Jack Kohn writes:

> Do folks have to implement this RFC since it's of the INFORMATIONAL
> type?
No, and the same applies to WESP. You need either (or both) of them if and only if you operate in environments where they are suitable, and where you require the features provided by them.

> If Yes, then i would like some sort of resolution to the issues raised in
> http://www.ietf.org/mail-archive/web/ipsec/current/msg05471.html

I do not see any explicit issues raised in that email; mostly I see comments mixing up TCP/UDP flows (which can be short lived) and IPsec flows (which usually are not short lived), and comments that it is not suitable for certain limited platforms.

> As a developer I would like to understand how I am required to
> do cache management, etc., and some pointers to this effect would be
> appreciated.

This is an engineering problem that does not really affect the heuristics that much, and there are lots of algorithms that can be used there. Which of them is best depends quite a lot on the network environment. In some environments one algorithm works best, and in some other environments some other algorithm is better.

There are already devices which solve much harder problems, for example deep inspection engine devices (intrusion detection and/or prevention systems). The problems they solve are much harder than what the heuristics need to do, as they need to keep track of each UDP and TCP flow separately. The heuristics only need to keep track of IPsec SAs. Usually a single IPsec SA has multiple TCP/UDP flows inside, so the problem of keeping track of IPsec flows is easier than keeping track of TCP/UDP flows.

As this problem of keeping track of TCP/UDP flows has already been solved by multiple vendors, in multiple products, I do not think we need to start writing text about the cache management or algorithms. This problem is not specific to the ESP-NULL heuristics; it is a generic flow management problem, which has been solved before.
> I also think that we need to mention that this does open up a window
> for DoS attacks as explained in the above post in the Security
> Considerations section.

What DoS attack are you talking about? If you can provide me some text I can put in the draft, I am happy to do so, but anyway I would first need to know which DoS attack you are talking about.

--
kivi...@iki.fi