
Re: DataStructure for Storing SPD,SA Entries




I use three tries in my implementation -- but it really isn't the relevant
issue here. It sounds to me like you are really glossing over the issue of
overlapping policy.  If you do not implement a decorrelation algorithm, you
are probably going to cause yourself some major problems down the road.
Are you going to be hardcoding the policy values in yourself, or are you
going to be selling a product that will have the policies loaded by a
system administrator after the sale?  Assuming the latter case is correct,
and you insist on using a hash lookup, then you really should guarantee
that your product will not overlap the policies ever -- don't blame the
system administrators for not using the product correctly if the initial
design is not robust and able to separate the policies dynamically in the
field.


Steve




From:     "Puja Puri" <puja.puri@cdac.ernet.in>
Sent by:  owner-ipsec@lists.tislabs.com
Date:     10/18/01 01:13 AM
To:       "ranjeet barve" <ranjeet_barve@yahoo.co.in>
cc:       <ipsec@lists.tislabs.com>
Subject:  Re: DataStructure for Storing SPD,SA Entries




hi
It's true that finding an efficient hash function seems to be a major
problem, but then once that is done, hash tables prove to be efficient.
Rajesh, I suggest you do some R&D on hash functions to find a suitable one
for you. For instance, the hi/fn toolkit for IPSec uses hash tables. But
unfortunately such implementations don't mention their hash functions.

The selectors do contain a number of fields, but remember that according to
RFC 2401 you can use one or more fields from selectors to map to your
policies. This makes life simpler.

The queries with wildcards do create some problems, but that can be sorted
out with the way you implement.

As far as tries are concerned, I have no idea whether any implementations
use them or not.

I hope, Rajesh, that at least I have tried answering all your queries.

regds
puja
----- Original Message -----
From: "ranjeet barve" <ranjeet_barve@yahoo.co.in>
To: "Puja Puri" <puja.puri@cdac.ernet.in>
Cc: <ipsec@lists.tislabs.com>
Sent: Thursday, October 18, 2001 9:51 AM
Subject: Re: DataStructure for Storing SPD,SA Entries


> hi,
> With a Hash Table, finding an efficient hash function
> seems to be a major Problem. Also, as the Selector
> contains a number of fields, it would make the task
> even more complicated. Which Implementations are using Hash
> Tables for storing SPD and SAD? What kind of hash
> functions do they use??
>
> Also, do the range queries with wild cards not create
> a major problem in formulating a Hash Function??
> Does any implementation use Tries for Storing SPD,SAD?
>
> Please help me with the above queries,
>
>  Regards,
>  Ranjeet Barve,
>  M.Tech IIT Bombay.
>
>
>
> --- Puja Puri <puja.puri@cdac.ernet.in> wrote:
> > hi
> > Hash tables seem to be good for SPD and SAD, since
> > search is faster than many other data structures.
> > It is used by many toolkits which implement IPSec.
> >
> > Just need to take care that policies don't overlap
> > Correct me anybody if I am wrong.
> > regds
> > puja
> > ----- Original Message -----
> > From: "ranjeet barve" <ranjeet_barve@yahoo.co.in>
> > To: <ipsec@lists.tislabs.com>
> > Sent: Friday, October 12, 2001 8:10 PM
> > Subject: DataStructure for Storing SPD,SA Entries
> >
> >
> > > hi,
> > > I had a question on the Data Structure to use for
> > > Security Policy Database and Security Association
> > > Entries.
> > > Which would be the most efficient Data Structure for
> > > Storing SPD and SA entries ??
> > > Which Data-Structure is Most Commonly used?
> > > (I apologise if this question is already answered in
> > > the mailing list.)
> > >
> > > Please let me know.
> > >
> > > Regards,
> > > Ranjeet Barve,
> > > M.Tech IIT Bombay.
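
The overlap problem raised in the top reply, as an added example that is not code from any poster in this thread: an ordered SPD gives first-match semantics, so a lookup that ignores order (as a hash table does) is only safe once the entries have been decorrelated into non-overlapping selectors. The sketch below uses plain box subtraction as one way to do that; the two-field selector (destination address, destination port), the policy values and all function names are assumptions made for illustration.

```python
import ipaddress

def net(cidr):
    """CIDR prefix -> inclusive (lo, hi) integer address range."""
    n = ipaddress.ip_network(cidr)
    return int(n.network_address), int(n.broadcast_address)

# Constructed ordered SPD: ((dst address range, dst port range), action).
# First match wins, so each entry is shadowed by every entry above it.
SPD = [
    ((net("10.1.2.0/24"), (22, 22)),   "BYPASS"),
    ((net("10.1.0.0/16"), (0, 65535)), "PROTECT"),
    ((net("0.0.0.0/0"),   (0, 65535)), "DISCARD"),
]

def subtract(box, cut):
    """Return disjoint boxes covering the part of `box` that lies outside `cut`."""
    if any(lo > chi or hi < clo for (lo, hi), (clo, chi) in zip(box, cut)):
        return [box]                       # no overlap, nothing to carve out
    pieces, rest = [], list(box)
    for i, (clo, chi) in enumerate(cut):
        lo, hi = rest[i]
        if lo < clo:                       # slab below the cut in field i
            pieces.append(tuple(rest[:i] + [(lo, clo - 1)] + rest[i + 1:]))
            lo = clo
        if hi > chi:                       # slab above the cut in field i
            pieces.append(tuple(rest[:i] + [(chi + 1, hi)] + rest[i + 1:]))
            hi = chi
        rest[i] = (lo, hi)                 # keep only the overlapping core
    return pieces

def decorrelate(spd):
    """Rewrite an ordered SPD as non-overlapping entries with the same result."""
    out = []
    for idx, (box, action) in enumerate(spd):
        frags = [box]
        for earlier, _ in spd[:idx]:       # remove everything already claimed
            frags = [p for f in frags for p in subtract(f, earlier)]
        out += [(f, action) for f in frags]
    return out

def matches(spd, addr, port):
    """Actions of all entries whose selector contains the packet, in SPD order."""
    pkt = (int(ipaddress.ip_address(addr)), port)
    return [a for box, a in spd
            if all(lo <= v <= hi for v, (lo, hi) in zip(pkt, box))]

if __name__ == "__main__":
    for box, action in decorrelate(SPD):
        print(action, box)
```

After decorrelation every packet matches exactly one entry, so the entries can be stored and searched in any order; on the original list the same packet matches up to three entries and the result depends on which one the lookup reaches first.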