
RE: IPSec Standard - No Flow Control?



Hello,

Are you saying the packets are arriving far enough out of order that some
are being discarded because of the sequence number checks?


Best Regards,
Joseph D. Harwood
jharwood@vesta-corp.com
www.vesta-corp.com


> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Michael Thomas
> Sent: Monday, July 23, 2001 10:56 AM
> To: Rett_Walters@payless.com
> Cc: ipsec@lists.tislabs.com
> Subject: IPSec Standard - No Flow Control?
>
>
>
> It may be what you're seeing is an artifact of the
> replay sequence number processing not allowing the
> full TCP receive window's worth of in flight data.
> Typically, the replay window is about 32-64 bits,
> which may be on the edge of interfering with your
> TCP window. Adjusting its window upward may help,
> but it's possible that there may be some limits to
> the size.
>
>        Mike
>
> Rett_Walters@payless.com writes:
>  > I have a question regarding IPsec inner workings.....
>  >
>  > Is there a provision for Flow Control in the IPSec Standards?
>  >
>  > I understand that IPSec essentially runs at Layer 3 which does not include
>  > flow control algorithms (usually left to Layer 4 protocols such as TCP);
>  > however I have noticed in live implementations of the protocol, long delay
>  > networks (250ms round-trip) suffer serious performance issues when compared
>  > to non-encrypted TCP communications such as Ftp's, using large (64k) TCP
>  > Receive Windows.  Trace analysis shows a large percentage of time spent
>  > waiting for ACKs to transmitted ESP packets.  Is there no way to control
>  > the amount of data "in flight", i.e. setting a higher Window?  Using IPSec
>  > Encapsulation seems to override or Break the TCP Windows set in the
>  > encrypted packet headers, due to its own method of flow control (or lack
>  > thereof).....
>  >
>  > I am wondering if this was overlooked?
>  >
>  > Thanks,
>  >
>  > ___________________________________
>  > Rett D. Walters
>  > Network Architect
>  > Payless ShoeSource Inc.
>  > Phone: 785-295-2049, Fax: 785-295-6666
>  > Email: rett.walters@payless.com
>  >
>  >
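
The replay-window behaviour discussed in this thread, as an added example (not from the thread or from any IPsec implementation): a sliding-window anti-replay check of the kind an ESP receiver performs, run over constructed traffic in which one packet is overtaken by 40 later ones. The names `replay_win`, `replay_accept` and `drops_with_reorder` are hypothetical, and ICV verification is assumed to have already succeeded for every packet.

```c
#include <stdint.h>
#include <stdio.h>

/* Anti-replay state for one inbound SA (hypothetical layout). size is the
 * window width in packets (1..64); bit i of bitmap marks (top - i) as seen. */
struct replay_win {
    uint32_t top;      /* highest sequence number accepted so far */
    uint64_t bitmap;
    unsigned size;
};

/* Returns 1 if seq is accepted (and records it), 0 if it must be dropped.
 * Assumption: the caller has already verified the packet's ICV. */
int replay_accept(struct replay_win *w, uint32_t seq)
{
    if (seq == 0) return 0;               /* 0 is never a valid sequence number */
    if (seq > w->top) {                   /* packet advances the right edge */
        uint32_t shift = seq - w->top;
        w->bitmap = (shift < 64) ? (w->bitmap << shift) | 1 : 1;
        w->top = seq;
        return 1;
    }
    uint32_t behind = w->top - seq;
    if (behind >= w->size) return 0;      /* left of the window: too old */
    if (w->bitmap & ((uint64_t)1 << behind)) return 0;   /* duplicate: replay */
    w->bitmap |= (uint64_t)1 << behind;
    return 1;
}

/* Constructed traffic: packets 1..total arrive in order, except that packet
 * `late` arrives only after `lag` later packets. Returns the drop count. */
unsigned drops_with_reorder(unsigned size, uint32_t total, uint32_t late, uint32_t lag)
{
    struct replay_win w = { 0, 0, size };
    unsigned dropped = 0;
    for (uint32_t s = 1; s <= total; s++) {
        if (s != late) dropped += !replay_accept(&w, s);
        if (s == late + lag) dropped += !replay_accept(&w, late);
    }
    return dropped;
}

int main(void)
{
    printf("window 32: %u dropped\n", drops_with_reorder(32, 100, 10, 40));
    printf("window 64: %u dropped\n", drops_with_reorder(64, 100, 10, 40));
    return 0;
}
```

A packet that the receiver discards this way looks like loss to TCP, so the sender retransmits it.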
