Re: [IPsec] Draft-zhang-ipsecme-anti-replay: IPsec anti-replay algorithm without bit-shifting
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 19 May 2011 13:44 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E582E06D9 for <ipsec@ietfa.amsl.com>; Thu, 19 May 2011 06:44:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.141
X-Spam-Level:
X-Spam-Status: No, score=-102.141 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1JB0QWme+neV for <ipsec@ietfa.amsl.com>; Thu, 19 May 2011 06:44:39 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id 54F52E06AC for <ipsec@ietf.org>; Thu, 19 May 2011 06:44:39 -0700 (PDT)
Received: by wyb29 with SMTP id 29so2275594wyb.31 for <ipsec@ietf.org>; Thu, 19 May 2011 06:44:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=Ccc165jyMiS7bvIAlfuoH2wA7dklUxeV1VfY/jNq8sU=; b=ffLfRJVcT5Cq0q36vWBpFwSYzd5m/rExm98jNYtMiiFW5dB5/GJL1EkhTeaCrKF7k+ O4EGZB4W2H4hUhoKTYRjVHrexrFXOC4rj7XxjTCpcvpCn5WNXJFvDWWYJiJN5ZTtcG4+ Zb1nSK5X/6hnN2YxyKqX3vbT1wFOlBgIMtIHA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=fde65JdIkKF2nrEM6tjeBW2VvhrB+jX0noAz7/ANsXQ1/+hXV9hBOpSrykQQd+AWl4 ca/84G7cIspbemyXJJtU2XNNlpwhcSAZe1qpb/2c/WqHCejXShAJu70YFQYKHdbnE1DB cqB1uG102hyYL8sb1mdjDv0kn3vXbHtvXS4Wg=
Received: by 10.227.5.193 with SMTP id 1mr3283456wbw.33.1305812677942; Thu, 19 May 2011 06:44:37 -0700 (PDT)
Received: from [10.0.0.5] (93-173-12-70.bb.netvision.net.il [93.173.12.70]) by mx.google.com with ESMTPS id k12sm1361445wby.33.2011.05.19.06.44.36 (version=SSLv3 cipher=OTHER); Thu, 19 May 2011 06:44:37 -0700 (PDT)
Message-ID: <4DD51EC2.2030709@gmail.com>
Date: Thu, 19 May 2011 16:44:34 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: Tero Kivinen <kivinen@iki.fi>
References: <20110506091501.19592.66261.idtracker@ietfa.amsl.com> <00E6CDB229A4CF4487D6E0326EDE5A030C3A073B@dfweml502-mbx.china.huawei.com> <19925.6746.823649.293241@fireball.kivinen.iki.fi>
In-Reply-To: <19925.6746.823649.293241@fireball.kivinen.iki.fi>
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Xiangyang zhang <xiangyang.zhang@huawei.com>, "ipsec@ietf.org" <ipsec@ietf.org>, Tina Tsou <tena@huawei.com>
Subject: Re: [IPsec] Draft-zhang-ipsecme-anti-replay: IPsec anti-replay algorithm without bit-shifting
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2011 13:44:40 -0000
Thanks,
Yaron
On 05/19/2011 04:25 PM, Tero Kivinen wrote:
Xiangyang zhang writes:This proposal addresses two major issues in IPsec anti-replay service: 1. Some high end security router can configure thousands of bits for anti-replay window. For example, Juniper can configure up to 4096 bits. The bit-shifting for this window is a tremendous burden, resulting in the performance drop. 2. High-end network processor could have multiple crypto cores to access the window. In order to check and update the window, the exclusive lock must be obtained.If I have understood correctly the algorith listed in the rfc4302 etc is only for illustrative pseudo-code, the actual implementations may be different (and at least our implementation do not use bit-shifting at all as it would be way too inefficient). The anti-replay checking in the IPsec is local matter to the implementation and does not have any interoperability requirements in addition that the sequence number field is always present. This draft provides nice alternative algorithm to the one provided in the RFC, but as the algorithm listed in the current rfc is not mandated anyways and there is no externally visible differences in the algorithms I do not see reason to document this as RFC. This would be better as techinal paper about providing faster algorithm for the anti-replay checking.
- Re: [IPsec] Draft-zhang-ipsecme-anti-replay: IPse… Yaron Sheffer
- [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha-pro… Internet-Drafts
- Re: [IPsec] Draft-zhang-ipsecme-anti-replay: IPse… Xiangyang zhang
- Re: [IPsec] Draft-zhang-ipsecme-anti-replay: IPse… Tero Kivinen
- Re: [IPsec] Draft-zhang-ipsecme-anti-replay: IPse… Xiangyang zhang
- Re: [IPsec] Draft-zhang-ipsecme-anti-replay: IPse… Xiangyang zhang
- Re: [IPsec] Draft-zhang-ipsecme-anti-replay: IPse… Tina Tsou