At 9:34 PM +0200 1/6/10, Yaron Sheffer wrote:
> Hi Steve,
> [No hat.]
> Thanks for the analysis, I hope this'll help the discussion to converge.
> You are taking an either-or approach in the last
> paragraph below. But assuming that WESP is
> useful (bear with me), there will be a gradual
> deployment within any given network. I agree
> that heuristics will still be needed, until the
> last endpoint is WESP-enabled (i.e., forever).
> But if we adopt W*, during the migration less
> and less heuristic processing will be needed.
> Much of this discussion is about performance, so
> quantitative arguments are also useful.
> Thanks,
> Yaron
Yaron,
So, is the argument that use of W* would reduce
the quantity of traffic that requires heuristic
processing at some stages in the deployment
process, because as the number of WESP-capable
nodes increases, cases 3 & 4 predominate? If this
is the argument, why did it take this long to get
a clear articulation of the argument (and why was
I the one who had to do the analysis to support
it :-))?
That argument makes sense, but only in the
context of other assumptions about deployment
(which have yet to be articulated).
For example, if an enterprise deploys an
intermediate system that can perform packet
inspection on IPsec traffic before most of the
nodes are WESP-capable, then that system will
have to use heuristics to deal with the vast
majority of traffic initially. Such a system
could continue to use those heuristics until
WESP deployment is complete. So that scenario
does not motivate use of W*.
However, if the traffic load grows a lot during
deployment, it might exceed the capacity of the
intermediate system before WESP deployment was
complete. In that case use of W* would help, if
encrypted traffic were a lot more common than
integrity-protected traffic.
Or, one might argue that use of W* would allow
deployment of an intermediate system that uses
WESP, but still incorporates heuristic support,
at an earlier stage in WESP deployment, though
not initially. Of course the (earlier) point at
which such deployment could take place is very
context-specific.
These could be reasonable arguments, but I've not
seen them articulated clearly. Nor have I seen
any rough estimates of ratios of traffic types
and the processing burden of heuristics to
provide some quantitative basis for arguments of
this sort. So, I think the WG needs to do more
homework on this if we're going to make such
arguments.
Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec