
Re: Son-of-IKE Performance



> The problem is that if the first encrypted packet arrives before the
> responder establishes the SA then the packet will be dropped.  

Not necessarily.

Before the sender can send anything on the SA, the receiver needs to
have allocated the SPI that the sender will use.

The receiver can thus buffer encrypted packets in a "larval" SA until
the keying material arrives.

Naturally, you need to apply reasonable limits for how much and how
long you're willing to buffer, but this is going to be very similar to
the buffering typically done while waiting for ARP replies.

				- Bill
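The buffering scheme described in the message above, sketched as an added example that is not part of the original post or of any IPsec implementation. The `larval_*` names, the verdict codes, and the three limits are hypothetical choices for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Limits are assumed values for illustration, not taken from the thread. */
#define LARVAL_MAX_PKTS  4      /* how much: packets queued per SPI */
#define LARVAL_MAX_BYTES 4096   /* how much: bytes queued per SPI */
#define LARVAL_TTL_MS    3000   /* how long: lifetime of an unkeyed SA */

struct larval_sa {
    uint32_t spi;               /* SPI the receiver allocated for the sender */
    uint64_t created_ms;        /* when the SPI was allocated */
    int      keyed;             /* set once keying material has arrived */
    size_t   npkts, nbytes;     /* current queue occupancy */
    struct { const uint8_t *data; size_t len; } q[LARVAL_MAX_PKTS];
};

enum verdict { V_QUEUED, V_DECRYPT_NOW, V_DROP_UNKNOWN_SPI, V_DROP_LIMIT, V_DROP_EXPIRED };

/* Inbound encrypted packet: buffer only for an SPI we allocated, within limits.
 * The caller keeps pkt alive until the queue is drained. */
enum verdict larval_input(struct larval_sa *sa, uint32_t spi,
                          const uint8_t *pkt, size_t len, uint64_t now_ms) {
    if (spi != sa->spi) return V_DROP_UNKNOWN_SPI;   /* never buffer for unallocated SPIs */
    if (sa->keyed) return V_DECRYPT_NOW;             /* normal path once keys exist */
    if (now_ms - sa->created_ms > LARVAL_TTL_MS) {
        sa->npkts = sa->nbytes = 0;                  /* discard the stale queue */
        return V_DROP_EXPIRED;
    }
    /* Subtraction form avoids size_t wraparound on a huge len. */
    if (sa->npkts == LARVAL_MAX_PKTS || len > LARVAL_MAX_BYTES - sa->nbytes)
        return V_DROP_LIMIT;
    sa->q[sa->npkts].data = pkt;
    sa->q[sa->npkts].len = len;
    sa->npkts++;
    sa->nbytes += len;
    return V_QUEUED;
}

/* Keying material arrived: q[0..n) can now be decrypted in arrival order. */
size_t larval_keys_ready(struct larval_sa *sa) {
    sa->keyed = 1;
    return sa->npkts;
}

int main(void) {
    static const uint8_t pkt[64] = {0};              /* constructed sample packet */
    struct larval_sa sa = { .spi = 0x1000, .created_ms = 0 };
    larval_input(&sa, 0x1000, pkt, sizeof pkt, 5);   /* arrives before the keys */
    return larval_keys_ready(&sa) == 1 ? 0 : 1;
}
```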

