[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Increased sequence number in ESP/AH

To: "Ipsec" <ipsec@lists.tislabs.com>, "Sandy Harris" <sandy@storm.ca>
Subject: RE: Increased sequence number in ESP/AH
From: "Joseph D. Harwood" <jharwood@vesta-corp.com>
Date: Wed, 24 Jan 2001 09:20:07 -0800
Importance: Normal
In-reply-to: <3A6E4ABA.C6866A4F@storm.ca>
Sender: owner-ipsec@lists.tislabs.com




> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Sandy Harris
> Sent: Tuesday, January 23, 2001 7:24 PM
> To: 'ipsec@lists.tislabs.com'
> Subject: Re: Increased sequence number in ESP/AH
>
>
> "Steven M. Bellovin" wrote:
> >
> > In message <3A6DF166.60200CD1@columbia.sparta.com>, Andrea
> Colegrove writes:
> > >Steve,
> > >    How does this address freshness (anti-replay)?
> > >
> > >    Is this intended only as a useful feature for high-speed
> devices that may
> > >need additional SA lifetime?
> > >
> >
> > OC-192 -- deployed in some of today's backbones -- is roughly 1
> > gigabyte/second.  Multiply by whatever you think is the average packet
> > size, and multiply again by 4 -- but it's not a large number for the
> > duration of an SA.
> >
> >                 --Steve Bellovin, http://www.research.att.com/~smb
>
> Yes, but do we expect those backbone devices to be doing IPSEC?
> Perhaps a limited
> amount for management functions -- remote admin login, ICMP,
> routing protocols --
> but I wouldn't expect them to be doing it for bulk traffic.
>
> Methinks bulk traffic encryption needs to be as near end-to-end
> as practical, if not
> on the end user systems, then on local routers and firewalls.
> Almost by definition,
> that excludes backbone routers. You want them just shuffling
> packets. Routing is
> hard enough without adding IPSEC to that mix.
>
> OC-3 is the largest pipe I'd expect near enough to the edges that
> we want to see
> IPSEC on it. 155 Mbit/sec, ~ 20 Mbyte, certainly less than 1 M
> packets/sec, so
> over an hour between re-keyinga. No problem.

ISPs that provide network-based VPN services could use more than 155 Mbps
IPsec processing capability.  E.g., take a look at the service switches from
Cosine Communications, SpringTide (Lucent), Shasta (Nortel), Quarry
Technology.

>
> If we're contemplating any changes to the protocol, we want some
> that bring us
> nearer to the end-to-end goal, IPSEC on end-point systems.
>

Best Regards,
Joseph D. Harwood
jharwood@vesta-corp.com
www.vesta-corp.com

BEGIN:VCARD
VERSION:2.1
N:Harwood;Joseph;D.
FN:Joseph D. Harwood
ORG:Vesta Corporation
ADR;WORK:;(408) 838-9434;5201 Great America Parkway, Suite 320;Santa Clara;CA;95054
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:(408) 838-9434=0D=0A5201 Great America Parkway, Suite 320=0D=0ASanta Clara, =
CA 95054
URL:
URL:http://www.vesta-corp.com
EMAIL;PREF;INTERNET:jharwood@vesta-corp.com
REV:20001011T162328Z
END:VCARD

References:

Re: Increased sequence number in ESP/AH

From: Sandy Harris <sandy@storm.ca>

Prev by Date: Re: A tale of three transforms
Next by Date: Re: Increased sequence number in ESP/AH
Prev by thread: Re: Increased sequence number in ESP/AH
Next by thread: Re: Increased sequence number in ESP/AH
Index(es):
- Main
- Thread