I was forwarded this message. As a matter of fact, I've never left the list,
but very rarely read it.
Speaking as one of the original designers of ESP, I'm delighted that folks
are finally catching up to our original design of 25+ years ago!
There's no need to rename ESP. The Security Paramete
No firestorm on the previous message, so here's more fuel
On 7/22/20 6:26 AM, Michael Rossberg wrote:
* Allow multiple windows per SA to allow for scaling over CPUs, windows per QoS class & replay protection in multicast groups
In the SIPP (IPv6) IPng WG, where we were d
On 7/24/20 4:42 PM, Michael Rossberg wrote:
@William: The 16-bit sender ID is something we already get from protocols like GDOI to do IV space partitioning (details in https://tools.ietf.org/html/rfc6054). So the mistake is already there.
My memory was 8 bits, ludicrously small. Reading more
On 7/24/20 2:28 PM, William Allen Simpson wrote:
Therefore, I'd recommend that IPsec instead implement a block of related SPIs.
Each SPI should have its unique session-key as usual, but all would have the
same next protocol header and TCP/UDP port associated with the same flow.
In the Pho
The comments thus far seem to be mixed. This is a perennial topic.
We spent much time on it in PIPE/SIPP/IPv6.
We agreed on leading for AH and trailing for ESP.
When I wrote the KA9Q NOS code implementing Van Jacobson's packet
buffers that eventually was ported to Linux by Alan Cox, the code kn
On 7/31/20 4:32 AM, Steffen Klassert wrote:
Architectures can change the 2 byte NET_IP_ALIGN if they prefer
DMA alignment over IP alignment.
As I mentioned in an earlier email, my most recent RFC work is RDMA.
While that would be possible for some algorithms, I've never seen that
a single c
On 7/31/20 4:37 AM, Michael Rossberg wrote:
Somehow associated SAs would perhaps allow us to derive/install a key locally
on demand.
Correct. In the original IPsec design, as we had specified that there could be
multiple SPIs per SA, the definition of SA was broader than later editors.
Ho
On 8/3/20 4:17 AM, Michael Rossberg wrote:
Unfortunately I develop systems for a customer who uses DS for some (maybe non-technical) reason.
Helpful to not use abbreviations. DS = storage Data Servers? AWS Directory Service? Microsoft Domain Services?
The issue I am struggling with: If