At 9:05 AM +0530 11/25/09, Jack Kohn wrote:
>
> ...
> Assume we don't have WESP.
> The end router having scores of OSPF adjacencies will have the following
> rules in its database for *each* adjacency:
> Incoming Pkt carries SPI X, then look at the nth bit and if it's an OSPF
> HELLO, put it in Ospfv3HighPrioQueue.
> Incoming Pkt carries SPI X, then look at the mth bit and if it's an OSPF
> ACK, put it in Ospfv3HighPrioQueue.
> This is assuming that SPI X corresponds to ESP-NULL and one can
> disambiguate OSPF Hellos/ACKs from other OSPF packets by looking at
> the nth bit and the mth bit (please note that n could also be equal to
> m).
These packets are arriving on a multicast SA, so the preferred way to
do the lookup, to make certain that the packet is from a relevant
router, is to perform the lookup as described in section 4.1 (pages
12+13) of RFC 4301. That means that these SAs generally are uniquely
identified based on both the SPI value and the source and/or
destination addresses. So, you would need to refine the matching
algorithm described above based on the rules from 4301.
> Now, if this router has N adjacencies then the # of rules required =
> 2 x N = 2N
> Thus the # of filter entries scales up linearly with the # of adjacencies.
I've always found the 4552 discussion of SA use a bit confusing, but
my recollection is that it called for reusing SAs in a way to avoid
this problem (see Figure 3, section 7, page 7). But I am not
completely confident about this, based on the wording in that RFC.
> Now, assume that we were using WESP.
> You would need just two rules in your filter database saying the following:
> Incoming Pkt is WESP integrity protected, then look at the nth bit and
> if it's an OSPF HELLO, put it in Ospfv3HighPrioQueue.
> Incoming Pkt is WESP integrity protected, then look at the mth bit and
> if it's an OSPF ACK, put it in Ospfv3HighPrioQueue.
This is much simpler, but also potentially inaccurate. Specifically,
because it pays no attention to the SAD info, it would grab ANY
packet that passes through the router, uses WESP, and that matches
the bits that one uses to decide if a packet is an OSPF HELLO or ACK.
> Thus one now needs only 2 rules in the HW to prioritize packets for
> *all* OSPF adjacencies.
Unless you used some other rules to narrow down the set of packets
subject to these quick checks, other packets may be grabbed.
Steve
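An added toy model of the two classifier designs discussed in this exchange (my own constructed code, not from either poster or from any RFC): it shows the 2N rule count of the per-SA ESP-NULL design against the 2 rules of the WESP design, and reproduces the caveat that a WESP-only match grabs an unrelated transit packet until it is narrowed by the SAD. The packet fields, SPI values, addresses and the use of OSPFv3 type 1 (Hello) and 5 (LSAck) as stand-ins for the "nth/mth bit" tests are all assumptions of the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified packet model; real ESP/WESP/OSPFv3 headers are not parsed.
@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str                   # "ff02::5" (AllSPFRouters) in the constructed sample
    spi: int
    wesp: bool                 # True: WESP header marks the packet integrity-protected
    ospf_type: Optional[int]   # inner OSPFv3 type: 1=Hello, 5=LSAck, None=not OSPF

HIGH_PRIO = {1, 5}  # the "nth bit"/"mth bit" tests for Hello and Ack

# One SAD entry per adjacency, keyed the way RFC 4301 s4.1 keys multicast SAs:
# SPI plus destination address, here also the source address.
SadEntry = Tuple[int, str, str]  # (spi, src, dst)

def build_sad(n: int) -> List[SadEntry]:
    """Constructed SAD: neighbour i uses SPI 0x1000+i and a link-local source."""
    return [(0x1000 + i, f"fe80::{i + 1}", "ff02::5") for i in range(n)]

def esp_null_rules(sad: List[SadEntry]) -> List[Tuple[int, str, str, int]]:
    """First design: a Hello rule and an Ack rule per adjacency, each bound to
    that neighbour's ESP-NULL SA, so the rule count is 2N."""
    return [(spi, src, dst, t) for (spi, src, dst) in sad for t in sorted(HIGH_PRIO)]

def classify_esp_null(pkt: Pkt, rules) -> bool:
    return any((pkt.spi, pkt.src, pkt.dst, pkt.ospf_type) == r for r in rules)

def wesp_rules() -> List[int]:
    """Second design: two rules for all adjacencies, keyed only on the WESP
    integrity-protected indication plus the Hello/Ack bits."""
    return sorted(HIGH_PRIO)

def classify_wesp(pkt: Pkt, rules, sad: Optional[List[SadEntry]] = None) -> bool:
    if not pkt.wesp or pkt.ospf_type not in rules:
        return False
    if sad is None:
        return True  # no SAD check: any transit WESP packet with matching bits is grabbed
    return any((pkt.spi, pkt.src, pkt.dst) == e for e in sad)  # narrowed by the SAD

def demo(n: int = 5) -> dict:
    sad, w_rules = build_sad(n), wesp_rules()
    esp_rules = esp_null_rules(sad)
    neighbour_hello = Pkt("fe80::1", "ff02::5", 0x1000, True, 1)  # ESP-NULL path ignores wesp flag
    # Transit WESP packet from an unrelated host whose inner bits look like a Hello.
    transit = Pkt("2001:db8::7", "2001:db8::1", 0x9999, True, 1)
    return {
        "esp_null_rule_count": len(esp_rules),                            # 2N
        "wesp_rule_count": len(w_rules),                                  # 2
        "esp_null_hits_neighbour": classify_esp_null(neighbour_hello, esp_rules),
        "esp_null_hits_transit": classify_esp_null(transit, esp_rules),
        "wesp_hits_transit": classify_wesp(transit, w_rules),             # the inaccuracy
        "wesp_sad_hits_transit": classify_wesp(transit, w_rules, sad),
        "wesp_sad_hits_neighbour": classify_wesp(neighbour_hello, w_rules, sad),
    }
```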
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec