RE: Simplifying IKE
Please be aware that from a hardware point of view, and I suspect also from
a software point of view, processing 2 SAs per packet will definitely
degrade the performance, as opposed to including both authentication and
encryption in a single SA a la ESP. This is because of the extra lookups and
repeated packet processing, as opposed to the cryptography.
David Blaker, CTO
NetOctave, Inc.
P.O. Box 14824
Research Triangle Park, NC 27709
Phone (919) 463-9903 x.206 / Fax (919) 463-9905
email mailto:dblaker@netoctave.com
website http://www.netoctave.com
-----Original Message-----
From: Steve.Robinson@psti.com [mailto:Steve.Robinson@psti.com]
Sent: Wednesday, August 08, 2001 9:36 AM
To: Joe Touch
Cc: ipsec@lists.tislabs.com; owner-ipsec@lists.tislabs.com; Sandy Harris
Subject: Re: Simplifying IKE
Hi Joe,
Please look a little closer; all my comments are prefaced by "STEVE:". I
cut the other sections from Sandy's original e-mail. I have no problems
with including NULL mode, but what I don't want to see is a situation where
we are using ESP for one thing on a packet and AH for another, simply for
what I perceive as political reasons. I'd much prefer to use a single
protocol and simplify our efforts.
Take Care,
Steve
From: Joe Touch <touch@ISI.EDU>
To: Steve.Robinson@psti.com
cc: Sandy Harris <sandy@storm.ca>, ipsec@lists.tislabs.com, owner-ipsec@lists.tislabs.com
Date: 08/08/01 08:56 AM
Subject: Re: Simplifying IKE
Steve.Robinson@psti.com wrote:
>
> A few comments:
>
> 2a: eliminate ESP authentication
> 3a: require AH on all packets. No choice, no null mode. An IPsec connection
> authenticates all packets, period.
Null mode is useful, if only for debugging and performance measurement.
Joe