[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SPD Cache in 2401bis

To: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Re: SPD Cache in 2401bis
From: Stephen Kent <kent@bbn.com>
Date: Mon, 8 Mar 2004 11:31:40 -0500
Cc: ipsec@lists.tislabs.com
In-reply-to: <p0602040dbc712de311ca@[63.202.92.152]>
References: <p06020412bc6e9ae5a081@[128.89.89.75]><20040306130924.A1D2958@coconut.itojun.org><p0602040dbc712de311ca@[63.202.92.152]>
Sender: owner-ipsec@lists.tislabs.com

At 11:55 AM -0800 3/7/04, Paul Hoffman / VPNC wrote:
>Reading through the current draft, I have to agree with Itojun and 
>Bora. It's hard to say that the cache is optional when it appears in 
>MUST statements, such as in section 5.1. There should either be 
>parallel discussions (simpler ones with the cache, more complicated 
>ones without the cache), or the main document should describe only 
>the mandatory features, and an appendix or different document 
>describe the improvements you get with the optional cache.
>
>--Paul Hoffman, Director
>--VPN Consortium

paul,

Fair criticism.  It would be ideal if we could provide parallel 
descriptions, or relegate one to an appendix, but it is additional, 
non-trivial work.

In 2401 we did not do an adequate job of describing how to handle 
some cases, e.g., named SPD entries and PFP entries. Even for simple 
SPD entries the notion of going back to the SPD to lookup each 
outbound packet is clearly something that scales poorly for bigger 
SPDs and/or high speeds. (Of course all of this is only a concern for 
BITS/BITW/SG implementations. native host implementations have an 
intrinsic form of caching anyway.)

A motivation for introducing caching was to offer a model that scales 
better, as well as describing a simpler model. Decorrelation is 
needed for caching. For named SPD entries, there is a need to create 
a new entry to match outbound traffic, and if we create it in the 
SPD, we have to address the question of exactly where it belongs 
relative to the named entry that gave rise to the transient entry.

The processing model for IPsec is not a proscription for 
implementation. It gives details of one way to implement IPsec. The 
intent is that a compliant implementation should behave in an 
identical manner, as viewed by the IPsec peer and by the user/admin, 
no matter how it is implemented locally.  We need at least one model 
to provide a reference, and it is preferable if the model is as 
simple as possible, to make it easy to describe and to understand.

Steve

Follow-Ups:
- Re: SPD Cache in 2401bis
  - From: Tero Kivinen <kivinen@iki.fi>

References:
- Re: SPD Cache in 2401bis
  - From: Stephen Kent <kent@bbn.com>
- Re: SPD Cache in 2401bis
  - From: itojun@itojun.org (Jun-ichiro itojun Hagino)
- Re: SPD Cache in 2401bis
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>

Prev by Date: Re: SPD Cache in 2401bis
Next by Date: Re: SPD Cache in 2401bis
Previous by thread: Re: SPD Cache in 2401bis
Next by thread: Re: SPD Cache in 2401bis
Index(es):
- Date
- Thread