Re: Comments on draft-ietf-ipsec-new-auth-00.txt

[Steven Bellovin <smb@research.att.com>]

	 > Perhaps I am missing something important, but I've never understood 
	the
	 > justification for negotiating replay window sizes.
	 
	 I also agree, and have been disheartened by the number of times the
	 above question has been asked but not answered.  Indeed, it has been
	 my impression that the vast majority of IP packets are delivered in
	 order (one reason why TCP's header prediction works well in
	 practice). It is rare in practice to have packets arrive out of
	 order. Which begs the question of whether a window is even
	 needed. Does someone have data that argues otherwise?

Yes, there is data.  I've heard Vern Paxson's talk on his measurements,
and a reasonably high percentage of TCP connections do see out-of-order
packets.  Furthermore, since dropped packets have a very serious effect
on TCP throughput, it's really worth some effort to avoid any extra drops.

The incidence of out-of-order delivery seems to depend on the site
involved.  This suggests that it's useful if a site can tune its own
replay window.  (There was at least one incident where a window of *54*
would have been necessary to accept the packet!)

Vern felt that currently, a window of 32 was quite sufficient.  But it
does seem prudent to plan ahead for 64 some day.
	 
	 In any case, this is certainly a receiver issue *only*.

Yes.  I still don't understand what a sender can possibly do differently,
even if a receiver indicates that it needs a larger replay window.