Re: Comments on draft-ietf-ipsec-new-auth-00.txt
Steven Bellovin <smb@research.att.com> Fri, 18 April 1997 14:24 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA01377 for ipsec-outgoing; Fri, 18 Apr 1997 10:24:12 -0400 (EDT)
Message-Id: <199704181426.KAA08328@raptor.research.att.com>
To: Thomas Narten <narten@raleigh.ibm.com>
cc: dpkemp@missi.ncsc.mil, ipsec@tis.com
Subject: Re: Comments on draft-ietf-ipsec-new-auth-00.txt
Date: Fri, 18 Apr 1997 10:26:58 -0400
From: Steven Bellovin <smb@research.att.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
> Perhaps I am missing something important, but I've never understood the > justification for negotiating replay window sizes. I also agree, and have been disheartened by the number of times the above question has been asked but not answered. Indeed, it has been my impression that the vast majority of IP packets are delivered in order (one reason why TCP's header prediction works well in practice). It is rare in practice to have packets arrive out of order. Which begs the question of whether a window is even needed. Does someone have data that argues otherwise? Yes, there is data. I've heard Vern Paxson's talk on his measurements, and a reasonably high percentage of TCP connections do see out-of-order packets. Furthermore, since dropped packets have a very serious effect on TCP throughput, it's really worth some effort to avoid any extra drops. The incidence of out-of-order delivery seems to depend on the site involved. This suggests that it's useful if a site can tune its own replay window. (There was at least one incident where a window of *54* would have been necessary to accept the packet!) Vern felt that currently, a window of 32 was quite sufficient. But it does seem prudent to plan ahead for 64 some day. In any case, this is certainly a receiver issue *only*. Yes. I still don't understand what a sender can possibly do differently, even if a receiver indicates that it needs a larger replay window.
- Comments on draft-ietf-ipsec-new-auth-00.txt Rob Glenn
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt David P. Kemp
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Stephen Kent
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Thomas Narten
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Naganand Doraswamy
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Steven Bellovin
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Stephen Kent
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Stephen Kent
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Thomas Narten
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Daniel Harkins
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Vern Paxson
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt C. Harald Koch
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Thomas Narten
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Norman Shulman
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Daniel Harkins
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Angelos D. Keromytis
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Bill Sommerfeld
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Perry E. Metzger
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Daniel Harkins
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Steven M. Bellovin
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Stephen Kent
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Stephen Kent
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Steven M. Bellovin
- Re: Comments on draft-ietf-ipsec-new-auth-00.txt Stephen Kent