec processing is much easier if both sides can agree to forgo the
> > benefits of the anti-replay check.
> 
> If all you care about is performance, it's even faster if you leave
> out the crypto. :-)

Yuck, yuck. Actually, no it's not; crypto is not the bottleneck. There
is a point of diminishing returns for complying with the anti-replay 
requirement.

> If you want to avoid multiple crypto engines single-threading on the
> counter increment, negotiate multiple equivalent SAs and load-balance
> across the SAs.

That's one way to do it. But if the recipient has already said she isn't
going to be inspecting the counter, for whatever reason, why mandate that
the sender keep sending it?

  Dan.
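The two halves of the mechanism the thread is arguing about, as an added example that is not part of the original message: the sender's single monotonically increasing ESP/AH sequence counter (the one that serializes parallel crypto engines), and the receiver-side sliding-window anti-replay check in the style of RFC 2401 Appendix C. The class and method names and the 64-packet window are my own choices; a real implementation only updates the window after the packet's integrity check succeeds.

```python
class SequenceCounter:
    """Sender side: one 32-bit counter per SA, incremented for every packet.
    It starts at 1 and must never wrap; the SA has to be rekeyed first."""

    def __init__(self):
        self.value = 0

    def next(self):
        if self.value == 0xFFFFFFFF:
            raise RuntimeError("sequence space exhausted; rekey the SA")
        self.value += 1  # the shared increment parallel engines contend on
        return self.value


class AntiReplayWindow:
    """Receiver side: accept each sequence number at most once, and reject
    anything older than the window (bit i set => last_seq - i was seen)."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.last_seq = 0  # highest sequence number accepted so far
        self.bitmap = 0
        self.mask = (1 << window_size) - 1

    def check_and_update(self, seq):
        if seq == 0:  # the first packet on an SA carries 1, never 0
            return False
        if seq > self.last_seq:  # new high-water mark: slide the window
            diff = seq - self.last_seq
            self.bitmap = ((self.bitmap << diff) | 1) & self.mask if diff < self.window_size else 1
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.window_size:  # too old to be tracked
            return False
        if self.bitmap & (1 << diff):  # already seen: replay
            return False
        self.bitmap |= 1 << diff  # late but legitimate arrival
        return True


def filter_packets(seqs, window_size=64):
    """Run a constructed stream of sequence numbers through one window
    and return the accept/reject verdict for each packet in order."""
    window = AntiReplayWindow(window_size)
    return [window.check_and_update(s) for s in seqs]
```

Given the constructed stream 1, 2, 3, 2, 100, 36, 37, 37, 0 the duplicate 2, the stale 36 (64 behind 100), the second 37 and the invalid 0 are rejected while the out-of-order 37 is still accepted.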
