Re: [IPsec] WESP - Roadmap Ahead

Jack Kohn <> Thu, 26 November 2009 00:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0862D3A67CC for <>; Wed, 25 Nov 2009 16:17:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.549
X-Spam-Status: No, score=-2.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0t8MEIOSyRrH for <>; Wed, 25 Nov 2009 16:17:47 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 193793A67AF for <>; Wed, 25 Nov 2009 16:17:47 -0800 (PST)
Received: by yxe4 with SMTP id 4so261976yxe.32 for <>; Wed, 25 Nov 2009 16:17:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=44XtFcxBPKn/obXUUk/YCui+jSjqwTnAqzwSy65t1dA=; b=WI0fBL7lRlFqs/gOKmP41tIjjJhDAVQ1kmLiIbUtUX4qztI6XH3cKVA0XQ7sEifAfM kszuOPJ14DpReLCvo8/0Fb0tL0IAqgQe2uXMMBsN90dDWnjD42A4kgH0L2ZUj8N5Id1A SnjgaHlU/dBcmR7XGLlo1sDfJE3eanp77D01U=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=yFH7kYVkmVE89R5yjKvTJ5u0QVbjSrMYRVAeB8ELC9+Q6bAjku2iWsOhXXzRzHnUGe MmjpmSegWwmXaWIvt06RMAYNWDZU9qHhMVwJoYs/df459cO3SkWZz6z2V4uKxzytI+GA Nz1qy002e9bthB0zeFi6yF8KJmQvcMWic9zmU=
MIME-Version: 1.0
Received: by with SMTP id 9mr11178314agp.11.1259194653500; Wed, 25 Nov 2009 16:17:33 -0800 (PST)
In-Reply-To: <p06240808c732ed309450@>
References: <> <p06240805c7272bb53718@> <> <p06240804c729109c4f93@> <> <p06240804c72ef7906c90@> <> <p0624080cc7309f6414a0@> <> <p06240808c732ed309450@>
Date: Thu, 26 Nov 2009 05:47:33 +0530
Message-ID: <>
From: Jack Kohn <>
To: Stephen Kent <>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "" <>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 26 Nov 2009 00:17:48 -0000

>> Now, assume that we were using WESP.
>> You would need just two rules in your filter database saying the
>> following:
>> Incoming Pkt is WESP integrity Protected, then look at the nth bit and
>> if its a OSPF HELLO, put it in Ospfv3HighPrioQueue.
>> Incoming Pkt is WESP integrity Protected, then look at the mth bit and
>> if its a OSPF ACK, put it in Ospfv3HighPrioQueue.
> This is much simpler, but also potentially inaccurate. Specifically, because
> it pays no attention to the SAD info, it would grab ANY packet that passes
> through the router, uses WESP, and that matches the bits that one uses to
> decide of a packet is an OSPF HELLO or ACK.

Obviously the following rules would only be applied if the IP packet
was addressed to the router that was doing these checks. This way it
will not trap the other packets passing through this router.

>> Thus one now needs only 2 rules in the HW to prioritize packets for
>> *all* OSPF adjacencies.
> Unless you used some other rules to narrow down the set of packets subject
> to these quick checks, other packets may be grabbed.

Same as above. It is trivial to find out if the packet is locally
bound, or needs to be routed.