RE: iSCSI and the IPSEC replay window

To: aboba@internaut.com, ips@ece.cmu.edu
Subject: RE: iSCSI and the IPSEC replay window
From: Black_David@emc.com
Date: Tue, 9 Jan 2001 18:08:05 -0500
Content-Type: text/plain
Sender: owner-ips@ece.cmu.edu

Hmm ... I would have thought that the separate
TCP connections for the alternate paths
would use separate IPsec SAs and hence would
not share a replay window, making this a non-
issue.  Steve Kent had a number of things to
say in the ipsec WG about running IPsec at
gigabit speeds, all of which are probably
applicable to iSCSI, but best left to the
ipsec WG.

--David

> -----Original Message-----
> From:	Bernard Aboba [SMTP:aboba@internaut.com]
> Sent:	Tuesday, January 09, 2001 12:33 PM
> To:	ips@ece.cmu.edu
> Subject:	iSCSI and the IPSEC replay window
> 
> At IETF 49, we had a presentation on use of IPSEC in
> iSCSI. While I'm generally positive on the concept
> of re-using IPSEC in this way, there are some things
> to think about. 
> 
> One of these is the effect of the IPSEC replay window
> on TCP behavior. At the 1+ Gbps speeds of iSCSI, it
> strikes me that even a small variation in delay 
> between two alternate paths will result in falling
> outside the IPSEC replay window if it is set to a
> small, fixed value (say 64 packets). 
> 
> So the size of the IPSEC replay window should probably
> scale with transmission speed. 
> 
> Do we understand how this ought to work and is there
> a potential for some unforseen effects?
> 
> Inquiring minds want to know ;)

Follow-Ups:
- RE: iSCSI and the IPSEC replay window
  - From: "Bernard Aboba" <aboba@internaut.com>

Prev by Date: RE: markers
Next by Date: Re: iSCSI : On the subject of R2T and Task Tags.
Prev by thread: Re: iSCSI: header digest error at initiator
Next by thread: RE: iSCSI and the IPSEC replay window
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:05:56 2001
6315 messages in chronological order