Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
Paul Wouters <paul@nohats.ca> Mon, 11 March 2024 15:36 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E6DCC14F69E for <ipsec@ietfa.amsl.com>; Mon, 11 Mar 2024 08:36:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kEx973hpF3hh for <ipsec@ietfa.amsl.com>; Mon, 11 Mar 2024 08:36:08 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCE96C14F618 for <ipsec@ietf.org>; Mon, 11 Mar 2024 08:36:07 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4Ttgps3ltdzD0h; Mon, 11 Mar 2024 16:36:05 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1710171365; bh=pxM/MJdTDpj/Eo+PsqtR7NI/CQgH7kB/T25RkQ0v3Oc=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=LqGhh5cMQMXIeV042Aqt3qmh7o5VXCyk7H+XHqz+xn4iPk1GYnSvaOFBzeF6g5iYr Eja/NMhU29meZLyZkr0wKI3nlfD+SQZVTXKx0aMFhx9zarhL+3OTaq4p2EZ9XxP5Vc JgTANUN/DsWdrFekG89H9Ncz/EJMWERNP6KpNujM=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id roQGDuAKr3bU; Mon, 11 Mar 2024 16:36:04 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 11 Mar 2024 16:36:04 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 9F9BF1187A3D; Mon, 11 Mar 2024 11:36:03 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 9CBF71187A3C; Mon, 11 Mar 2024 11:36:03 -0400 (EDT)
Date: Mon, 11 Mar 2024 11:36:03 -0400
From: Paul Wouters <paul@nohats.ca>
To: "Panwei (William)" <william.panwei=40huawei.com@dmarc.ietf.org>
cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <e7bc176dafcd4a719b84842b685a9fc5@huawei.com>
Message-ID: <c6dc7d13-2c1c-f5c7-290e-34a88a21d103@nohats.ca>
References: <29bca8d122844180afc21cd6b353159a@huawei.com> <4C637D68-CD0C-47C1-8D34-36D01A2DBF1F@aiven.io> <e7bc176dafcd4a719b84842b685a9fc5@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AzOMXSmVrxzOne8F_mJiZtPqDLk>
Subject: Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2024 15:36:12 -0000
On Mon, 11 Mar 2024, Panwei (William) wrote: > Indeed, splitting the 32-bit SPI into two sub-fields, the VPN ID sub-field and SPI sub-field, may also be one option. This solution doesn't need to change the ESP packet format, but it also has some disadvantages. > The first one is the scalable issue. 256 VPN IDs may be enough for use for current RAN Sharing scenario, but when considering the service slicing feature, thousands and even more VPNs will be needed in the future. So, it's better to assign 16 bits to the VPN ID sub-field. Therefore, the SPI sub-field will be trenched to 16 bits, which means the available SPIs are 64k. This can have a negative impact on the expansion of usable scenarios in the future. > The second problem is the high possibility of packet disorder. Although all VPNs share one actual SA and the sender assigns sequence numbers in sequence to all the traffic no matter which VPN they belong to, different VPNs will use different SPIs in the ESP packets. This will interfere with the load balance process of the on-path routers because they usually look at the SPI field when doing the hash. This may lead to packet disorder at the IPsec receiver. > Therefore, we currently still prefer a separate field representing the VPN ID. But we are open to more discussions and future changes. Thanks, those arguments are clear. Perhaps Steffen can take these into consideration as well when thinking about ESPv4 / WESP :) > > The VPN ID could be done via notify instead of new traffic selector. Or > > you could add a new traffic selector type of just the VPN ID instead of > > copying and extending the existing v4/v6 types - similar to RFC 9478. > > We did consider this option before. > A new notify or traffic selector type of just the VPN ID is also acceptable but has some disadvantages. > When using the new notify or traffic selector type along with the existing traffic selectors of v4/v6 types, it will be impossible to differentiate which traffic selector of v4/v6 types is associated with which VPN. Therefore, all traffic selectors of v4/v6 types will be associated with each VPN, which may cause unwanted traffic to be included in the traffic selection result. > When using the new notify or traffic selector type alone, it will allow all the traffic (from any to any) of one VPN to be selected, which will also cause unwanted traffic to be included. > By considering this, our current design of copying and extending the existing v4/v6 types want to keep a more precious traffic selection. Indeed. That is also the reasoning for the Labeled IPsec traffic selector types. You could use those too, nothing prevents you from filling the label with simple 16 bit numbers :) Paul
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Paul Wouters
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Paul Wouters
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Steffen Klassert
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Michael Richardson
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Michael Richardson