Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments


Dragan Grebovich writes:
> I looked for some traffic stats in a real, large enterprise network and
> I found that UDP comprises 25-30% vs. TCP 70-75% of all traffic.  The
> stats were measured on multiple places in the network, and multiple
> samples were taken over the past 6 weeks.  Also, there is a slow but
> consistent growth of UDP traffic over the past couple of years, pointing
> to a long term trend.

Can you provide information on what kind of UDP traffic that was? I would
expect DNS, and different VoIP protocols, but what else?

> IMHO heuristics would require more frequent inspections than just the
> first few packets in a flow, and would require more heuristics rules on
> a per app basis, instead of relying on fixed TCP immutable fields.

For heuristics it is enough just to inspect the first few packets.
After we have found out the parameters, then we just use them. The
deep inspection that is using the results of the heuristics (i.e. to
find the actual protocol data) will of course need to inspect every
packet.
-- 
kivinen at iki.fi
