
Re: Son-of-IKE Performance



On Thu, 6 Dec 2001, Bill Sommerfeld wrote:

> > The problem is that if the first encrypted packet arrives before the
> > responder establishes the SA then the packet will be dropped.  
> 
> Not necessarily.
> 
> Before the sender can send anything on the SA, the receiver needs to
> have allocated the SPI that the sender will use.
> 
> The receiver can thus buffer encrypted packets in a "larval" SA until
> the keying material arrives.
> 
> Naturally, you need to apply reasonable limits for how much and how
> long you're willing to buffer, but this is going to be very similar to
> the buffering typically done while waiting for arp replies..
> 
If you talk from the perspective of a workstation, this may be an option
(although it's not one I like). If you start talking about gateways/routers
that terminate large numbers of flows, caching packets for a LOT of budding
flows just doesn't seem palatable, especially when the solution is so utterly
simple: An ack. I believe this is optimizing in the wrong place.

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
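An added illustration of the responder-side "larval" SA buffering Bill describes and of the per-flow memory it ties up on a gateway, which is Jan's objection (example code, not from either poster or any IKE implementation); the SPI allocation order is as stated in the thread, while MAX_BUFFERED, MAX_LARVAL_AGE and the toy decrypt are assumptions:

```python
# Added example: an SA table that keeps a "larval" entry for an SPI the
# responder has allocated but not yet keyed, buffers inbound packets for it
# under a count limit and an age limit, and flushes them when keys arrive.
from collections import deque

MAX_BUFFERED = 4        # packets held per larval SA (assumed policy value)
MAX_LARVAL_AGE = 2.0    # seconds a larval SA may wait for keys (assumed)

class SADatabase:
    def __init__(self):
        self.sas = {}   # spi -> dict(state, key, queue, created)

    def allocate_spi(self, spi, now):
        """Responder reserves an SPI before any key material exists."""
        self.sas[spi] = {"state": "larval", "key": None,
                         "queue": deque(), "created": now}

    def receive(self, spi, packet, now):
        """Inbound ESP-style packet: decrypt if mature, buffer if larval."""
        sa = self.sas.get(spi)
        if sa is None:
            return "dropped:unknown-spi"
        if sa["state"] == "mature":
            return "delivered:" + self._decrypt(sa["key"], packet)
        if now - sa["created"] > MAX_LARVAL_AGE:
            del self.sas[spi]       # expire the larval SA and free its buffer
            return "dropped:larval-expired"
        if len(sa["queue"]) >= MAX_BUFFERED:
            return "dropped:buffer-full"
        sa["queue"].append(packet)
        return "buffered"

    def install_keys(self, spi, key):
        """Keying material arrives: mature the SA and flush the buffer."""
        sa = self.sas[spi]
        sa["state"], sa["key"] = "mature", key
        flushed = [self._decrypt(key, p) for p in sa["queue"]]
        sa["queue"].clear()
        return flushed

    def buffered_bytes(self):
        """Memory held for larval flows; this is what scales with flow count."""
        return sum(len(p) for sa in self.sas.values() for p in sa["queue"])

    @staticmethod
    def _decrypt(key, packet):
        # Toy stand-in for real decryption: strip a "<key>:" prefix.
        prefix = key + ":"
        return packet[len(prefix):] if packet.startswith(prefix) else "BAD"
```

The `buffered_bytes()` figure multiplied by the number of concurrent budding flows is the cost a gateway would have to carry, which is the point at which an acknowledgement from the responder becomes the cheaper design.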


