Re: [IPsec] Questions for draft-ponchon-ipsecme-anti-replay-subspaces

Aseem Choudhary <achoudhary@aviatrix.com> Fri, 06 October 2023 21:10 UTC

From: Aseem Choudhary <achoudhary@aviatrix.com>
To: "Paul Ponchon (pponchon)" <pponchon@cisco.com>, "draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org" <draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Fri, 06 Oct 2023 21:09:53 +0000
Message-ID: <MW3PR11MB46979276CAF14F280B003ABFABC9A@MW3PR11MB4697.namprd11.prod.outlook.com>
References: <MW3PR11MB4697F948E5F548FE4A1E6590AB17A@MW3PR11MB4697.namprd11.prod.outlook.com> <DM6PR11MB453129152AC683BA4AE8464FCB17A@DM6PR11MB4531.namprd11.prod.outlook.com> <MW3PR11MB46974F028FF777DBB7549E80AB17A@MW3PR11MB4697.namprd11.prod.outlook.com>
In-Reply-To: <MW3PR11MB46974F028FF777DBB7549E80AB17A@MW3PR11MB4697.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/7uvqU_-s0bG93HP32rPxS8M3NyU>

Hi Paul,

Further to this discussion, section 4.2 “Sender Behavior” doesn’t talk about how the subspace ID will be calculated. Like, for QoS, how a unique subspace-id can be mapped to a queue-id with some of the QoS pipeline procedures (classification, shaping etc.). I think section 4.2 should describe it a bit. But, if not in section 4.2, can it be described in section 6 and, for the implementation, in some more detail in section 6.2?
For some of the QoS solutions (like local video CAC <https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-4/qos/configuration/guide/b-qos-cg-asr9000-64x/b-qos-cg-asr9000-64x_chapter_01010.html> with redirect), the queue may be selected based on availability of bandwidth.


Also, section 4.6 talks about per-QoS-queue, per-path and per-core, but section 6 only mentions multi-path and multi-core.

Describing more on QoS behavior will certainly help.



-thanks,

Aseem


From: Aseem Choudhary <achoudhary@aviatrix.com>
Date: Monday, August 14, 2023 at 10:55 AM
To: Paul Ponchon (pponchon) <pponchon@cisco.com>, draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org <draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org>
Cc: ipsec@ietf.org <ipsec@ietf.org>
Subject: Re: Questions for draft-ponchon-ipsecme-anti-replay-subspaces
Thanks Paul, appreciate your response!

From: Paul Ponchon (pponchon) <pponchon@cisco.com>
Date: Monday, August 14, 2023 at 10:00 AM
To: Aseem Choudhary <achoudhary@aviatrix.com>, draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org <draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org>
Cc: ipsec@ietf.org <ipsec@ietf.org>
Subject: Re: Questions for draft-ponchon-ipsecme-anti-replay-subspaces

Hi Aseem,
Thanks for your questions.

1. Yes, you're correct there is still reordering potentially happening between the endpoints of the tunnel. However, the intention behind using the subspace is to limit the potential reordering of packets at the tunnel endpoints. By assigning packets to specific subspaces based on factors such as CPU core or QoS, the aim is to manage and mitigate the reordering within each subspace, thereby improving the utilisation of multiple cores and QoS classes at the endpoint. The reordering happening in between the endpoints is less easily controllable and, just like with using an SA today, would be handled by the replay window of each subspace, but they don’t need to be very big.

2. At the moment, we are leaning towards not splitting the subspace for CPU and QoS, as this could introduce unnecessary complexity and overhead in maintaining and managing unused subspaces. We however don’t impose any constraint on how to use the subspace IDs as long as they are between 0 and <max negotiated subspaces> - 1. We are actively exploring the best approach to distributing the subspaces between sender and receiver. Any insights or suggestions from the community on this matter would be highly appreciated.

3. While we haven't implemented this solution with strongSwan, we are currently working on an implementation for the IPsec stack of VPP. We have updated the latest version of the draft to reflect what we found during the implementation. While the main focus remains on defining a proper way to distribute subspaces to maximise the performance and compatibility aspects in the open-source implementation.

Thank you for your feedback and questions. We appreciate your interest and welcome any additional input or insights you may have.
Paul

Aseem Choudhary <achoudhary@aviatrix.com> writes:

Hello Authors,

Thanks for writing the document. It is good work!

Few questions:


1. Looks like packet mapping to subspaces, either for the CPU core or QoS or a combination, is a tunnel-source-local decision. Since packets along the path can be marked/remarked/reclassified and mapped to different queues, reordering is still possible.

2. Since the subspace is 16 bit, any plan/suggestion for/against splitting the space between CPU and QoS?

3. Any implementation experience/plan with strongSwan?

-thanks,
Aseem
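As an added example to illustrate the receiver behaviour Paul describes above (one independent replay window per negotiated subspace, IDs in 0..max-1) and the sender-side QoS-to-subspace mapping Aseem asks about, here is an illustrative Python model written for this page; it is not code from the draft, from VPP, or from either participant. It assumes the subspace ID and per-subspace sequence number are delivered as two separate fields, and the DSCP-to-subspace table is a constructed placeholder.

```python
# Illustrative model of anti-replay subspaces (not the draft's or VPP's code).
# Each subspace keeps its own RFC 4303-style sliding window; packets are
# modelled as (subspace_id, seq), with seq counted per subspace.

class ReplayWindow:
    """Sliding-window anti-replay check for one subspace (bitmap of `size` seqs)."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        if seq == 0:
            return False                      # seq 0 is never valid
        if seq > self.top:                    # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # too old: fell off the window
        if self.bitmap & (1 << offset):
            return False                      # replay: already accepted
        self.bitmap |= 1 << offset            # late but in window: accept once
        return True


class SubspaceReceiver:
    """Receiver side of one SA with `max_subspaces` negotiated subspaces."""
    def __init__(self, max_subspaces, window_size=64):
        self.max_subspaces = max_subspaces
        self.windows = [ReplayWindow(window_size) for _ in range(max_subspaces)]

    def receive(self, subspace_id, seq):
        if not 0 <= subspace_id < self.max_subspaces:
            return False                      # ID outside the negotiated range
        return self.windows[subspace_id].check_and_update(seq)


def qos_subspace(dscp, dscp_to_subspace):
    """Sender-local mapping of a DSCP value to a subspace ID (constructed table)."""
    return dscp_to_subspace.get(dscp, 0)      # unclassified traffic shares subspace 0


def demo():
    # Constructed: two subspaces, one per QoS queue (EF/DSCP 46 -> 1, others -> 0).
    rx = SubspaceReceiver(max_subspaces=2, window_size=8)
    table = {46: 1}
    packets = [(0, 1), (46, 1), (0, 2), (0, 2), (46, 12),
               (46, 3), (46, 5), (0, 4), (0, 3), (0, 1)]
    return [rx.receive(qos_subspace(d, table), s) for d, s in packets]
```

In the demo, the late packet (0, 3) is still accepted because it lies within subspace 0's small window, while (46, 3) is dropped only because subspace 1 has already moved 9 ahead of it.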