[IPsec] Why ipsecme-anti-replay-subspaces is needed.

"Pierre Pfister (ppfister)" <ppfister@cisco.com> Mon, 04 December 2023 08:53 UTC

From: "Pierre Pfister (ppfister)" <ppfister@cisco.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Mon, 04 Dec 2023 08:52:52 +0000
Message-ID: <CO1PR11MB49461176E5106D8965E5610DDF86A@CO1PR11MB4946.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/BWHPmxQWIDYeiWnVxXgAAJ5Oscs>
Subject: [IPsec] Why ipsecme-anti-replay-subspaces is needed.

Hi all,

I'd like to encourage a discussion here around why the solution described in draft-ponchon-ipsecme-anti-replay-subspaces is needed, and why draft-ietf-ipsecme-multi-sa-performance is not sufficient for us.

So far, we have received feedback from people supporting our work and sharing the same need. I'd like to encourage those people to take part in this thread.

We have received pushback from Tero. But I am curious to know whether other people share the same opinion or not.

To bootstrap the conversation, I'd like to answer Tero's comment (from the recording, with little paraphrasing):

"Creating 144 IPsec SAs should take less than a tenth of a second. IKEv2 has a windowing mode. With really big systems, creating more SAs is not an issue."

We unfortunately cannot afford to throw more cores at every scaling issue that we have. IPsec hardware is pretty much limited today by how many keys you can store, and IKEv2 by how many SAs you must negotiate (a big concern when PFS is enabled).

We need to establish peerings with 10k peers. All our control-plane daemons, routing protocols and IKEv2 must run on one or two cores to leave room for the actual data-plane features.

What exactly did you mean by "big systems"?

To give a more concrete example:

One of the reasons for the IKEv2 design was to support multiple traffic selectors per SA (see point 9 in https://www.rfc-editor.org/rfc/rfc7296#appendix-A). In IKEv1, the design was also to throw more SAs at the problem: someone who needed multiple different traffic selectors would create multiple SAs. We are repeating the same historical mistake now, but with cores instead of traffic selectors.

The multi-SA draft is not bad and surely solves some of the problems. However, it also emphasizes that we're back to the same issues as with IKEv1: trying to solve our modern performance problems by adding more SAs.
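An added illustration of the receiver-side problem the message alludes to (example code written here, not the draft's or the author's): several cores transmit on one SA, and the receiver either keeps a single RFC 4303 sliding anti-replay window or one window per sequence-number subspace. The 4-bit "top bits select the subspace" layout, the 64-entry window and the skewed arrival order are assumptions made for this example.

```python
from collections import defaultdict

SEQ_BITS, SUB_BITS = 32, 4        # assumed layout: top 4 bits pick the subspace
WINDOW = 64                       # RFC 4303-style window size used by both receivers

class ReplayWindow:
    """Sliding anti-replay window: bitmap of the last WINDOW sequence numbers."""
    def __init__(self):
        self.top, self.bitmap = 0, 0          # highest seq seen; bit i means (top - i) seen

    def accept(self, seq):
        """True if seq is fresh (then recorded); False if replayed, too old, or zero."""
        if seq == 0:
            return False
        if seq > self.top:                    # advance the window to the new high seq
            shift = seq - self.top
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= WINDOW or (self.bitmap >> diff) & 1:
            return False                      # fell out of the window, or a duplicate
        self.bitmap |= 1 << diff
        return True

class SubspaceReceiver:
    """One independent ReplayWindow per subspace, selected by the high bits of seq."""
    def __init__(self):
        self.windows = defaultdict(ReplayWindow)

    def accept(self, seq):
        return self.windows[seq >> (SEQ_BITS - SUB_BITS)].accept(seq)

def shared_counter_streams(cores, n):
    """Multi-core sender drawing from ONE shared counter: core c gets every cores-th seq."""
    return [[c + 1 + cores * i for i in range(n)] for c in range(cores)]

def subspace_streams(cores, n):
    """Multi-core sender where core c owns subspace c and counts 1..n inside it."""
    return [[(c << (SEQ_BITS - SUB_BITS)) | (i + 1) for i in range(n)] for c in range(cores)]

def deliver(streams, receiver):
    """Constructed arrival order: all of core 0's packets, then core 1's, and so on
    (a large inter-core skew). Returns how many packets the receiver accepts."""
    return sum(receiver.accept(seq) for stream in streams for seq in stream)

if __name__ == "__main__":
    ok_shared = deliver(shared_counter_streams(3, 100), ReplayWindow())
    ok_sub = deliver(subspace_streams(3, 100), SubspaceReceiver())
    print(f"shared window: {ok_shared}/300 accepted; per-subspace: {ok_sub}/300 accepted")
```

With the shared window, legitimate packets from the lagging cores are discarded as "too old" once the leading core has pushed the window forward; with per-subspace windows every core's in-order stream is accepted without any cross-core coordination.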