Re: Son-of-IKE Performance
On Thu, 6 Dec 2001, Bill Sommerfeld wrote:
> > The problem is that if the first encrypted packet arrives before the
> > responder establishes the SA then the packet will be dropped.
>
> Not necessarily.
>
> Before the sender can send anything on the SA, the receiver needs to
> have allocated the SPI that the sender will use.
>
> The receiver can thus buffer encrypted packets in a "larval" SA until
> the keying material arrives.
>
> Naturally, you need to apply reasonable limits for how much and how
> long you're willing to buffer, but this is going to be very similar to
> the buffering typically done while waiting for arp replies.
>
If you talk from the perspective of a workstation, this may be an option
(although it's not one I like). If you start talking about gateways/routers
that terminate large numbers of flows, caching packets for a LOT of budding
flows just doesn't seem palatable, especially when the solution is so utterly
simple: An ack. I believe this is optimizing in the wrong place.
jan
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
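
The bounded larval-SA buffering described in the quoted text, as an added example that is not part of the original thread. The class name, the per-SA and global limits, and the timeout are assumptions chosen for illustration.

```python
import time
from collections import deque

class LarvalSABuffer:
    """Holds encrypted packets for SPIs that are allocated but not yet keyed."""

    def __init__(self, per_sa_max=4, global_max=1024, ttl=0.5, clock=time.monotonic):
        self.per_sa_max = per_sa_max    # packets held per larval SA
        self.global_max = global_max    # packets held across all larval SAs
        self.ttl = ttl                  # seconds a larval SA may hold packets
        self.clock = clock
        self.larval = {}                # spi -> (created_at, deque of packets)
        self.held = 0
        self.dropped = 0

    def allocate_spi(self, spi):
        # The receiver allocates the SPI before the sender can use it.
        self.larval[spi] = (self.clock(), deque())

    def _expire(self):
        # Discard larval SAs (and their packets) that waited longer than ttl.
        now = self.clock()
        for spi in [s for s, (t, _) in self.larval.items() if now - t > self.ttl]:
            _, queue = self.larval.pop(spi)
            self.held -= len(queue)
            self.dropped += len(queue)

    def receive(self, spi, packet):
        """Return True if the packet was buffered, False if it was dropped."""
        self._expire()
        entry = self.larval.get(spi)
        if (entry is None                           # SPI never allocated
                or len(entry[1]) >= self.per_sa_max  # this SA is full
                or self.held >= self.global_max):    # whole buffer is full
            self.dropped += 1
            return False
        entry[1].append(packet)
        self.held += 1
        return True

    def keys_arrived(self, spi):
        """Keying material is in: release buffered packets in arrival order."""
        self._expire()
        entry = self.larval.pop(spi, None)
        if entry is None:
            return []
        self.held -= len(entry[1])
        return list(entry[1])
```

With these limits, worst-case memory is `global_max` times the largest packet size, regardless of how many flows are being set up at once; packets beyond that are dropped as they would be without buffering.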