Re: [Last-Call] [secdir] [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

Hi Joe,

On Jun 2, 2022, at 12:55 AM, Valery Smyslov <svan@xxxxxxxx> wrote:

Hi Joe,

one more question:

          You can also note that there are ways to mitigate the cost of resync when
          this implementation is tightly coupled with TCP, e.g., by ensuring every Nth
          IPsec packet starts at the beginning of a new TCP packet.

         How would this help? Can you please elaborate?

If every 4th IPsec packet is always aligned to the TCP segment data start, then resync checks could be simple and rapid - check only the first bytes for a known pattern.

That makes resync happen with lower overhead, i.e., rather than searching the whole payload.

          Interesting idea, but how would the receiving node know that the sending node employs this method?
          And, in my understanding, some middleboxes can re-arrange TCP segments, merging and splitting them,
          so the beginning of an IPsec packet may still appear in the middle of a TCP segment (the same can happen
          with retransmissions, but I guess you assume that the sending TCP/IP stack would take care of this case, though it adds complexity).

         So, I think that the idea is interesting, but the additional complexity and unreliability make it not so attractive.

          Regards,
          Valery.

Joe
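The trade-off discussed above, as an added illustration that is not part of the thread, RFC 8229 or any implementation: a receiver that has lost framing on a TCP-encapsulated IKE/ESP stream first tries the "every Nth packet starts a segment" shortcut at the TCP segment boundaries it observed, and falls back to scanning every byte when re-segmentation has broken that alignment. The 16-bit length prefix and the 4-zero-byte non-ESP marker are RFC 8229 framing; the plausibility heuristic, the sample SPI and the payload bytes are constructed for the example.

```python
import struct

# Constructed sample values (not from the thread): this receiver's inbound SPI set.
NON_ESP_MARKER = b"\x00\x00\x00\x00"          # RFC 8229: 4 zero bytes precede an IKE message
KNOWN_SPIS = {0x1234ABCD}                      # SPIs of this receiver's own inbound ESP SAs

def frame(msg: bytes) -> bytes:
    """RFC 8229 framing: 16-bit network-order length that counts the length field itself."""
    return struct.pack("!H", len(msg) + 2) + msg

def plausible_frame_start(buf: bytes, off: int) -> bool:
    """The cheap 'known pattern' check from the thread: a sane length followed by either
    the non-ESP marker or an SPI we actually own.  A match still needs confirming (the next
    frame must also parse, the ESP ICV must verify) before the stream is trusted again."""
    if off < 0 or off + 6 > len(buf):
        return False
    (length,) = struct.unpack_from("!H", buf, off)
    if length < 6 or off + length > len(buf):
        return False
    head = buf[off + 2:off + 6]
    return head == NON_ESP_MARKER or int.from_bytes(head, "big") in KNOWN_SPIS

def resync(buf: bytes, segment_starts) -> tuple:
    """Try the TCP segment boundaries first (only valid if the sender aligned every Nth
    packet and nothing re-segmented the stream); otherwise fall back to scanning every byte.
    Frames before the chosen offset are lost either way; that is the cost of resync."""
    for off in segment_starts:
        if plausible_frame_start(buf, off):
            return off, "aligned"
    for off in range(len(buf) - 5):
        if plausible_frame_start(buf, off):
            return off, "scanned"
    return -1, "none"

# Sender: two frames per TCP segment, so every 2nd frame starts a new segment.
SPI = struct.pack("!I", 0x1234ABCD)
SEG0 = frame(NON_ESP_MARKER + bytes(range(0x21, 0x29))) + frame(SPI + b"\x00\x00\x00\x01" + b"\xAA" * 8)
SEG1 = frame(NON_ESP_MARKER + b"\x31" * 8) + frame(SPI + b"\x00\x00\x00\x02" + b"\xBB" * 8)
STREAM = SEG0 + SEG1

# Receiver lost framing and now holds the stream from byte 5 onward (mid-frame).
LOST = 5
DESYNCED_BUF = STREAM[LOST:]
ALIGNED_STARTS = [len(SEG0) - LOST]            # boundary exactly as the sender emitted it
RESEGMENTED_STARTS = [len(SEG0) + 8 - LOST]    # a middlebox moved the segment split

def demo():
    return resync(DESYNCED_BUF, ALIGNED_STARTS), resync(DESYNCED_BUF, RESEGMENTED_STARTS)

if __name__ == "__main__":
    print(demo())   # ((27, 'aligned'), (9, 'scanned'))
```

With intact segmentation the aligned check succeeds at the segment boundary, skipping the frame that the full scan would have recovered at offset 9; once a middlebox moves the split, the aligned check fails and only the full scan finds a frame start, which is the unreliability Valery points out.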

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
