Re: [IPsec] WESP - Roadmap Ahead

Stephen Kent <> Wed, 25 November 2009 14:32 UTC

Date: Wed, 25 Nov 2009 09:31:52 -0500
To: Jack Kohn <>
From: Stephen Kent <>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: "" <>
Subject: Re: [IPsec] WESP - Roadmap Ahead

At 9:05 AM +0530 11/25/09, Jack Kohn wrote:
>  >
>  >...
>Assume we don't have WESP.
>The end router having scores of OSPF adjacencies will have the following
>rules in its database for *each* adjacency:
>Incoming Pkt carries SPI X, then look at the nth bit and if it's an OSPF
>HELLO, put it in Ospfv3HighPrioQueue.
>Incoming Pkt carries SPI X, then look at the mth bit and if it's an OSPF
>ACK, put it in Ospfv3HighPrioQueue.
>This is assuming that SPI X corresponds to ESP-NULL and one can
>disambiguate OSPF Hellos/ACKs from other OSPF packets by looking at
>the nth bit and the mth bit (Please note that n could also be equal to

These packets are arriving on a multicast SA, so the preferred way to 
do the lookup, to make certain that the packet is from a relevant 
router, is to perform the lookup as described in section 4.1 
(pages 12+13) of RFC 4301. That means that these SAs generally are 
uniquely identified based on both the SPI value and the source and/or 
destination addresses.  So, you would need to refine the matching 
algorithm described above based on the rules from 4301.

>Now, if this router has N adjacencies then the # of rules required = 
>2 x N = 2N
>Thus the # of filter entries scales up linearly with the # of adjacencies.

I've always found the 4552 discussion of SA use a bit confusing, but 
my recollection is that it called for reusing SAs in a way to avoid 
this problem (see Figure 3, section 7, page 7). But I am not 
completely confident about this, based on the wording in that RFC.

>Now, assume that we were using WESP.
>You would need just two rules in your filter database saying the following:
>Incoming Pkt is WESP integrity Protected, then look at the nth bit and
>if it's an OSPF HELLO, put it in Ospfv3HighPrioQueue.
>Incoming Pkt is WESP integrity Protected, then look at the mth bit and
>if it's an OSPF ACK, put it in Ospfv3HighPrioQueue.

This is much simpler, but also potentially inaccurate. Specifically, 
because it pays no attention to the SAD info, it would grab ANY 
packet that passes through the router, uses WESP, and that matches 
the bits that one uses to decide if a packet is an OSPF HELLO or ACK.

>Thus one now needs only 2 rules in the HW to prioritize packets for
>*all* OSPF adjacencies.

Unless you used some other rules to narrow down the set of packets 
subject to these quick checks, other packets may be grabbed.
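The three classification schemes argued over in this exchange, as an added worked example that is not part of the thread and not code from either author: the per-adjacency rule table that grows as 2N, the two-rule WESP-only match that ignores the SAD, and the refinement Kent asks for, where the WESP match is gated on an RFC 4301 section 4.1 style SAD lookup (SPI + destination + source, then SPI + destination, then SPI alone). Packets are a simplified in-memory model rather than parsed wire bytes; the only real layout used is the OSPFv3 header (RFC 5340), whose Type byte at offset 1 plays the role of "the nth bit". The SA addresses, SPIs and the transit packet are constructed samples; the queue name is taken from the thread.

```python
from dataclasses import dataclass
from typing import Optional

# OSPFv3 packet Type values and header layout (RFC 5340): the Type field is the
# second byte of the OSPFv3 header, which the thread refers to as "the nth bit".
OSPF_HELLO = 1
OSPF_LS_ACK = 5
OSPF_TYPE_OFFSET = 1
HIGH_PRIO_TYPES = {OSPF_HELLO, OSPF_LS_ACK}

HIGH, NORMAL = "Ospfv3HighPrioQueue", "normal"


@dataclass(frozen=True)
class Packet:
    """Simplified view of a received IPsec packet (constructed model, not a wire parser)."""
    src: str
    dst: str
    spi: int
    wesp: bool       # True if a WESP header marks the payload as integrity-only (ESP-NULL)
    payload: bytes   # cleartext bytes following the ESP/WESP headers


def ospf_header(pkt_type: int, router_id: bytes = b"\x0a\x00\x00\x01") -> bytes:
    """Build a minimal 16-byte OSPFv3 header: version 3, Type, length, Router ID,
    Area ID, checksum, Instance ID, reserved (checksum left zero; constructed sample)."""
    return (bytes([3, pkt_type]) + (16).to_bytes(2, "big") + router_id
            + b"\x00" * 4 + b"\x00\x00" + b"\x00" + b"\x00")


def ospf_type(payload: bytes) -> Optional[int]:
    return payload[OSPF_TYPE_OFFSET] if len(payload) > OSPF_TYPE_OFFSET else None


class SAD:
    """Inbound SA database with the three-step lookup order of RFC 4301 section 4.1:
    (SPI, dst, src) first, then (SPI, dst), then SPI alone."""
    def __init__(self):
        self.entries = {}  # (spi, dst, src) -> description

    def add(self, spi: int, dst: Optional[str] = None, src: Optional[str] = None, desc: str = ""):
        self.entries[(spi, dst, src)] = desc

    def lookup(self, pkt: Packet):
        for key in ((pkt.spi, pkt.dst, pkt.src), (pkt.spi, pkt.dst, None), (pkt.spi, None, None)):
            if key in self.entries:
                return key
        return None


def per_sa_rules(sad: SAD) -> dict:
    """The 'no WESP' scheme: two rules per adjacency SA (HELLO and ACK), keyed on the
    SA identity plus the OSPF Type, so the rule table grows as 2N."""
    return {(key, t): HIGH for key in sad.entries for t in HIGH_PRIO_TYPES}


def classify_per_sa(pkt: Packet, sad: SAD, rules: dict) -> str:
    key = sad.lookup(pkt)
    if key is None:
        return NORMAL
    return rules.get((key, ospf_type(pkt.payload)), NORMAL)


def classify_wesp_only(pkt: Packet) -> str:
    """The two-rule WESP scheme: match on the WESP marker and the Type byte, ignoring the SAD.
    Any transit WESP packet whose byte at offset 1 happens to be 1 or 5 is grabbed too."""
    return HIGH if pkt.wesp and ospf_type(pkt.payload) in HIGH_PRIO_TYPES else NORMAL


def classify_wesp_with_sad(pkt: Packet, sad: SAD) -> str:
    """Refinement: still two Type rules, but only for packets that resolve to one of
    this router's own inbound SAs, which removes the false positives."""
    if not pkt.wesp or sad.lookup(pkt) is None:
        return NORMAL
    return HIGH if ospf_type(pkt.payload) in HIGH_PRIO_TYPES else NORMAL


def demo() -> dict:
    sad = SAD()
    # Constructed adjacency SAs: multicast SAs identified by SPI + dst + src.
    sad.add(0x100, "ff02::5", "fe80::a", "OSPFv3 from router A")
    sad.add(0x100, "ff02::5", "fe80::b", "OSPFv3 from router B")
    rules = per_sa_rules(sad)

    hello_from_a = Packet("fe80::a", "ff02::5", 0x100, True, ospf_header(OSPF_HELLO))
    update_from_b = Packet("fe80::b", "ff02::5", 0x100, True, ospf_header(4))  # LS Update
    # Constructed transit WESP packet on an unrelated SA whose second payload byte is 1.
    transit = Packet("2001:db8::99", "2001:db8::7", 0xBEEF, True, b"\x17\x01not-ospf-data")
    pkts = (hello_from_a, update_from_b, transit)

    return {
        "per_sa": [classify_per_sa(p, sad, rules) for p in pkts],
        "wesp_only": [classify_wesp_only(p) for p in pkts],
        "wesp_sad": [classify_wesp_with_sad(p, sad) for p in pkts],
        "rule_count": len(rules),  # 2 adjacencies -> 4 per-SA rules
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the failure mode from the reply: the WESP-only classifier puts the unrelated transit packet into the high-priority queue, while both the per-SA table and the SAD-gated WESP check leave it in the normal path; the per-SA table needs four rules for two adjacencies, the WESP variants need only the two Type checks plus the SAD lookup the router performs anyway.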