netdev

Re: [RFC] IPSEC failover and replay detection sequence numbers

To: hadi@xxxxxxxxxx
Subject: Re: [RFC] IPSEC failover and replay detection sequence numbers
From: KOVACS Krisztian <hidden@xxxxxxxxxx>
Date: Fri, 29 Oct 2004 15:24:37 +0200
Cc: netdev@xxxxxxxxxxx, ipsec-tools-devel@xxxxxxxxxxxxxxxxxxxxx, vpn-failover@xxxxxxxxxxxxxxxx
In-reply-to: <1099054721.1027.118.camel@jzny.localdomain>
References: <1099045435.2888.47.camel@nienna.balabit> <1099054721.1027.118.camel@jzny.localdomain>
Sender: netdev-bounce@xxxxxxxxxxx
  Hi,

On 2004-10-29 (Fri) at 14:58, jamal wrote:
> To take a rough estimate of 5K users, how often do you think
> these replay messages will be generated?
> 
> Is there a (clever) way to avoid transporting them and still achieve
> an accurate failover?

  There is, provided that you do not want replay detection to work after
a failover. The more often you would send sequence number updates the
smaller the possible replay window will be. If you sacrifice scalability
you get more accurate replay detection.

  To play with numbers: say that you have 5K users, so let's suppose
there are at most 20K IPSEC SAs. If you decide to send an update per
second, that would mean 20K updates/second. If each update message is 20
bytes long, that means that on Ethernet you can transmit all of them in
about 280 packets. That's not too much. (I suppose the 20K pfkey
messages would be much more of a problem, though...)

-- 
 Regards,
   Krisztian KOVACS
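The tradeoff Krisztian describes above (fewer sequence-number updates means a larger window of replayable packets after failover; more updates mean less scalability) can be made concrete with a small model. The following Python is an added example for this archived thread, not code from the thread or from any IPsec implementation: it implements a sliding anti-replay window in the style of RFC 2401 Appendix C, rebuilds a backup node's state from a sync message that carries only the inbound sequence number (the 20-byte-ish update message of the estimate above), and counts how many captured packets the backup would wrongly accept, and how many fresh packets it would wrongly drop if it instead skipped ahead by one interval. The 64-bit window, the class and function names, and the "sequence number only" sync format are assumptions made for the example.

```python
# Added example for this thread (not code from the discussion or from any
# IPsec implementation): a model of ESP anti-replay state and of what a backup
# node can reconstruct when only the inbound sequence number is synchronised
# every N packets.

WINDOW_BITS = 64  # assumed window size; RFC 2406 recommends 64 (32 minimum)


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 2401 Appendix C."""

    def __init__(self, window_bits=WINDOW_BITS):
        self.window_bits = window_bits
        self.mask = (1 << window_bits) - 1
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number last_seq - i was seen

    def check_and_update(self, seq):
        """Accept seq (return True) if it is new, else reject it (False)."""
        if seq == 0:
            return False                      # ESP sequence numbers start at 1
        if seq > self.last_seq:               # right of the window: advance it
            shift = seq - self.last_seq
            if shift >= self.window_bits:
                self.bitmap = 1               # everything old falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.window_bits:
            return False                      # left of the window: too old
        if self.bitmap & (1 << diff):
            return False                      # inside the window, seen: replay
        self.bitmap |= 1 << diff
        return True

    @classmethod
    def from_sync(cls, synced_seq, window_bits=WINDOW_BITS):
        """Rebuild state on the backup from a sync message carrying only the
        sequence number (assumed update format).  The bitmap is unknown, so the
        backup conservatively treats every number inside the window as seen."""
        state = cls(window_bits)
        state.last_seq = synced_seq
        state.bitmap = state.mask if synced_seq else 0
        return state


def failover_outcome(packets_sent, sync_interval, skip_ahead=False):
    """Simulate one SA: the active node receives seq 1..packets_sent and sends
    a sync message every sync_interval packets, then fails.  Returns
    (replays_accepted, legit_dropped) for the backup node, where an attacker
    replays every captured packet and the peer then sends one more interval's
    worth of fresh packets.  skip_ahead=True makes the backup assume the worst
    case (last sync + one interval) instead of trusting the last synced value."""
    active = ReplayWindow()
    last_sync = 0
    for seq in range(1, packets_sent + 1):
        if not active.check_and_update(seq):
            raise RuntimeError("active node rejected its own fresh packet")
        if seq % sync_interval == 0:
            last_sync = active.last_seq       # content of the sync message

    start = last_sync + sync_interval if skip_ahead else last_sync

    # Attack: replay every packet the active node already accepted.
    backup = ReplayWindow.from_sync(start)
    replays_accepted = sum(
        1 for seq in range(1, packets_sent + 1) if backup.check_and_update(seq)
    )

    # Cost: fresh traffic from the peer after failover, on a clean backup.
    backup = ReplayWindow.from_sync(start)
    legit_dropped = sum(
        1 for seq in range(packets_sent + 1, packets_sent + sync_interval + 1)
        if not backup.check_and_update(seq)
    )
    return replays_accepted, legit_dropped


if __name__ == "__main__":
    for interval in (1, 16, 128, 1024):
        print(interval, failover_outcome(100_000, interval),
              failover_outcome(100_000, interval, skip_ahead=True))
```

Without skip-ahead, the replayable window after failover is exactly the number of packets received since the last sync (up to one interval); with skip-ahead no replay gets through, but up to one interval of legitimate traffic is dropped instead. Either way the exposure shrinks linearly with the update rate, which is the scalability cost the message above prices out.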

