
Re: [Hipsec] One HIP session for multiple flows, or one per flow?

From: Pekka Nikander <pekka.nikander(at)nomadiclab.com>
Date: Wed Mar 19 2003 - 17:38:53 EST

Derek Fawcus wrote:
> My reading of the HIP specs suggests that one session (and SA pairs)

I don't quite understand your concept of flows and sessions. It would help if you would define them or be otherwise more specific.

If your concern is related to traffic classification, I would really recommend using the IPv6 flow label for that. In the IPv4 space, I think that SPI based traffic classification is probably not that good an idea. It creates overloaded semantics, and I don't like that.

Right now the HIP design assumes that you have only one pair of SAs between any hosts. However, I think we have to rethink that in the case the hosts have multiple interfaces. The different paths may have very different latencies and bandwidths, making it hard to deal with the replay protection windows. Thus, it looks like we will need at least an SA per interface.

Based on that, it might be OK to create even more SAs. However, I'd like to see a compelling reason for that. Furthermore, I don't want to complicate the architecture nor the implementation too much. We are still very early in terms of what is the right final architecture, and keeping things simple at this stage will probably pay off later.

--Pekka Nikander



Hipsec mailing list
Hipsec@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/hipsec

Received on Wed Mar 19 18:03:49 2003
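The replay-window problem raised in the message above, as an added example that is not part of the original post or of any HIP implementation: a sliding-window anti-replay check is run over traffic split across a fast and a slow path, first with one shared SA and then with one SA per interface. The 64-packet window, the 5 ms and 200 ms latencies, the one-packet-per-millisecond send rate and all names are assumptions chosen for illustration.

```python
# Added illustration: sliding-window anti-replay check of the kind an ESP SA uses.
# WINDOW, the latencies and the send rate are constructed values, not from the post.
WINDOW = 64

class ReplayWindow:
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit k set => sequence number (top - k) already seen

    def accept(self, seq):
        if seq > self.top:                      # new highest: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if seq == 0 or offset >= self.size:     # left of the window: too old
            return False
        if self.bitmap & (1 << offset):         # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True

def simulate(n_packets, latencies_ms, per_path_sa, interval_ms=1):
    """Send packets round-robin over the paths; return how many genuine
    packets the receiver's replay check discards."""
    n_paths = len(latencies_ms)
    n_sas = n_paths if per_path_sa else 1
    next_seq = [0] * n_sas                      # one sequence counter per SA
    windows = [ReplayWindow() for _ in range(n_sas)]
    arrivals = []
    for i in range(n_packets):
        path = i % n_paths
        sa = path if per_path_sa else 0
        next_seq[sa] += 1
        arrivals.append((i * interval_ms + latencies_ms[path], i, sa, next_seq[sa]))
    dropped = 0
    for _, _, sa, seq in sorted(arrivals):      # receiver sees arrival order
        if not windows[sa].accept(seq):
            dropped += 1
    return dropped

if __name__ == "__main__":
    paths = [5, 200]                            # fast and slow interface, in ms
    print("one SA pair for both paths:", simulate(1000, paths, per_path_sa=False))
    print("one SA per interface:      ", simulate(1000, paths, per_path_sa=True))
```

With a shared SA, nearly every packet sent over the slow path arrives after the window has moved past its sequence number and is discarded as if it were a replay; with a separate SA per interface each path's packets arrive in order and none are lost.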

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:58 EDT
