
RE: Protocol and port fields in selectors



sakari.poussa@nokia.com wrote:
>> That is actually the whole idea; to reduce the number of SAs. Since
>> we are talking about several hundred thousands of SAs,
>> cutting the size
>> in half reduces the memory requirements (a lot) and improves
>> performance.
>

andrew.krywaniuk@alcatel.com wrote:
>This is essentially the argument against port and protocol based SAs in
>general. If you just used a firewall rule to block stray packets you
>wouldn't have this problem. Trying to reduce the memory footprint after
>mandating port-constrained SAs is like optimizing bubble sort.

I agree. But the way 3GPP/IMS has specified the SIP IPsec protection,
we need to use the port numbers in the SAs. That is, some traffic
will be sent in the clear (unprotected port) while other traffic is
IPsec protected (protected port). Too bad ;(

>Andrew

-sakari
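The two designs argued about in this exchange, as an added illustration that is not code from the thread, from 3GPP or from any IPsec implementation: a toy SPD whose selectors carry protocol and port fields, compared with address-only selectors. The addresses, port numbers and SA names are constructed assumptions; the point is only how the selector shape decides which packets bypass, which are protected, and how many SAs a list of protected port pairs costs.

```python
"""Toy SPD / traffic-selector model for the port-constrained-SA discussion.

Added example for this thread, not code from the IPsec WG, 3GPP or any stack.
Addresses, ports and SA names below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard value for a selector field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int   # IP protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector: endpoint addresses plus optional proto/port constraints."""
    src: str
    dst: str
    proto: Optional[int] = ANY
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY

    def matches(self, pkt: Packet) -> bool:
        # A wildcard (None) field matches anything; a set field must be equal.
        return (self.src == pkt.src and self.dst == pkt.dst
                and self.proto in (ANY, pkt.proto)
                and self.sport in (ANY, pkt.sport)
                and self.dport in (ANY, pkt.dport))


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str               # "PROTECT", "BYPASS" or "DISCARD"
    sa: Optional[str] = None  # name of the SA used when action == "PROTECT"


def spd_lookup(spd: List[Policy], pkt: Packet) -> Policy:
    """Ordered first-match lookup; a packet matching no entry is discarded."""
    for pol in spd:
        if pol.selector.matches(pkt):
            return pol
    return Policy(Selector(pkt.src, pkt.dst), "DISCARD")


def sa_count(spd: List[Policy]) -> int:
    """Number of distinct SAs the SPD needs (one per PROTECT entry here)."""
    return len({p.sa for p in spd if p.action == "PROTECT"})


# Constructed endpoints and ports (assumptions, not values from the thread).
UE, PCSCF = "10.0.0.1", "10.0.1.1"
UDP = 17
PORT_UC, PORT_US = 5060, 5060   # unprotected client / server ports: cleartext
PORT_PC, PORT_PS = 6000, 5061   # protected client / server ports: IPsec


def port_constrained_spd(pairs: List[Tuple[int, int]]) -> List[Policy]:
    """Selectors carry ports: each protected (client, server) port pair gets
    its own SA per direction, and the unprotected pair is explicitly bypassed."""
    spd: List[Policy] = []
    for c, s in pairs:
        spd.append(Policy(Selector(UE, PCSCF, UDP, c, s), "PROTECT", f"sa-out-{c}-{s}"))
        spd.append(Policy(Selector(PCSCF, UE, UDP, s, c), "PROTECT", f"sa-in-{s}-{c}"))
    spd.append(Policy(Selector(UE, PCSCF, UDP, PORT_UC, PORT_US), "BYPASS"))
    spd.append(Policy(Selector(PCSCF, UE, UDP, PORT_US, PORT_UC), "BYPASS"))
    return spd


def address_only_spd() -> List[Policy]:
    """Ports wildcarded: two SAs cover every port between the peers, so the
    SA count no longer grows with the number of port pairs. Stray traffic
    would be handled by a separate firewall rule, not by the SPD, and no
    port can be carried in the clear between these two addresses."""
    return [
        Policy(Selector(UE, PCSCF), "PROTECT", "sa-out"),
        Policy(Selector(PCSCF, UE), "PROTECT", "sa-in"),
    ]


if __name__ == "__main__":
    spd = port_constrained_spd([(PORT_PC, PORT_PS)])
    for pkt in (Packet(UE, PCSCF, UDP, PORT_PC, PORT_PS),   # protected port pair
                Packet(UE, PCSCF, UDP, PORT_UC, PORT_US),   # unprotected pair
                Packet(UE, PCSCF, UDP, 4000, PORT_PS)):     # stray source port
        print(pkt.sport, pkt.dport, spd_lookup(spd, pkt).action,
              spd_lookup(address_only_spd(), pkt).action)
    print("SAs for 3 port pairs:", sa_count(port_constrained_spd([(6000, 5061), (6001, 5062), (6002, 5063)])),
          "vs address-only:", sa_count(address_only_spd()))
```

With port selectors the SPD itself separates cleartext from protected SIP, at the price of a pair of SAs per protected port pair; with address-only selectors the SA count is constant but every packet between the two addresses, including the "unprotected" port, lands on the SA, which is exactly why the IMS arrangement described above cannot simply drop the port fields.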