IETF Logo Mail Archive

Re: [IPsec] IPsecME WG Adoption call for draft-pwouters-ipsecme-multi-sa-performance

Paul Wouters <paul.wouters@aiven.io> Thu, 24 November 2022 03:54 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D3FEC14F692 for <ipsec@ietfa.amsl.com>; Wed, 23 Nov 2022 19:54:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1gugHg7RKexO for <ipsec@ietfa.amsl.com>; Wed, 23 Nov 2022 19:54:37 -0800 (PST)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3CFFC14F743 for <ipsec@ietf.org>; Wed, 23 Nov 2022 19:54:37 -0800 (PST)
Received: by mail-wm1-x32b.google.com with SMTP id i64-20020a1c3b43000000b003d016c21100so3014804wma.3 for <ipsec@ietf.org>; Wed, 23 Nov 2022 19:54:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=D0y+M1yT0GwttbXKdbxUOdEdInSf7dc+nyszxduDivU=; b=Zb37R4EoMln78/TPeSpIdmGqizwca+Fd+mj1dUNO5G+nedZJj8sxYgPMaF1o8RWHXQ IqK1X1ZioLoVL6tb9PsDPIvg0/7v78h9T+5Lsn82csgUlWXOEtcudSdAD8ejGzr59XDb tuuUT85fp8tb4IQF+oWyp/87igyeIEqy04uuY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=D0y+M1yT0GwttbXKdbxUOdEdInSf7dc+nyszxduDivU=; b=0x+mWOZvlSEvLY/tiIAmH7qchlf3mbE00Zs716wMZ3QQcHxiv9TTB47Rkij638EoNi 40mN1Dy96qWuCDhcdSqQllbDOnXAwj9x5jklVdbLT1GNikdJChEuBV2MJzxJwIe44HXa qrrCC1ynArBJu1It2S8gmqscJalyPEd73HTXyiqb7YTxKtXyDSOe9PGx+zPqhwDt2dOb PDz+exH5Fe2fi/gOpvVI+AOme2jkXJLNfShdXhXDY8ltGJcLgFFakL2bx3QPfNn1mEhD OUnwnTmAQ0R6ZgmiQkth7vCV42Bt7xfqyZP6emUnUMZaVzRDCnNYktBtHCGS7GdYLU4D 9ObQ==
X-Gm-Message-State: ANoB5pkNLNvh4ra14i6Y6SXWbCEC45GaXd3ahyIkrk4zxTSIuXFTR0zT LGjaWQuzVDW7LvUJMWaAs+2jxFZJBpkep5KvfyTWvw==
X-Google-Smtp-Source: AA0mqf7L2cSIS7g8qUmt0gfbMNMMYnCZd3xk/wKGx/SwofwxtRDfqyiBLak6DIhQ0m7f28nLOt5ApF1SqcZcsJa3iic=
X-Received: by 2002:a05:600c:4e06:b0:3cf:703e:1d88 with SMTP id b6-20020a05600c4e0600b003cf703e1d88mr10971695wmq.155.1669262075514; Wed, 23 Nov 2022 19:54:35 -0800 (PST)
MIME-Version: 1.0
References: <25451.58560.690380.833165@fireball.acr.fi> <0fa86a3b220940f2abdd310ec9b829f2@huawei.com> <CADZyTkk6tuUgTZuivJNkj20tOqJreVu+hRFfuL=3w1wFqikcPQ@mail.gmail.com> <20221123063631.GI424616@gauss3.secunet.de> <CADZyTkkac3r48rk0VmfGHyADZjD6xivGKe27mqyxNU=yY_k8Nw@mail.gmail.com>
In-Reply-To: <CADZyTkkac3r48rk0VmfGHyADZjD6xivGKe27mqyxNU=yY_k8Nw@mail.gmail.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Wed, 23 Nov 2022 22:54:24 -0500
Message-ID: <CAGL5yWbWTVE6iYibcJEBC-rNoJdYmif_w2dnWANnUqJYz_16aw@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>, "Panwei (William)" <william.panwei=40huawei.com@dmarc.ietf.org>, Tero Kivinen <kivinen@iki.fi>, "ipsec@ietf.org" <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000c683805ee2f5de7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/DpvgKN-1wmIHSiSTWzDEyAZ3ARs>
Subject: Re: [IPsec] IPsecME WG Adoption call for draft-pwouters-ipsecme-multi-sa-performance
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 03:54:41 -0000

[speaking as individual]

On Wed, Nov 23, 2022 at 9:32 AM Daniel Migault <mglt.ietf@gmail.com> wrote:

> I agree but in my opinion the draft has some scalability limitation and to
> be useful needs to be combined with something else
>

That is not true. Perhaps for your use case, but not other people's use
cases, such as highspeed (eg 10gbs+) DC interconnects with devices with
multiple CPUs. It is very much "useful" without "something else" as we
presented in the past with our benchmarks.

- at least this is my understanding. Maybe I am biased as the use case it
> may address is not the one we have. Do not get me wrong, I think the work
> has been useful and should be documented. But I think that the alternative
> that limits the number of SA is very attractive, especially for our
> hardware implementations with a limited number of SA.
>

That is a very different use case.

I agree that the advantage of the draft is that it is a very ow
> hanging fruit but on the other hand - at least as I see it -
> -ponchon-ipsecme-anti-replay-subspaces provides a complete solution to the
> scalability concern we have.
>

See my previous posting to the list. There might be IPR issues to address
first before a solution like that draft can be adopted to the WG.
Regardless, it is a different solution that does change the security
properties and the Child SA properties. I believe this work does fall under
the "ESP update" work, independently of this draft, that requires no update
to ESP.

I agree ESP-v4 should be considered natively, but I would like
> -ponchon-ipsecme-anti-replay-subspaces to be implemented with the current
> ESP mostly so we do not wait ESP-v4 to have it. Actually at Ericsson we
> would like to implement the standard version of
> -ponchon-ipsecme-anti-replay-subspaces in a reasonable delay -- i.e. next
> year.
>

Provided the IPR issues are resolved, the WG surely can look at this.
Although as has been pointed out, if anti-reply is your only issue, then
perhaps the easiest thing to deploy right now would be ESP without replay
protection enabled? And trust that the application layer (TCP, QUIC, UDP
applications) handle out-of-order or duplicate packets themselves.

To clarify my position I am not opposed to the adoption of the draft. My
> position is that it gets published as soon as possible as an experiment
> that paves the way for a more complete solution. In other words, I think we
> should not have the document being discussed for years in the WG.
>

That is generally true for every document in every WG :)

I think people in the WG have shown that there is some urgently to
addressing ESP performance issues. But the WG is all of us, so all of us
need to keep the speed going on this. I think it would be good to get a
problem statement doc out as Steffen indicated, so that we know all the
issues we want to address in ESP.

Paul

v2.23.0 | Report a Bug | By Email