[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Increased sequence number in ESP/AH

To: Stephen Kent <kent@bbn.com>
Subject: Re: Increased sequence number in ESP/AH
From: "Derrell D. Piper" <ddp@cips.nokia.COM>
Date: Thu, 01 Feb 2001 12:22:41 -0800
cc: ipsec@lists.tislabs.com
In-Reply-To: Message from Stephen Kent <kent@bbn.com> of "Mon, 29 Jan 2001 18:15:44 EST." <v0422080ab69ba6410d70@[171.78.30.107]>
Sender: owner-ipsec@lists.tislabs.com

Steve,

>Well, I hate to add new fields to the packet format, but we may have 
>to do that at some point. However, the approach you propose here has 
>the advantage of being dynamic with less overhead (no QM exchange), 
>by allowing creation of new flows without creating new SAs. The flow 
>IDs separate out the sequence number spaces, each on a separate 
>crypto processor, right? So, the sequence numbers will be sequential 
>per flow, but packets for the same SPD-defined flow may be 
>distributed over various SA flows, to support parallelism.

Yes, that's right.  We probably only need six to eight bits for this.  You
could embed this in the upper byte of the new 64-bit sequence numbers.

Derrell

Prev by Date: RE: ipsec error protocol
Next by Date: lifetimes
Prev by thread: Re: lifetimes
Next by thread: IKE entropy issues with long keys
Index(es):
- Main
- Thread