> On Jul 16, 2019, at 06:02, Sandeep Kampati <[email protected]> wrote:
>
> If we send more number of cryptographic suites the percentage of saving will
> increase

But for a rekey, the initiator could just send the currently used negotiated transforms. It knows these are accepted / favoured. If for some reason the currently used transforms are no longer accepted, it could do a new initial exchange after the rekey failed, or another rekey attempt with more ciphers. So the gain should not be measured against the 120 transforms.

> Most of deployment scenario what I observed is initiator is sending at least
> 5 cryptographic suites, in some deployment scenarios they are sending 120
> cryptographic suites

Strongswan is known to send everything it got. Which is a giant amount. With debugging enabled, the entire code was so slow the exchange timed out. We had to rewrite the proposal parser to be smarter. But I only expect such a large set on the initial exchanges - not on rekeys.

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
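
To put rough numbers on the baseline discussed in this message, the following added example (not part of the original thread, and not code from any IKE implementation) encodes an IKEv2 SA payload following the RFC 7296 section 3.3 layout and compares a rekey that offers five suites with one that offers only the negotiated suite. The suites, the all-zero 8-byte SPI and the function names are assumptions constructed for illustration.

```python
import struct

ENCR, PRF, INTEG, DH = 1, 2, 3, 4      # Transform Types, RFC 7296 section 3.3.2
KEY_LENGTH_ATTR = 0x800E               # AF bit set, attribute type 14 (Key Length)

def transform(ttype, tid, keylen=None, last=False):
    """Transform substructure: 8-byte header plus optional key-length attribute."""
    attrs = struct.pack("!HH", KEY_LENGTH_ATTR, keylen) if keylen else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs),
                       ttype, 0, tid) + attrs

def proposal(num, suite, spi, proto=1, last=False):
    """Proposal substructure (protocol ID 1 = IKE) wrapping its transforms."""
    body = b"".join(transform(*t, last=(i == len(suite) - 1))
                    for i, t in enumerate(suite))
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(body),
                      num, proto, len(spi), len(suite))
    return hdr + spi + body

def sa_payload(suites, spi=b"\x00" * 8):
    """SA payload: generic payload header (next payload left 0) + proposals."""
    body = b"".join(proposal(i + 1, s, spi, last=(i == len(suites) - 1))
                    for i, s in enumerate(suites))
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

# Constructed suites (IANA transform IDs); not taken from any real deployment.
NEGOTIATED = [(ENCR, 20, 256), (PRF, 5), (DH, 19)]             # AES-GCM-16-256
CONFIGURED = [
    NEGOTIATED,
    [(ENCR, 20, 128), (PRF, 5), (DH, 19)],                     # AES-GCM-16-128
    [(ENCR, 12, 256), (PRF, 5), (INTEG, 12), (DH, 14)],        # AES-CBC-256/SHA2-256
    [(ENCR, 12, 128), (PRF, 5), (INTEG, 12), (DH, 14)],        # AES-CBC-128/SHA2-256
    [(ENCR, 12, 128), (PRF, 2), (INTEG, 2), (DH, 14)],         # AES-CBC-128/SHA1
]

def rekey_sizes():
    """Return (bytes with all configured suites, bytes with negotiated suite only)."""
    return len(sa_payload(CONFIGURED)), len(sa_payload([NEGOTIATED]))

if __name__ == "__main__":
    full, minimal = rekey_sizes()
    print(f"all configured suites: {full} bytes, negotiated only: {minimal} bytes")
```
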
