RE: Simplifying IKE

> I'd also like to see all IPSEC traffic between two hosts carried by just one
> SA.  I can't see any value in using multiple SAs between two hosts.  IPSEC

there is. and it's not related to security at all.

suppose you have a slow internet connection that is used only for VPN
traffic. your access router has no way to distinguish between different
sessions inside your VPN so it will put all the packets into the same queue.
if somebody is moving a large file using ftp your telnet connection will be
very very slow.

without encryption the routers will put packets from separate sessions
(defined by src&dst IP, protocol and ports) into separate queues (cisco
calls them classes IIRC) and even if you are downloading some huge file
your telnet session is still usable.

with encryption the SPI is the only parameter that can be used to classify
the packets. if you are using a single SA between two hosts it's
impossible for routers to distinguish between packets from different
sessions and the interactive applications suffer really badly.

arne
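As an added illustration (not part of the original message), here is a small Python model of what a router sitting between the two gateways can see: ports and the inner protocol are encrypted, so its classifier can only key on the outer addresses, protocol 50 and the SPI. The addresses, ports and SPI values are constructed for the example.

```python
from collections import defaultdict

# Constructed cleartext sessions inside the VPN: (src, dst, proto, sport, dport).
FLOWS = [
    ("10.0.0.5", "10.0.1.9", "tcp", 40001, 23),  # telnet, interactive
    ("10.0.0.5", "10.0.1.9", "tcp", 40002, 21),  # ftp control
    ("10.0.0.5", "10.0.1.9", "tcp", 40003, 20),  # ftp data, bulk transfer
]

# Constructed tunnel endpoints; these are the only addresses a transit router sees.
GW_SRC, GW_DST = "192.0.2.1", "198.51.100.1"


def esp_encapsulate(flows, sa_selector):
    """Return the fields visible on the wire for each packet: outer src/dst,
    IP protocol 50 (ESP) and the SPI chosen by the sending gateway's policy.
    Everything else (inner protocol, ports) is inside the encrypted payload."""
    return [(GW_SRC, GW_DST, 50, sa_selector(f)) for f in flows]


def classify(esp_packets):
    """Router-side classifier keyed on the visible tuple only.
    Returns a mapping from queue key to number of packets placed in it."""
    queues = defaultdict(int)
    for pkt in esp_packets:
        queues[pkt] += 1
    return dict(queues)


def single_sa(flow):
    """Policy from the quoted proposal: one SA carries every session."""
    return 0x1000


def sa_per_session(flow):
    """Hypothetical policy that negotiates a separate SA per destination port."""
    spi_by_port = {23: 0x1001, 21: 0x1002, 20: 0x1003}
    return spi_by_port[flow[4]]


def queue_count(sa_selector):
    """How many distinct queues (classes) the router can form."""
    return len(classify(esp_encapsulate(FLOWS, sa_selector)))
```

With `single_sa` all three sessions collapse into one queue, so the telnet packets wait behind the ftp data; with `sa_per_session` the SPI lets the router keep them apart.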
