The comments thus far seem to be mixed. This is a perennial topic. We spent much time on it in PIPE/SIPP/IPv6.
We agreed on leading for AH and trailing for ESP.

When I wrote the KA9Q NOS code implementing Van Jacobson's packet buffers that eventually was ported to Linux by Alan Cox, the code knew it had an incoming Ethernet or PPP frame, and offset the head on a 16-bit or 32-bit boundary as needed with enough space at the tail for all trailing bytes. The IP header was always on a 64-bit boundary. Hopefully, that code is still present.

In modern CPUs, there's always an issue with cache lines. But for a parallel implementation, it really isn't going to matter. The CPU that finishes last and needs to check the ICV isn't particularly likely to be the CPU that processed the initial header anyway.

As a matter of historical record, this was also a long debate for TCP. The default is leading, and there is a TCP option for trailing checksum. Might it be a non-default option negotiated per SPI?

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec