Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt

"Panwei (William)" <william.panwei@huawei.com> Tue, 05 March 2024 08:55 UTC

From: "Panwei (William)" <william.panwei@huawei.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
Date: Tue, 05 Mar 2024 08:55:09 +0000
Message-ID: <29bca8d122844180afc21cd6b353159a@huawei.com>
References: <170953741568.40277.5255672271292143803@ietfa.amsl.com>
In-Reply-To: <170953741568.40277.5255672271292143803@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/25UgVj5UliBuKLjuIuAYxoJ_4zs>
Subject: Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt

Hi folks,

We've encountered a real problem when using IPsec in a multi-VPN environment.
We find that separate IPsec tunnels (i.e., different IKE SAs and different Child SAs) are needed for each VPN to distinguish the traffic of different VPNs.
But, as the number of peer devices and the number of VPNs increase, the number of IPsec tunnels needed also grows explosively and exceeds the device's capacity.

Therefore, we are considering whether different VPNs can share the use of the same IPsec tunnel, i.e., the same IKE SA and Child SA.
We've prepared a draft to present the problem and our considerations: https://datatracker.ietf.org/doc/draft-he-ipsecme-vpn-shared-ipsecsa/

We'd like to get comments and feedback from you experts. Thanks a lot in advance.

Regards & Thanks!
Wei PAN (潘伟)

-----Original Message-----
From: I-D-Announce <i-d-announce-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Monday, March 4, 2024 3:30 PM
To: i-d-announce@ietf.org
Subject: I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt

Internet-Draft draft-he-ipsecme-vpn-shared-ipsecsa-00.txt is now available.

   Title:   Shared Use of IPsec Tunnel in a Multi-VPN Environment
   Authors: Qi He
            Wei Pan
            Xiaolan Chen
            Beijing Ding
   Name:    draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
   Pages:   18
   Dates:   2024-03-03

Abstract:

   In a multi-VPN environment, currently, different IPsec tunnels (i.e.,
   different IKE SAs and Child SAs) have to be created to differentiate
   and protect the traffic of each VPN between the device and its peer.
   When the number of neighbors of a device and the number of VPNs
   increases, the number of IPsec tunnels also increases considerably.
   This results in the need for a large number of SAs, which exceeds the
   device's capacity.

   This document proposes a method for different VPNs to share the use
   of a single IPsec tunnel, which can greatly reduce the number of SAs
   required in a multi-VPN scenario.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-he-ipsecme-vpn-shared-ipsecsa/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-he-ipsecme-vpn-shared-ipsecsa-00.html

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


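The following is an added model, not code from the draft or from the authors, of the two things the message above turns on: how the SA count scales when every (peer, VPN) pair needs its own IKE SA and Child SA, and why a Child SA shared by several VPNs needs something beyond RFC 4301 traffic selectors to put decapsulated packets into the right VPN. It assumes the VPNs are VRFs that may use overlapping private address space and that a shared-tunnel receiver gets some explicit VPN identifier with each inner packet (the draft's actual encoding is not reproduced here); peer names, VPN names and prefixes are constructed.

```python
"""Model of Child SA lookup on a multi-VPN IPsec gateway (added example).

Assumptions, not taken from the draft: VPNs are VRFs with possibly
overlapping address space; a shared Child SA carries an out-of-band
VPN tag whose encoding is left abstract (vpn_tag argument below).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
import secrets


@dataclass(frozen=True)
class ChildSA:
    spi: int                 # inbound SPI chosen by this gateway (32 bits)
    peer: str                # remote gateway the SA was negotiated with
    vpn: Optional[str]       # VRF this SA is bound to; None = shared by all VPNs
    selectors: tuple         # (src_net, dst_net) traffic selectors from IKE


class Gateway:
    def __init__(self):
        self.ike_sas = set()   # one entry per IKE SA, keyed (peer, vpn)
        self.child_sas = {}    # inbound SPI -> ChildSA

    def _new_spi(self):
        spi = secrets.randbits(32)
        while spi < 256 or spi in self.child_sas:   # SPIs 0..255 are reserved
            spi = secrets.randbits(32)
        return spi

    def build_per_vpn(self, peers, vpns, prefix_of):
        """Current practice: separate IKE SA and Child SA per (peer, VPN)."""
        for peer in peers:
            for vpn in vpns:
                self.ike_sas.add((peer, vpn))
                net = ip_network(prefix_of[vpn])
                spi = self._new_spi()
                self.child_sas[spi] = ChildSA(spi, peer, vpn, (net, net))

    def build_shared(self, peers):
        """Shared tunnel: one IKE SA and one Child SA per peer, wildcard selectors."""
        any_net = ip_network("0.0.0.0/0")
        for peer in peers:
            self.ike_sas.add((peer, None))
            spi = self._new_spi()
            self.child_sas[spi] = ChildSA(spi, peer, None, (any_net, any_net))

    def sa_count(self):
        """Total IKE SAs plus Child SAs this gateway must hold."""
        return len(self.ike_sas) + len(self.child_sas)

    def spi_for(self, peer, vpn=None):
        for sa in self.child_sas.values():
            if sa.peer == peer and sa.vpn == vpn:
                return sa.spi
        raise KeyError((peer, vpn))

    def inbound(self, spi, inner_src, inner_dst, vpn_tag=None):
        """Return the VRF that receives a decapsulated packet, or None to drop it."""
        sa = self.child_sas.get(spi)
        if sa is None:
            return None                      # unknown SPI: drop
        src, dst = ip_address(inner_src), ip_address(inner_dst)
        if src not in sa.selectors[0] or dst not in sa.selectors[1]:
            return None                      # RFC 4301 selector check failed: drop
        if sa.vpn is not None:
            return sa.vpn                    # per-VPN SA: the SPI itself identifies the VRF
        return vpn_tag                       # shared SA: only an explicit tag can say which VRF


def overlapping_vpns(prefix_of):
    """VPN pairs whose address space overlaps; selectors alone cannot split them."""
    names = sorted(prefix_of)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ip_network(prefix_of[a]).overlaps(ip_network(prefix_of[b]))]


if __name__ == "__main__":
    peers = ["gw-a", "gw-b", "gw-c"]                          # constructed
    prefix_of = {"red": "10.0.0.0/8", "blue": "10.0.0.0/8"}  # constructed, overlapping
    per_vpn, shared = Gateway(), Gateway()
    per_vpn.build_per_vpn(peers, list(prefix_of), prefix_of)
    shared.build_shared(peers)
    print("per-VPN SAs:", per_vpn.sa_count(), " shared SAs:", shared.sa_count())
    print("overlapping VPNs:", overlapping_vpns(prefix_of))
    spi = shared.spi_for("gw-a")
    print("shared SA without tag ->", shared.inbound(spi, "10.1.1.1", "10.2.2.2"))
    print("shared SA with tag    ->", shared.inbound(spi, "10.1.1.1", "10.2.2.2", vpn_tag="blue"))
```

With three peers and two VPNs the per-VPN model holds 6 IKE SAs plus 6 Child SAs, the shared model 3 plus 3; the count drops by a factor of the VPN count, which is the saving the draft is after. The second half is the caveat a reviewer would raise: once the two VRFs use the same 10.0.0.0/8, a packet arriving on the shared SA is indistinguishable from the inner header alone, so whatever the draft uses as the VPN identifier becomes part of the tunnel's isolation boundary and must be integrity-protected by ESP, not merely carried beside it.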