IETF Logo Mail Archive

[IPsec] AD Review of draft-ietf-ipsecme-multi-sa-performance-05

Roman Danyliw <rdd@cert.org> Tue, 19 March 2024 05:55 UTC

Return-Path: <rdd@cert.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33346C14F5EF for <ipsec@ietfa.amsl.com>; Mon, 18 Mar 2024 22:55:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J0WcQX53J2_9 for <ipsec@ietfa.amsl.com>; Mon, 18 Mar 2024 22:55:34 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0053.outbound.protection.office365.us [23.103.208.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3731FC14F60A for <ipsec@ietf.org>; Mon, 18 Mar 2024 22:55:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=eWGBz/hbih0yEK2jiDMfNJRrSJxzGpueNflySu7wRTHh+W435XgHg0oZR3kaurjFJPoIWFxJ1HM8Lg9+CxDbtP4QcR5NGr4bR59TF+YwVki8rHpI62GV2HkelgKKOnKzydRnDMKY00fPEHQTCytr6G52ixR3dyzaAmK/L4nPQZDhpmU4S+4mXrknDVQ4mM/YVSTqgPwVuRDGzD4imVZNzmbgr9VpsR+DFumrl3C7ppDBNF1ItQ1dft8RVjez2v9WFwKtBH2jwRj8iH2cK4yhxr8mx1ujT6hDvmmhQKaEg1cIFllhboXXSf9DTxHTnVlfqWtXDoTjXpIx8rpDqUGIPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=V7I1KX6L/MFAHYLhtESMnXUURLrGVC87lZ6UlyPrR1U=; b=ZhK9ctATahvRhwPbfBz72ND2VYESoncPzqYG0RkWevyxqJu6T1jT+ptHd5DpEko6cubk5ONXTySyMRwYaTEEQIIi1vvVzntCQFiogKtTgA5IoNR7VJNIhn2YM6cnPeQR1aIQG0BmjjcT9t59PMAShiGi99i770IxT7cMQkC8Y/GQ2sxSZvzdbpEbOR/EzatXdOaWZ3ay+uwLw+gTswZsvQGWAXIPM0BAVzYC2/0GbkOzOb5tVJrFaRzmeK5sdZPjQ72PRpziOEAuo+73maw3oTcCO+jWvU/+tWE0jTJdVqFZUwYYQl5ZqcOipjF2H5Dm9jCC2DAt5HYMr2Vf+EG4iw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=V7I1KX6L/MFAHYLhtESMnXUURLrGVC87lZ6UlyPrR1U=; b=KIuwwSDutjVlpf7cnMPpsRh9/ziVBF0TZeL9wMhfSl3iHZebq6ZINoLTL9ij63gzOV4fDGzbV3bMLs2GWCzF/8xQ5qrRshqm0n3jlt7zlqWoq9j4Ui0ZoIG4xVPPtfpcj5eXm8so4dtVCnFOcR9J65UkA0gauKdC6tcXEHAPS9g=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1495.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17d::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7386.27; Tue, 19 Mar 2024 05:55:26 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::acd1:6591:c445:e0b]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::acd1:6591:c445:e0b%5]) with mapi id 15.20.7386.025; Tue, 19 Mar 2024 05:55:25 +0000
From: Roman Danyliw <rdd@cert.org>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: AD Review of draft-ietf-ipsecme-multi-sa-performance-05
Thread-Index: Adp5wLX5RVTTEXPYSJu7ZyhA3b3leA==
Date: Tue, 19 Mar 2024 05:55:25 +0000
Message-ID: <BN2P110MB1107C9B13992DEA871075535DC2CA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1495:EE_
x-ms-office365-filtering-correlation-id: b4b6e195-10fe-4e4e-6e53-08dc47d92c54
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: KWBdpk5sRf6a9qq8qWTTyTCWBNxuToctbbcAf2huDL4kiJFYtvu0zPsvghMs1mCmGyxRtN9vhXK0YL9O4sZW4YZ7LAKyyfUQCy82GUSByWO+qqJeJqMyHNU9oBHolb3YD/SlDhWihJGPVaKX60wAl82Cx5V6sypGpydDjhb992v1hssbRZEsIRVP8uc2kqReGvhPUtF0h638JTXZh8O53a0AtSX44F4sauD39IaDRc3CUJkvSNVyFbaiIPpZJ5O1fo5xW+j/mfC1Psi/n2vJyAm3ZMvjV1+5MJvG87aqprDfGU4kNtLLz8CvL4dSsgZXqmr+uLzRa8yuxQXDXABgxlQcPJUmQg/5CXVw9nxbPgT/zUHMG3RG15iH0eSSPRnkuqKKsQ8Zyn8YjgSexuC2isD2tO0GxWf+aW6m8qcVrxucYUuPtFPHpMXH/Gw5TUW0Se/a4R5zXUNkMQ5mUoAvfYlUZm6586H52BRuoAl04leXjvUO4cQFbqy+cvy5DkfKeWT3DoFrDb6UlNa2NbS6nHbJ5pX5jDkFSA+HfXeERXA0de8MbBjS47KiZDeQwP3jez/wB5vT8ol9FJT1wixb5kVMQKp4s61caDs632gcgndXXQRJWK21rNwgnV9jrDv9j96YBK75RV1QtyOgneT8OmjEk0v+d6w4iQbd+b/Tb5EUJ/tjz+qhp8rLgar7D/LkawMR6qqq0Wp6Fl9fZv5e5+SylWxc5bybbzFKPViGDlA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(41320700004)(1800799015)(366007)(38070700009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: zz62V7ZzhF5nlq1jDPvBV/f/X9PHd26kBjxk5Wsjbn4xxOc5R/Je+WGxTyxT72LBSoodW11YnnTVitlrkYMUEXpyuYV/Zrbcsd3yoycgXm440mhbKST1LIQH95FVWxU6VrhHD/j0dANWWBE/EgHd+tPJ9JmpNTNjy9V8awL70F0oI3DBpIdoQ0SCYcnCyK5dKmguCyStHl6Lzgu5tPX2yMyqIWbDKyUMTTr3Qm8EcYZJtYBBUjOW5G2N+z5rqRNXULW1FgaiXlXKZe+d1ycRzjUu0tJ4BnQlIznmyiWosh4/ed8HM0IY5Iq2Dxkn8MHfO6bLxEL6lfjudO7YDmO4acw9B7OmFoPg7neZV+PdGYZK8Z+Hzr4udZXFQRNnEDqdOk/m4J3Nry+3d6SmuK0BICdx40neTBKrs0FhpMnNT2CcSBUJ5Tr9ocXUeMHp5Tr94ckkN1uqBKLiTYMuEmrjDnkyWIeufkPJq/khA0194lq1FHu3fcG7wf7ipHadLZ8+YYWWguokp+dl0Oxhu8EUly1HNgXkoddRZys6bLLMQOSoEipiooyPQOvCBdgqftEptyZmXTHvBknfdYf6eWvr4sqzxJQhxiFIHR6+KLmorioa3aYkOYJu31slrr5vL6yRKOJUi3eXErCYAdnD7F62n9SX+QZl5XJe/XPchKHwlCXh84Cx5Z6kM8YHUbTcMUYnA/HaN9FjoHWOmnVhbIK3kPBISyVCkSh1jfylvi02CczFeJps+JKxQvPXNpkO1IrHCLB848QcnFSwxQbPpaj8MtMFuh92sKv8zb5N4L3T7qnjCMff+FMOvjLqDXza9XlDDfY/8KxB73UZEnV6nMZBflqpB4haPgBIwHcZTukzETZ+nf0Az3pbTPivFQ07NVoVtj2zhTM+0DtzjnFY2nLB6Nq4geRS9CudRqQsfUecpIYkj42fmqX1XQTyGmXiT47cYXjqpAJ4/yWy6ZRYUQ/R5mlsL3/Dc2cwD3bmwcmHgS3YNdls+NsJG93q5Jj6T5/xZWlsfxvuD2V3EOdOJmfbzL13iO0V+C4DrYs2G1YuVTd0QQyAvM+RgStwq1EfZ+U5A5SFcKkPdgZ8swkjcThNUhe71kzaIzkURaVyJo1j01GS7iUtDakc+gqtGgiCGD37LkUqhixGJq+0qtfvMQgXEVJ5BZ5lQyKMrGWAZzcJjo49FR9zLXPHX91F9AZjWbWGX2D+zbu+r78sp78i1OF+IKqlslRlJzgbCkpfMJyuKxj1MUzvQlfpvtKIkGBFu5YvqXXP8gRrDmd0lzScei3YziKqHaICupI2nLz6VVnCZUVhd7ZQ78ohQKLVWUWd9aM8RV5kXCsfTUgNi9KQ9Nkrcaj++FbOTMcBMKNoP3gJIAoLpDlerAmz0rItWlx8pOJJClrTL7sTDy78C1BteTnw/BYBPR7/IbhNX2mSWxgclOXHYxV50FgB0zrDFa5l35gRJ9eWB3cSUVEuffIYIgYJE8MwFhLPGqvA/tZdFjsOZDs=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: b4b6e195-10fe-4e4e-6e53-08dc47d92c54
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Mar 2024 05:55:25.6913 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1495
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/7l1XHig3X5b5U84ATf7pclYOv4s>
Subject: [IPsec] AD Review of draft-ietf-ipsecme-multi-sa-performance-05
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 05:55:39 -0000

Hi 

I performed an AD review of draft-ietf-ipsecme-multi-sa-performance-05.  I have a mostly editorial feedback below:

** Abstract.  Editorial.  s/crypto/cryptography/

** Section 1.
   Most IPsec implementations are currently limited to using one queue
   or CPU resource for a Child SA.

-- (Editorial) What kind of queue?  Should it be “network queues”?

-- Why couldn’t implementations be changed to use multiple CPUs?

** Section 1.  Editorial.
   An
   unencrypted link of 10Gbps or more is commonly reduced to 2-5Gbps
   when IPsec is used to encrypt the link using AES-GCM.  By using the
   implementation specified in this document, aggregate throughput
   increased from 5Gbps using 1 CPU to 40-60 Gbps using 25-30 CPUs

-- Will this text age well?  

-- Can these statistics be cited?

** Section 1.  Editorial.
   While this could be (partially) mitigated by setting up multiple
   narrowed Child SAs, for example using Populate From Packet (PFP) as
   specified in IPsec Architecture [RFC4301], this IPsec feature would
   cause too many Child SAs (one per netflow)

Is it “netflow” or “network flow”?  “netflow” is a logging format.

** Section 1.  Editorial.
When an IKEv2 peer is receiving more additional Child SA's

It is “more additional Child SA’s” or “additional Child SA’s”?

** Section 3.
   If this initial Child SA
   will be tied to a specific resource, it MAY indicate this by
   including an identifier in the Notification Data.  

How does one tie the Child SA to the specific resource if the identifier is NOT included in the Notification data?  Wouldn’t it be mandatory to include this identifier?

** Section 4.  Is this section normative?  Why are RFC2119 key words used in an example?

** Section 4.  Doesn’t the example in the paragraph starting with “A simple distribution could be to install one additional Child SA on each CPU” violate the situation described in Section 2 (i.e., coordination across CPUs)?

** Section 5.  The diagrams in Section 5.* show “Next Payload”, a fields flags and a “Payload length”.  Where are those defined?

** Section 5.1.  Editorial. The diagram says “optional resource identifier”.  The description of the fields says “Optional Payload Data”

** Section 5.1
      The opaque data SHOULD be a
      unique identifier within all the Child SAs with the same TS
      payloads and the peer SHOULD only use it for debugging purposes.

-- Why is normative guidance being provided on the contents or semantics of an “opaque data” blob?

-- I don’t understand how to read the “SHOULD” in this text.  If not intended to be a unique identifier, what else should this opaque data be used for?

-- When and why should this be used for “non-debugging purposes”?

** Section 6.
   Peers SHOULD be lenient with the maximum number of Child SAs they
   allow for a given TSi/TSr combination to account for corner cases.

What does “lenient” mean here?

** Section 6.
   As additional Child SAs consume
   little additional overhead, allowing at the very least double its
   intended CPUs is RECOMMENDED.

Can this language please be clarified?  I don’t understand.  “Double” relative to what baseline?  Is this recommending the number Child SAs per CPU?  

** Section 6.
   An implementation MAY limit the number
   of Child SAs only based on its resources - that is only limit these
   based on regular denial of service protection.

Why can’t an implementation limit SAs based on any policy?

** Section 7.
   Similar to how an implementation should limit the number of half-open
   SAs to limit the impact of a denial of service attack, an
   implementation SHOULD limit the maximum number of additional Child
   SAs allowed per unique TSi/TSr.

Is it a SHOULD or RECOMMENDED?

** Section 7.  Editorial.
   Using multiple resource specific child SAs makes sense for high
   volume IPsec connections on IPsec gateway machines where the
   administrator has a reasonable trust relationship with the peer's
   administrator and abuse is unlikely and easilly escalated to resolve.

-- What makes a trust relationship “reasonable”?  Would it be clear to omit that word?

-- Typo.  s/easilly/easily/

** Section 7.  Typo. s/identifer/identifier/?

** Section 9.  Typo.  The registry names is incorrect (i.e., s/... Notify Messages/... Notify Messages Types/)

OLD

   This document defines one new registration for the IANA "IKEv2 Notify
   Messages - Status Types" registry.

NEW

   This document defines one new registration for the IANA "IKEv2 Notify
   Messages Types - Status Types" registry.

OLD

   This document defines one new registration for the IANA "IKEv2 Notify
   Messages - Error Types" registry.

NEW

   This document defines one new registration for the IANA "IKEv2 Notify
   Messages Types - Error Types" registry.

Regards,
Roman

v2.23.0 | Report a Bug | By Email