
Re: How many spd records?



Actually, theoretically, it can be even bigger than that.  You can
imagine an SPD that had multiple entries for each SPI.  Imagine a
system where each SPI implies N SPD rules, because you want to define
rules for, say, each and every port for each and every host out there
on the internet (because each host is _special_).

-derek

James Tiller <tiller@lucent.com> writes:

> Derek -
> 
> Just out of curiosity, why 2^32? Is this because the SPI is 32 bits?
> If so, wouldn't this be the limits of the number of SA's affecting the
> SAD, whereas the policy database (SPD) is supporting the "types" or
> attributes defining the SA's?
> 
> One more curious point. If the policy defines the accepted operations
> to apply, deny, or pass data - technically, wouldn't that be
> unlimited? Because I could build a policy that affects only certain
> selectors based on IP address or fully qualified name - which could be
> limitless.
> 
> Just curious. Thankx for any answer!
> 
> -------------
> Best regards,
> -jim
> 
> 
> 
> Monday, September 10, 2001, 9:36:14 AM, Derek wrote:
> 
> Atkins> There isn't any theoretical maximum.  It's like asking "how many firewall
> Atkins> rules could you have?"  The answer: unlimited.
> 
> Atkins> There is a practical limit of approximately 2^32 per interface per peer.
> 
> Atkins> -derek
> 
> Atkins> mahdavi@sepahan.iut.ac.ir writes:
> 
> >> Hi all. 
> >> 
> >> Imagine we have a high speed security gateway (Gigabit). Typically how many SPD 
> >> records are required? 
> >> about 10 ? 
> >> about 50 ? 
> >> about 100 ? 
> >> about 1000 !!!???
> >> 
> >> how much?
> >> 
> >> I want to have an estimation of maximum SPD records that an administrator may 
> >> define. 
> >> 
> >> sincerely yours
> >> mahdavi 
> >> 
> >> 
> >> 
> >> 
> >> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
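
Added example (not part of the original thread, and not code from any of its participants): a minimal model of the distinction discussed above, with the SPD as an ordered list of selector rules that can grow with every host and port, and the SAD keyed by a 32-bit SPI. The class and function names, the default-deny fallback and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SpdRule:
    """One SPD entry: packet selectors plus the action to take."""
    src: str        # source prefix
    dst: str        # destination prefix
    proto: int      # IP protocol number, 0 = any
    ports: range    # destination ports
    action: str     # "apply", "deny" or "pass"

def spd_lookup(spd, src, dst, proto, dport):
    """Ordered, first-match search over selectors, like a firewall rule list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, r in enumerate(spd):
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in (0, proto) and dport in r.ports):
            return index, r.action
    return None, "deny"  # assumption: no matching policy means drop

def per_host_port_rules(hosts, ports):
    """One TCP rule per (host, port) pair: the 'each host is special' policy."""
    return [SpdRule(f"{h}/32", "0.0.0.0/0", 6, range(p, p + 1), "apply")
            for h in hosts for p in ports]

class Sad:
    """SA database keyed by (SPI, destination, protocol); the SPI is 32 bits."""
    def __init__(self):
        self.sas = {}

    def add(self, spi, dst, proto, sa):
        if not 0 <= spi < 2**32:
            raise ValueError("SPI does not fit in 32 bits")
        self.sas[(spi, dst, proto)] = sa

    def lookup(self, spi, dst, proto):
        return self.sas.get((spi, dst, proto))

def demo():
    hosts = [f"192.0.2.{i}" for i in range(1, 4)]     # constructed sample hosts
    spd = per_host_port_rules(hosts, [22, 80, 443])    # 3 hosts x 3 ports = 9 rules
    spd.append(SpdRule("0.0.0.0/0", "0.0.0.0/0", 0, range(0, 65536), "deny"))
    sad = Sad()
    sad.add(0x1000, "198.51.100.7", 50, "esp-sa-1")   # constructed SA, ESP = protocol 50
    return spd, sad
```

The SPD rule count here depends only on how many selector combinations the administrator writes down, while the SAD rejects any key whose SPI exceeds 32 bits.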

