Hi Sam,

On 01/19/2011 10:13 AM, Sam Hartman wrote:
> "Michael" == Michael Barnes<[email protected]> writes:
>
> Michael> Hi Sam,
> Michael> On 01/14/2011 04:34 AM, Sam Hartman wrote:
> >> We could have separate authentication challenge packets.
> >> However, the advantage of the current approach is that I think we
> >> can get to a point where we have one or two extra packets total
> >> for a cold-start situation, rather than an extra packet or two
> >> per neighbor. I don't know that the current rules for receiving
> >> and sending packets actually achieve this, but I believe we can
> >> get there with some minor changes.
>
> Michael> I've been giving this some thought, and I think exchanging
> Michael> a couple of additional packets in the cold start situation
> Michael> is more desirable than overloading the Hello packet with an
> Michael> additional security role. The Hello packet already services
> Michael> two very important purposes - discovery and keep alive. It
> Michael> is highly desirable not to add to the processing overhead
> Michael> for these packets.
>
> I'd like to understand your concerns here. Are you concerned about CPU
> for processing the hello packet? Bandwidth of the hello packets? I'd
> like to actually get educated about the tradeoffs enough that I can
> have an intelligent discussion.

I don't think the bandwidth is really an issue, but CPU is. It is important that processing of these packets can be completed as quickly as possible. We are constantly being asked to scale to ever larger numbers of neighbors, and adding overhead to Hello packets could make this security mechanism undesirable in those settings.

Regards,
Michael

_______________________________________________
OSPF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ospf
