
Re: How many spd records ?




Mahdavi,

The answer to your question, well, you won't like the answer, because it
isn't black and white.  It literally depends on the application, there is
no set "right" number.

And anyway, I like Jim's question better, as it is more relevant for the
forum that is the ietf ipsec working group -- it doesn't just address one
individual implementation.

So, 4 billion records.....

Just for fun.....
OK, the first thing that springs to mind is that this requires a dynamic
decorrelation algorithm, even though the number of records will increase,
it guarantees that each policy (or SPD node) is unique (so no more need for
total ordering).  Now the policy or SPD database can be kept in a tree, or
series of trees.  Four billion is a lot, so even though I'd like to use a
splay tree (so that last node accessed will be at the root) the amount of
processing required to reorganize the tree suggests that this is not a good
way to go.  So, a fixed binary tree of some sort -- but also look at the
traffic patterns a system like this is likely to face, maybe cache the last
20 - 30 entries in a splay tree (depending on the variety of traffic at any
one time).  Or maybe it's simpler to keep it (the cache, not the entire
database) as a linked list and just push the last accessed node to the head
of the list and remove the tail.

Of course this relies on the thought that we don't have race conditions
accessing the database.  If we have multiple processors (or barrels)
processing packets simultaneously, then the single cache idea won't work
well, since access will have to be restricted to a single lookup at a time.
-- So, how about a cache per processor?  Make true database lookups
reentrant, so multiple accesses are allowed, but this suggests that adding
and removing entries from the table are going to require a semaphore to
halt lookups during additions or removals...

OK, enough fun, I guess I should get back to work.....

Steve
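As an added example (not code from this thread or from any of its posters), here is a small C sketch of the arrangement Steve describes: a decorrelated policy database in which every selector is unique, kept in sorted order so a lookup is a binary search, fronted by a small move-to-front cache held separately per processor. The selectors are a constructed simplification (exact source, destination and protocol rather than ranges and ports), the sorted array stands in for the tree, and a generation counter stands in for the semaphore: the demo is single-threaded, so the counter only shows what the semaphore must protect. The point a defender cares about is the last step of `self_check`: a cached verdict (here a DISCARD for unmatched traffic) must be retired when the database changes, or the old decision keeps being applied after the administrator has changed the policy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from this thread: a decorrelated SPD kept sorted
 * for binary search, fronted by a move-to-front cache per processor. A
 * generation counter makes every change invalidate cached decisions.
 * Selectors are a constructed simplification: exact src, dst and protocol. */
enum spd_action { SPD_DISCARD = 0, SPD_BYPASS = 1, SPD_PROTECT = 2 };
struct selector { uint32_t src, dst; uint8_t proto; };
struct spd_entry { struct selector sel; enum spd_action action; };

#define SPD_MAX 64     /* toy capacity; a real SPD would use a tree */
#define CACHE_SIZE 4   /* the thread suggests 20-30; 4 keeps the demo small */

struct spd { struct spd_entry entries[SPD_MAX]; size_t count; unsigned generation; };
struct spd_cache {                /* slot 0 is most recently used; tail is evicted */
    struct spd_entry slots[CACHE_SIZE]; size_t used;
    unsigned generation;          /* SPD generation the slots were filled from */
    unsigned long hits, misses;
};

static int sel_cmp(const struct selector *a, const struct selector *b)
{
    if (a->src != b->src) return a->src < b->src ? -1 : 1;
    if (a->dst != b->dst) return a->dst < b->dst ? -1 : 1;
    if (a->proto != b->proto) return a->proto < b->proto ? -1 : 1;
    return 0;
}

/* Insert in sorted position; a duplicate selector is rejected because a
 * decorrelated database holds exactly one entry per selector. */
static int spd_add(struct spd *db, struct selector sel, enum spd_action act)
{
    size_t i = 0;
    if (db->count == SPD_MAX) return -1;
    while (i < db->count && sel_cmp(&db->entries[i].sel, &sel) < 0) i++;
    if (i < db->count && sel_cmp(&db->entries[i].sel, &sel) == 0) return -1;
    memmove(&db->entries[i + 1], &db->entries[i], (db->count - i) * sizeof db->entries[0]);
    db->entries[i].sel = sel; db->entries[i].action = act;
    db->count++; db->generation++;     /* the bump retires every cached decision */
    return 0;
}

static const struct spd_entry *spd_find(const struct spd *db, const struct selector *sel)
{
    size_t lo = 0, hi = db->count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = sel_cmp(&db->entries[mid].sel, sel);
        if (c == 0) return &db->entries[mid];
        if (c < 0) lo = mid + 1; else hi = mid;
    }
    return NULL;
}

static enum spd_action spd_lookup(const struct spd *db, struct spd_cache *c, struct selector sel)
{
    struct spd_entry res; const struct spd_entry *e; size_t i;
    if (c->generation != db->generation) {   /* policy changed: drop stale slots */
        c->used = 0; c->generation = db->generation;
    }
    for (i = 0; i < c->used; i++) {
        if (sel_cmp(&c->slots[i].sel, &sel) == 0) {
            res = c->slots[i];
            memmove(&c->slots[1], &c->slots[0], i * sizeof res);   /* move to front */
            c->slots[0] = res; c->hits++;
            return res.action;
        }
    }
    c->misses++;
    e = spd_find(db, &sel);
    if (e) res = *e;
    else { res.sel = sel; res.action = SPD_DISCARD; }   /* no policy: discard (RFC 2401) */
    if (c->used < CACHE_SIZE) c->used++;
    memmove(&c->slots[1], &c->slots[0], (c->used - 1) * sizeof res);  /* evict tail */
    c->slots[0] = res;
    return res.action;
}

/* Constructed scenario: two processors with separate caches.
 * Returns 0 on success, otherwise the number of the failing step. */
static int self_check(void)
{
    struct spd db;
    struct spd_cache cpu0, cpu1;
    struct selector web  = { 0x0A000005u, 0xC000020Au, 6 };   /* 10.0.0.5 -> 192.0.2.10 tcp */
    struct selector ping = { 0x0A000005u, 0xC000020Au, 1 };   /* same hosts, icmp */
    int k;
    memset(&db, 0, sizeof db); memset(&cpu0, 0, sizeof cpu0); memset(&cpu1, 0, sizeof cpu1);
    if (spd_add(&db, web, SPD_PROTECT) != 0) return 1;
    if (spd_add(&db, web, SPD_BYPASS) == 0) return 2;          /* duplicate rejected */
    for (k = 0; k < 10; k++)
        if (spd_lookup(&db, &cpu0, web) != SPD_PROTECT) return 3;
    if (cpu0.misses != 1 || cpu0.hits != 9) return 4;
    /* Unmatched traffic is discarded and that verdict is cached on cpu1 ... */
    if (spd_lookup(&db, &cpu1, ping) != SPD_DISCARD) return 5;
    /* ... so a later rule must invalidate it, or the stale verdict keeps winning. */
    if (spd_add(&db, ping, SPD_BYPASS) != 0) return 6;
    if (spd_lookup(&db, &cpu1, ping) != SPD_BYPASS) return 7;
    return (cpu1.misses == 2 && cpu1.hits == 0) ? 0 : 8;
}
```

Calling `self_check()` and getting 0 confirms both halves of the sketch: repeated traffic on one processor is served from its own cache after a single database walk, and a rule added on the control path is seen by every processor's next lookup because the generation no longer matches. In a real multi-processor system the generation compare, the cache refill and the `spd_add` would have to be ordered by the semaphore (or an equivalent RCU-style scheme) that Steve mentions; without that ordering a lookup running concurrently with an insert can read a half-moved array.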



                                                                                                                         
                    "mahdavi"                                                                                            
                    <mahdavi@sepahan.iu        To:     "James Tiller" <tiller@lucent.com>                                
                    t.ac.ir>                   cc:     "Derek Atkins" <warlord@mit.edu>, <ipsec@lists.tislabs.com>       
                    Sent by:                   Subject:     Re: How many spd recrds ?                                    
                    owner-ipsec@lists.t                                                                                  
                    islabs.com                                                                                           
                                                                                                                         
                                                                                                                         
                    09/20/01 08:47 AM                                                                                    
                                                                                                                         
                                                                                                                         




Hi dear James Tiller,
I think you misunderstood my question.
I hope others tell me the answer.

----- Original Message -----
From: "James Tiller" <tiller@lucent.com>
To: "mahdavi" <mahdavi@sepahan.iut.ac.ir>
Cc: "Derek Atkins" <warlord@mit.edu>; <ipsec@lists.tislabs.com>
Sent: Wednesday, 19 September, 2001 4:00 кеб
Subject: Re: How many spd recrds ?


> mahdavi -
>
> I would like to add to this question from a different perspective...
>
> If you have a high speed IPSec system, how do you look up a possible 4
> billion records fast enough?
>
> -------------
> Best regards,
> -jim
>
>
> Tuesday, September 11, 2001, 12:24:40 AM, mahdavi wrote:
>
> mahdavi> Hi
> mahdavi> O my God. What I asked that you answered me so?
> mahdavi> I did not ask about the theoretical maximum.
> mahdavi> I just said "Typically how many SPD records are required?".
>
> mahdavi> In another sentence I said "I want to have an estimation of the maximum
> mahdavi> SPD records that an administrator may define".
>
> mahdavi> It is funny to think an administrator may define 2^32 firewall
> mahdavi> rules; and I know that.
>
> mahdavi> I mean regularly (on average, typically, ...) how many SPD records
> mahdavi> may an administrator define.
>
> mahdavi> Best regards
> mahdavi> mahdavi.
>
>
> >> There isn't any theoretical maximum.  It's like asking "how many
> >> firewall rules could you have?"  The answer: unlimited.
> >>
> >> There is a practical limit of approximately 2^32 per interface per
> >> peer.
> >>
> >> -derek
> >>
> >> mahdavi@sepahan.iut.ac.ir writes:
> >>
> >> > Hi all.
> >> >
> >> > Imagine we have a high speed security gateway (Gigabit). Typically
> >> > how many SPD records are required?
> >> > about 10 ?
> >> > about 50 ?
> >> > about 100 ?
> >> > about 1000 !!!???
> >> >
> >> > how much?
> >> >
> >> > I want to have an estimation of the maximum SPD records that an
> >> > administrator may define.
> >> >
> >> > sincerely yours
> >> > mahdavi
> >> >
> >> >
> >> >
> >> >
> >> >
> >>
> >> --
> >>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >>        Member, MIT Student Information Processing Board  (SIPB)
> >>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> >>        warlord@MIT.EDU                        PGP key available