The Issue
Since small-packet performance is so critical, if an
IPsec algorithm for encryption or MAC requires a
large context, and if one cannot load that context
quickly enough, the performance of the entire system
may suffer. For example, given a 64-byte packet, the
typical context size for an ESP tunnel transform using
triple-DES and HMAC-SHA is on the order of
100 bytes. This includes 24 bytes for the triple-DES key,
8 bytes for IV (if saved from packet to packet within
the SA), 40 bytes for the precomputed HMAC inner
and outer loop values, and 20–30 other bytes,
including protocol, SPI, sequence number, tunnel
header information (e.g., IP addresses), and other
per-session configuration information (e.g., tunnel
vs. transport mode, byte counts for session lifetime,
etc.). In such systems, these parameters may all
vary from SA to SA and must thus be loaded as
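
Where the 40 bytes of precomputed HMAC state come from, as an added example that is not part of the original text: the key XOR ipad and key XOR opad blocks are each run through one SHA-1 compression when the SA is set up, and the two 20-byte chaining values are stored so that per-packet work starts from them. It assumes "HMAC-SHA" means HMAC-SHA-1; the function names are illustrative.

```python
import hashlib
import struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_compress(state, block):
    # One SHA-1 compression of a 64-byte block; returns the new 5-word state.
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(_rol(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rol(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF, a, _rol(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))

def sha1_finish(state, data, absorbed):
    # Resume hashing from a saved state; `absorbed` bytes were already processed.
    bits = (absorbed + len(data)) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack(">Q", bits)
    for i in range(0, len(data), 64):
        state = sha1_compress(state, data[i:i + 64])
    return struct.pack(">5I", *state)

def precompute_hmac_context(key):
    # Done once per SA: returns inner state (20 bytes) + outer state (20 bytes).
    if len(key) > 64:
        key = hashlib.sha1(key).digest()
    key = key.ljust(64, b"\x00")
    inner = sha1_compress(SHA1_IV, bytes(k ^ 0x36 for k in key))
    outer = sha1_compress(SHA1_IV, bytes(k ^ 0x5C for k in key))
    return struct.pack(">10I", *inner, *outer)

def hmac_sha1_from_context(ctx, msg):
    # Per-packet MAC using only the 40-byte context; the key itself is not needed.
    words = struct.unpack(">10I", ctx)
    inner_digest = sha1_finish(words[:5], msg, 64)
    return sha1_finish(words[5:], inner_digest, 64)
```

For a 64-byte packet this saves two of the five SHA-1 compressions a from-scratch HMAC would need, at the cost of 40 bytes of context that must be loaded with the SA.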