Re: Increased sequence number in ESP/AH



Dan Harkins wrote:
>David Wagner wrote:
>> How about keeping N independent
>> (appropriately spaced out) replay windows, where N counts the degree of
>> parallelism you want at the sender?
>
>The problem I'm (having trouble) describing is on the sender side. The
>sender must keep its counter in sync among all the active nodes to whom
>the work load can be dynamically load-balanced or actively failed-over.

No, you missed the point of my proposal.  My proposal eliminates
the need for the sender's nodes to be in sync.

Imagine you have two nodes at the sender.  The first node transmits
packets with sequence numbers 0,1,2,3,...; the second uses
2^31,2^31+1,2^31+2,...; so they don't need to be in sync.  Today's
receivers wouldn't be happy to see this, because they have only a
single replay window.  But, if we introduce two replay windows at
the receiver, everything will be fine.  The first window will be a
32-bit bitmap of all sequence numbers seen in the range 0..31; the
second will cover 2^31..2^31+31; and of course each window range
will shift appropriately as packets are received.

This proposal has several nice features.  First, the security properties
of today's IPSEC are preserved.  Second, parallelization incurs no overhead
at the sender.  Third, there's not much burden on the receiver: receivers
could start with just one replay window per SA, and introduce extra replay
windows only as needed (up to some reasonable limit).

By the way, Sommerfeld's suggestion of generating N SA's for N degrees of
parallelism sounds even better -- it requires no changes to the standard
whatsoever.  I had thought that, for some reason, you wanted to keep all
the traffic on the same SA, but if you're happy with Sommerfeld's
solution, so much the better!
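As an added illustration (not part of the original thread, and not code from any IPsec implementation): a Python model of the receiver described above, with the 32-bit sequence space split into N equal partitions and one RFC 2401-style 32-bit sliding bitmap window per partition. The class and function names are my own; running it with one window reproduces why today's single-window receiver rejects the interleaved stream, and with two windows shows every legitimate packet passing while a replay still fails.

```python
WINDOW_BITS = 32                      # bitmap width, as in RFC 2401's example
SEQ_SPACE = 2 ** 32                   # 32-bit ESP/AH sequence number space
MASK = (1 << WINDOW_BITS) - 1

class PartitionedReplayCheck:
    """Receiver anti-replay with N independent sliding windows (hypothetical
    class, written for this example).  The sequence space is split into N
    equal partitions; each sender node is assumed to draw its numbers from
    its own partition, so the nodes never coordinate.  Each partition keeps
    the highest number accepted plus a bitmap of the 32 numbers below it."""

    def __init__(self, n_windows=2):
        self.partition = SEQ_SPACE // n_windows
        self.windows = [[None, 0] for _ in range(n_windows)]  # [top, bitmap]

    def accept(self, seq):
        """Return True if seq is fresh (and record it), False if stale/replayed."""
        if not 0 <= seq < SEQ_SPACE:
            return False
        win = self.windows[seq // self.partition]
        top, bitmap = win
        if top is None or seq > top:
            # New high-water mark: slide the bitmap up by the gap (capped at
            # the window width, beyond which nothing survives) and mark seq.
            shift = WINDOW_BITS if top is None else min(seq - top, WINDOW_BITS)
            win[0], win[1] = seq, ((bitmap << shift) | 1) & MASK
            return True
        diff = top - seq
        if diff >= WINDOW_BITS or bitmap & (1 << diff):
            return False              # too old for the window, or already seen
        win[1] = bitmap | (1 << diff)
        return True

def interleaved_demo(n_windows):
    """Feed one receiver the stream two uncoordinated sender nodes produce:
    node A uses 0,1,2,..., node B uses 2^31, 2^31+1, ...  Returns the
    per-packet verdicts, then the verdict on a replay of node A's packet 1."""
    rx = PartitionedReplayCheck(n_windows)
    stream = [0, 2**31, 1, 2**31 + 1, 2, 2**31 + 2, 3]   # constructed input
    verdicts = [rx.accept(s) for s in stream]
    return verdicts, rx.accept(1)

if __name__ == "__main__":
    # Single window (today's receiver): node A's packet 1 is dropped as stale
    # once node B's 2^31 has moved the window far above it.
    print("1 window :", interleaved_demo(1))
    # Two windows: every legitimate packet passes, the replay still fails.
    print("2 windows:", interleaved_demo(2))
```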