On 7/31/20 4:37 AM, Michael Rossberg wrote:

> Somehow associated SAs would perhaps allow us to derive/install a key locally on demand.

Correct. In the original IPsec design, as we had specified that there could be multiple SPIs per SA, the definition of SA was broader than later editors.

> However, due to the combinatorial explosion, these blocks of SAs may easily become pretty large, i.e. with a reservation for multicast senders and QoS groups SPIs may be a little short.

Wow, what architecture are you implementing? After all, 2^32 SPIs by 2^32 packets per SPI are more than the estimated number of silicon atoms! When I originally designed PIPE and reserved v6, that initial draft eliminated the IP ToS field. I've never seen the need, and believe that history has validated my view. Since then, "integrated services" and "differentiated services" and other efforts have long been marketing points to extract money from naive customers, but have had little practical effect. As some folks know, once upon a time I founded one of the first ISPs in 1994. In more than a decade, I'd never had a customer who needed QoS. CoDel did far more for active queue management than QoS. (I was involved in the CeroWRT bufferbloat project, too.) IMnsHO, those who want to shoot themselves in the foot with QoS deserve the complexity and overhead. Still, I've no idea how you'd run out of SPIs.