IETF Logo Mail Archive

Re: [IPsec] FW: New Version Notification for draft-liu-ipsecme-ikev2-rekey-redundant-sas-00.txt

Paul Wouters <paul.wouters@aiven.io> Tue, 30 November 2021 19:42 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4E243A14FE for <ipsec@ietfa.amsl.com>; Tue, 30 Nov 2021 11:42:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DgTo4Fp2YuOX for <ipsec@ietfa.amsl.com>; Tue, 30 Nov 2021 11:42:15 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B5913A1500 for <ipsec@ietf.org>; Tue, 30 Nov 2021 11:42:15 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id v15so43377724ljc.0 for <ipsec@ietf.org>; Tue, 30 Nov 2021 11:42:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CNHjhl3avnXgeMPkmYvVgytoH+4pZCUZ9PPhD5R5/UU=; b=E4KxynWP5AqH/izf60H7bS9IL36vPQ9CeJh8EbrsexplreCxDYxVUCInlPPD+9hEmA NzYuZQ+vwdr9GjRISpgzBj+6MuZ49FhDGX17Jym0xXLvUQFGQZSvL91abFroDc1Rb0v7 bG7lKy+ydigFwTH/kIG4/X38svZhL1zlI9sVU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CNHjhl3avnXgeMPkmYvVgytoH+4pZCUZ9PPhD5R5/UU=; b=zk6F//TpmkVjIEivmXBXyA26ZbK2/ZhtIjCD1fHEm4m3UcSLv2QVl3inXdS1qUDt25 3fvpGy8oMH9n+oNWBIIFT5qtcfyF/Wq6FfyG4ne8cOWwCVwnRsN3duzMtrMLOV5BDnDz fqEIQks8RFMzHFChKNBDU4v+CNjOk6PlwCOc4HUjakvQXk9NkS5bXkiwOodqaGcTAj77 6CzVnrNFkqYGvJIqhgCfmh/BEGfO+OoBs/TbuRcBXGOTsUg8Jz+SMaqUZwR8hgpeYk7t NBtkunpUWFbKv+ONHXwXkx2IFrCAsiW9UDpL/9FrGP7Hfj/XpwbzG5zQjllU/Vz9+Ygh ourw==
X-Gm-Message-State: AOAM530kFgT39EZc0jXaKf7xFDZzNJFLHA4xNvM+rC9/dDzakW1IHfr8 KCHT3YsUl8snsmGYADdFp2gApg4vhfg1E+R9jTlU8g==
X-Google-Smtp-Source: ABdhPJwEvZt0hoaOlEEleOtcmS6AY1RZHJwdEshzwsRHWD7GGyKcq8ch8VOqO+Fx6JnauiPSGRXT8Qg/kg07RjXuMRk=
X-Received: by 2002:a05:651c:1049:: with SMTP id x9mr942368ljm.121.1638301331316; Tue, 30 Nov 2021 11:42:11 -0800 (PST)
MIME-Version: 1.0
References: <163756302647.16358.8631436336190852796@ietfa.amsl.com> <AM6PR07MB6056A9CCECA59F8035D04543EB9F9@AM6PR07MB6056.eurprd07.prod.outlook.com> <fc922cce-fdf2-62c1-8b66-588886479864@nohats.ca> <AM6PR07MB6056906966D25383E9B61D31EB619@AM6PR07MB6056.eurprd07.prod.outlook.com> <c0ad1622-c9f7-448e-b3d8-aa17e47acc1@nohats.ca> <1a7d01d7e14b$b79aeee0$26d0cca0$@gmail.com> <CADZyTkmmfyG9mqU+BaMSW1Jz9uDWJT7z-eVvCKwA45FAWsu59w@mail.gmail.com>
In-Reply-To: <CADZyTkmmfyG9mqU+BaMSW1Jz9uDWJT7z-eVvCKwA45FAWsu59w@mail.gmail.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 30 Nov 2021 14:42:00 -0500
Message-ID: <CAGL5yWbuZV_GNk9_aXfH1zz_S3RubYUh8SDgiYh-fxBMKTPz5A@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, Harold Liu <harold.liu@ericsson.com>, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e386dc05d206c0e9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/70pAm6L7CHDLpHMezVkX8JvsC0g>
Subject: Re: [IPsec] FW: New Version Notification for draft-liu-ipsecme-ikev2-rekey-redundant-sas-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 19:42:21 -0000

On Tue, Nov 30, 2021 at 8:21 AM Daniel Migault <mglt.ietf@gmail.com> wrote:

>
> Thank you all for the comments. I believe there is a misunderstanding of
> the resource issue we are facing, so please find below a more detailed
> description.
>
> The resource in question is neither related to the CPU nor the memory, nor
> the bandwidth as comments seem to suggest but instead related to the number
> of table entries that perform the IPsec processing that varies between 720
> to 4000 depending on the hardware chip.
>

Okay.


Randomizing the SA lifetime is a probabilistic approach we - and our
customers - do not want to rely on even if the probability of collision
decreases with the SA lifetime.

So now I am a bit confused. If you are mostly concerned able table length,
then 1 double IPsec SA won't hurt you, but 4000 will. So removing a random
percentage amount of seconds from the initiator would actually
probabilistic fix your issue. 4000 connections with a lifetime of 3600s,
that all start at the same time with a 20% fuzz on initiator would cause
you an extra 5 or 6 SAs. If your code recognises the new SA traffic, and
there is frequent traffic, these double SAs would go away in seconds. So on
a unit that can do 4000 SAs, you can now do only 3994 SAs.

Am I making a mistake here ?

Paul

v2.23.0 | Report a Bug | By Email