
Re: DataStructure for Storing SPD,SA Entries



IPSEC policy data structures need two properties: handling overlapping
policies and maintaining an ordered list. Hash tables generally do not
have these properties, although they could be designed for this
purpose.

Trees are the most efficient data structure that I have found for
storing IPSEC policies. I have seen an implementation perform policy
lookups with an average time of less than 10 microseconds with
1,000,000 policies in the SPD. Of course, in real deployments, you are
unlikely to have that many policy entries.

For best performance, my suggestion would be to break up a policy into
selectors and organize the selectors in a tree. For very high
performance, you can use hardware to look up policies.

-Saroop Mathur
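
An added example, not part of the original post or of any implementation it mentions: a sketch of an ordered SPD in which the destination-address selector is a binary trie and the remaining selectors are checked on the nodes along the lookup path, so overlapping policies resolve to the earliest-ordered match. The class names, the IPv4-only scope, the sample policies and the DISCARD default are assumptions of this example.

```python
import ipaddress

class Node:
    def __init__(self):
        self.child = [None, None]   # next address bit: 0 or 1
        self.policies = []          # (order, proto, port_lo, port_hi, action)

class SPD:
    """Ordered policy database; the destination-prefix selector is a binary trie."""
    def __init__(self):
        self.root, self.count = Node(), 0

    def add(self, dst_prefix, proto, ports, action):
        net = ipaddress.ip_network(dst_prefix)          # IPv4 only in this sketch
        bits, node = int(net.network_address), self.root
        for i in range(net.prefixlen):
            b = (bits >> (31 - i)) & 1
            if node.child[b] is None:
                node.child[b] = Node()
            node = node.child[b]
        # insertion order is the policy's priority: earlier entries win
        node.policies.append((self.count, proto, ports[0], ports[1], action))
        self.count += 1

    def lookup(self, dst, proto, port):
        bits, node, best = int(ipaddress.ip_address(dst)), self.root, None
        for i in range(33):                             # prefix lengths 0..32
            for pol in node.policies:                   # check remaining selectors
                order, p, lo, hi, _ = pol
                if p in (proto, "any") and lo <= port <= hi:
                    if best is None or order < best[0]:
                        best = pol
            if i == 32:
                break
            node = node.child[(bits >> (31 - i)) & 1]
            if node is None:
                break
        return best[4] if best else "DISCARD"           # example default: no match

def build_sample_spd():
    spd = SPD()  # constructed policies, in priority order
    spd.add("10.1.2.0/24", "tcp", (22, 22), "BYPASS")
    spd.add("10.1.0.0/16", "any", (0, 65535), "PROTECT")
    spd.add("10.1.2.3/32", "tcp", (0, 65535), "DISCARD")  # overlaps both above
    return spd

if __name__ == "__main__":
    spd = build_sample_spd()
    for pkt in [("10.1.2.3", "tcp", 22), ("10.1.2.3", "tcp", 80), ("192.0.2.1", "udp", 500)]:
        print(pkt, "->", spd.lookup(*pkt))
```

The /32 entry never wins for 10.1.2.3 here because the earlier /16 entry already covers that traffic: the lowest order number among matching entries decides, not the longest prefix.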
