Re: [IPsec] IPsecME WG Adoption call for draft-pwouters-ipsecme-multi-sa-performance
Paul Wouters <paul.wouters@aiven.io> Thu, 24 November 2022 03:54 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D3FEC14F692 for <ipsec@ietfa.amsl.com>; Wed, 23 Nov 2022 19:54:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1gugHg7RKexO for <ipsec@ietfa.amsl.com>; Wed, 23 Nov 2022 19:54:37 -0800 (PST)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3CFFC14F743 for <ipsec@ietf.org>; Wed, 23 Nov 2022 19:54:37 -0800 (PST)
Received: by mail-wm1-x32b.google.com with SMTP id i64-20020a1c3b43000000b003d016c21100so3014804wma.3 for <ipsec@ietf.org>; Wed, 23 Nov 2022 19:54:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=D0y+M1yT0GwttbXKdbxUOdEdInSf7dc+nyszxduDivU=; b=Zb37R4EoMln78/TPeSpIdmGqizwca+Fd+mj1dUNO5G+nedZJj8sxYgPMaF1o8RWHXQ IqK1X1ZioLoVL6tb9PsDPIvg0/7v78h9T+5Lsn82csgUlWXOEtcudSdAD8ejGzr59XDb tuuUT85fp8tb4IQF+oWyp/87igyeIEqy04uuY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=D0y+M1yT0GwttbXKdbxUOdEdInSf7dc+nyszxduDivU=; b=0x+mWOZvlSEvLY/tiIAmH7qchlf3mbE00Zs716wMZ3QQcHxiv9TTB47Rkij638EoNi 40mN1Dy96qWuCDhcdSqQllbDOnXAwj9x5jklVdbLT1GNikdJChEuBV2MJzxJwIe44HXa qrrCC1ynArBJu1It2S8gmqscJalyPEd73HTXyiqb7YTxKtXyDSOe9PGx+zPqhwDt2dOb PDz+exH5Fe2fi/gOpvVI+AOme2jkXJLNfShdXhXDY8ltGJcLgFFakL2bx3QPfNn1mEhD OUnwnTmAQ0R6ZgmiQkth7vCV42Bt7xfqyZP6emUnUMZaVzRDCnNYktBtHCGS7GdYLU4D 9ObQ==
X-Gm-Message-State: ANoB5pkNLNvh4ra14i6Y6SXWbCEC45GaXd3ahyIkrk4zxTSIuXFTR0zT LGjaWQuzVDW7LvUJMWaAs+2jxFZJBpkep5KvfyTWvw==
X-Google-Smtp-Source: AA0mqf7L2cSIS7g8qUmt0gfbMNMMYnCZd3xk/wKGx/SwofwxtRDfqyiBLak6DIhQ0m7f28nLOt5ApF1SqcZcsJa3iic=
X-Received: by 2002:a05:600c:4e06:b0:3cf:703e:1d88 with SMTP id b6-20020a05600c4e0600b003cf703e1d88mr10971695wmq.155.1669262075514; Wed, 23 Nov 2022 19:54:35 -0800 (PST)
MIME-Version: 1.0
References: <25451.58560.690380.833165@fireball.acr.fi> <0fa86a3b220940f2abdd310ec9b829f2@huawei.com> <CADZyTkk6tuUgTZuivJNkj20tOqJreVu+hRFfuL=3w1wFqikcPQ@mail.gmail.com> <20221123063631.GI424616@gauss3.secunet.de> <CADZyTkkac3r48rk0VmfGHyADZjD6xivGKe27mqyxNU=yY_k8Nw@mail.gmail.com>
In-Reply-To: <CADZyTkkac3r48rk0VmfGHyADZjD6xivGKe27mqyxNU=yY_k8Nw@mail.gmail.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Wed, 23 Nov 2022 22:54:24 -0500
Message-ID: <CAGL5yWbWTVE6iYibcJEBC-rNoJdYmif_w2dnWANnUqJYz_16aw@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>, "Panwei (William)" <william.panwei=40huawei.com@dmarc.ietf.org>, Tero Kivinen <kivinen@iki.fi>, "ipsec@ietf.org" <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000c683805ee2f5de7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/DpvgKN-1wmIHSiSTWzDEyAZ3ARs>
Subject: Re: [IPsec] IPsecME WG Adoption call for draft-pwouters-ipsecme-multi-sa-performance
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 03:54:41 -0000
[speaking as individual] On Wed, Nov 23, 2022 at 9:32 AM Daniel Migault <mglt.ietf@gmail.com> wrote: > I agree but in my opinion the draft has some scalability limitation and to > be useful needs to be combined with something else > That is not true. Perhaps for your use case, but not other people's use cases, such as highspeed (eg 10gbs+) DC interconnects with devices with multiple CPUs. It is very much "useful" without "something else" as we presented in the past with our benchmarks. - at least this is my understanding. Maybe I am biased as the use case it > may address is not the one we have. Do not get me wrong, I think the work > has been useful and should be documented. But I think that the alternative > that limits the number of SA is very attractive, especially for our > hardware implementations with a limited number of SA. > That is a very different use case. I agree that the advantage of the draft is that it is a very ow > hanging fruit but on the other hand - at least as I see it - > -ponchon-ipsecme-anti-replay-subspaces provides a complete solution to the > scalability concern we have. > See my previous posting to the list. There might be IPR issues to address first before a solution like that draft can be adopted to the WG. Regardless, it is a different solution that does change the security properties and the Child SA properties. I believe this work does fall under the "ESP update" work, independently of this draft, that requires no update to ESP. I agree ESP-v4 should be considered natively, but I would like > -ponchon-ipsecme-anti-replay-subspaces to be implemented with the current > ESP mostly so we do not wait ESP-v4 to have it. Actually at Ericsson we > would like to implement the standard version of > -ponchon-ipsecme-anti-replay-subspaces in a reasonable delay -- i.e. next > year. > Provided the IPR issues are resolved, the WG surely can look at this. Although as has been pointed out, if anti-reply is your only issue, then perhaps the easiest thing to deploy right now would be ESP without replay protection enabled? And trust that the application layer (TCP, QUIC, UDP applications) handle out-of-order or duplicate packets themselves. To clarify my position I am not opposed to the adoption of the draft. My > position is that it gets published as soon as possible as an experiment > that paves the way for a more complete solution. In other words, I think we > should not have the document being discussed for years in the WG. > That is generally true for every document in every WG :) I think people in the WG have shown that there is some urgently to addressing ESP performance issues. But the WG is all of us, so all of us need to keep the speed going on this. I think it would be good to get a problem statement doc out as Steffen indicated, so that we know all the issues we want to address in ESP. Paul
- [IPsec] IPsecME WG Adoption call for draft-pwoute… Tero Kivinen
- Re: [IPsec] IPsecME WG Adoption call for draft-pw… Valery Smyslov
- Re: [IPsec] IPsecME WG Adoption call for draft-pw… Pierre Pfister (ppfister)
- Re: [IPsec] IPsecME WG Adoption call for draft-pw… Paul Wouters
- Re: [IPsec] IPsecME WG Adoption call for draft-pw… Michael Richardson
- Re: [IPsec] IPsecME WG Adoption call for draft-pw… Christian Hopps
- Re: [IPsec] IPsecME WG Adoption call for draft-pw… Panwei (William)
- Re: [IPsec] IPsecME WG Adoption call for draft-pw… Daniel Migault
- Re: [IPsec] IPsecME WG Adoption call for draft-pw… Steffen Klassert
- Re: [IPsec] IPsecME WG Adoption call for draft-pw… Daniel Migault
- Re: [IPsec] IPsecME WG Adoption call for draft-pw… Paul Wouters