Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
"Panwei (William)" <william.panwei@huawei.com> Wed, 20 March 2024 10:28 UTC
Return-Path: <william.panwei@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75A39C151086 for <ipsec@ietfa.amsl.com>; Wed, 20 Mar 2024 03:28:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xMpw_p1fLv4S for <ipsec@ietfa.amsl.com>; Wed, 20 Mar 2024 03:28:30 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8039FC151084 for <ipsec@ietf.org>; Wed, 20 Mar 2024 03:28:30 -0700 (PDT)
Received: from mail.maildlp.com (unknown [172.18.186.216]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4V04Sn6VHjz6K93h; Wed, 20 Mar 2024 18:24:09 +0800 (CST)
Received: from frapeml500002.china.huawei.com (unknown [7.182.85.205]) by mail.maildlp.com (Postfix) with ESMTPS id 7A7D31402CD; Wed, 20 Mar 2024 18:28:27 +0800 (CST)
Received: from kwepemi500010.china.huawei.com (7.221.188.191) by frapeml500002.china.huawei.com (7.182.85.205) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Wed, 20 Mar 2024 11:28:26 +0100
Received: from kwepemi500010.china.huawei.com ([7.221.188.191]) by kwepemi500010.china.huawei.com ([7.221.188.191]) with mapi id 15.01.2507.035; Wed, 20 Mar 2024 18:28:25 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: Steffen Klassert <steffen.klassert@secunet.com>, Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
Thread-Topic: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
Thread-Index: AQHabgXw2ORgzh79i06MkXh0+CozjrEo1fnw///F4ICABPAScIAEpZOAgAXB6YCACB5N0P//3FEAgACKDbA=
Date: Wed, 20 Mar 2024 10:28:25 +0000
Message-ID: <b7b44906db3240c78ee461bb8a95cebc@huawei.com>
References: <29bca8d122844180afc21cd6b353159a@huawei.com> <4C637D68-CD0C-47C1-8D34-36D01A2DBF1F@aiven.io> <e7bc176dafcd4a719b84842b685a9fc5@huawei.com> <c6dc7d13-2c1c-f5c7-290e-34a88a21d103@nohats.ca> <ZfP5SxlCueJ/aQt/@gauss3.secunet.de> <a80bed7fcd02445d8a75555b2764c3a4@huawei.com> <167439.1710926532@dyas>
In-Reply-To: <167439.1710926532@dyas>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.126.203.240]
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/As-wxVQMXR2SkuB4RgFb2uF72VM>
Subject: Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 10:28:32 -0000
Hi Michael,
> > At yesterday's meeting, I think people basically understood and
> > accepted the problem statement itself, but also raised different
> > ideas regarding to the solutions. We'll try to do more analysis
> > and comparison of possible solutions, including what you
> > suggested.
>
> I think that one thing that is unclear to me is whether the different RANs
> can tolerate that all the different traffic share the same *IKE* SA.
[Wei (William) Pan] We did consider this before. Sharing the same IKE SA can partly release the pain, but not much.
Assuming there are N peer devices and M operators sharing the RAN, currently, at least (2* N * M) SAs are needed: (N * M) IKE SAs and at least (N * M) Child SAs. Sharing the same IKE SA will still need at least (N * M) Child SAs.
In our evaluation based on today's actual scenarios, the Child SAs needed will still be going to reach the base station's capacity if the base station is deployed in a crowded area.
We got from the customers that they want to double the number of operators sharing the RAN. Therefore, this solution isn't scalable enough for this need and future expansion.
> The next level is whether or not they can tolerate being in the same
> CHILD SA. We could put the "VPN ID" at another layer (inside the
> common tunnel), such as some kind of L3VPN, GRE, VXLAN.
[Wei (William) Pan] Do you mean first encapsulating the original traffic into a tunnel that can carry the VPN info and then encapsulating the tunneled traffic into the IPsec tunnel?
My initial feeling is that there may be operational and maintenance difficulties. We can have more thinking on this and reply later.
> > we'd like to know more if it's OK. Switching to a new protocol is
> > still a reasonable solution for us, although it has pains.
> > Developing a new protocol in IETF will cost time, we'd like to
> > adopt the new protocol after it's standardized. But we need to
> > solve our problem
>
> I don't think you need any new protocols, but maybe new ways to
> combine existing protocols. For instance, some IKEv2 support for
> configuring VXLAN.
> But, this depends upon the *security* and traffic isolation that you need.
> For instance, do you have issues of traffic accounting between the RANs
> that occurs on the outside (ESP) packets.
[Wei (William) Pan] Thanks for your feedback, we will put it into consideration.
This is why we think we need to do the analysis and comparison of solutions, to find out what is the most possible and reasonable solution.
Regards & Thanks!
Wei PAN (潘伟)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Paul Wouters
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Paul Wouters
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Steffen Klassert
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Michael Richardson
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Michael Richardson