At 4:44 AM +0000 4/6/12, Xiangyang zhang wrote:
Steve,
Your understanding is partially right. Only that the anti-replay window
could possibly be bigger if two paths go along different routes.
If two paths go along the same route, there is no difference from
the traditional single SA. But the attacker does not know two paths
carry the same flow of traffic.
When you take a sequence of packets and spread them over multiple SAs, you
create new opportunities for the packets to arrive out of order at
the destination. They have to be merged at the destination, either at
the host or at an SG. If they are merged at an SG, new functionality
is required to buffer the packets and re-order them. If not, then
variances in traffic handling at each end create new opportunities
for reordering of traffic, and/or added jitter. OOO arrival is not
good for TCP connections, irrespective of the IPsec anti-replay
window. Jitter is also not great, especially for some realtime apps
that run over UDP.
For security consideration, could you point out what is in error?
Your text refers to multiple paths, when you mean multiple SAs.
Thanks,
Victor
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
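The exchange above turns on how the ESP anti-replay window behaves when one packet sequence is spread over paths with different delays. The following is an added example, not code from the thread or from any IPsec implementation: an RFC 4303 Appendix A style sliding window, plus a constructed simulation in which packets are dealt round-robin over two paths whose one-way delays differ. The packet count, per-path delays and window sizes are assumptions chosen to make the effect visible. It shows that with a single SA the window must be wider than the inter-path skew (in packets) or late packets are discarded as "too old", whereas one SA per path, each with its own sequence-number space and window, drops nothing regardless of skew.

```python
"""Added example (not part of the original thread): an RFC 4303-style ESP
anti-replay window, plus a constructed simulation of one packet sequence
spread over two paths whose one-way delays differ.  Delays, packet count
and window sizes below are assumptions, not values from the thread."""


class AntiReplayWindow:
    """Sliding anti-replay window (RFC 4303, Appendix A).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has already been received.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True if `seq` is accepted, False if it is a replay or too old."""
        if seq == 0:
            return False                      # ESP never uses sequence number 0
        if seq > self.top:                    # right of the window: slide it
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything older fell off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset
        return True


def arrival_order(num_packets, path_delays):
    """Spread seq 1..num_packets round-robin over paths with the given one-way
    delays (in packet slots) and return (seq, path) pairs in the order they
    reach the receiver.  Constructed model: the sender emits one packet per slot
    and nothing else reorders traffic."""
    sends = []
    for seq in range(1, num_packets + 1):
        path = (seq - 1) % len(path_delays)
        sends.append((seq + path_delays[path], seq, path))
    sends.sort()                              # by arrival time, then seq
    return [(seq, path) for _, seq, path in sends]


def simulate_single_sa(num_packets, path_delays, window_size):
    """One SA, one sequence-number space, one window at the receiver.
    Returns (accepted, dropped)."""
    w = AntiReplayWindow(window_size)
    results = [w.check_and_update(seq)
               for seq, _ in arrival_order(num_packets, path_delays)]
    return results.count(True), results.count(False)


def simulate_per_sa(num_packets, path_delays, window_size):
    """One SA per path: each path numbers its own packets and the receiver
    keeps a window per SA.  Returns (accepted, dropped)."""
    windows = [AntiReplayWindow(window_size) for _ in path_delays]
    next_seq = [1] * len(path_delays)
    per_sa_seq = {}
    for seq in range(1, num_packets + 1):
        path = (seq - 1) % len(path_delays)
        per_sa_seq[seq] = next_seq[path]
        next_seq[path] += 1
    results = [windows[path].check_and_update(per_sa_seq[seq])
               for seq, path in arrival_order(num_packets, path_delays)]
    return results.count(True), results.count(False)


if __name__ == "__main__":
    # Second path is 10 packet slots slower than the first.
    print(simulate_single_sa(20, (0, 10), 64))   # window wider than the skew
    print(simulate_single_sa(20, (0, 10), 8))    # window narrower than the skew
    print(simulate_per_sa(20, (0, 10), 8))       # one SA and window per path
```

With the assumed skew of 10 slots, a single SA with a 64-packet window accepts all 20 packets, a single SA with an 8-packet window silently discards the first five packets from the slow path as too old, and per-path SAs accept everything because each SA's packets arrive in their own order. The per-path case is exactly what Zhang describes, and the drop in the second case is the cost that a merging SG would have to avoid by buffering and re-ordering before a single-window check.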