Re: [IPsec] Why ipsecme-anti-replay-subspaces is needed.

Ben Schwartz <bemasc@meta.com> Mon, 04 December 2023 15:19 UTC

From: Ben Schwartz <bemasc@meta.com>
To: "Pierre Pfister (ppfister)" <ppfister=40cisco.com@dmarc.ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Why ipsecme-anti-replay-subspaces is needed.
Date: Mon, 04 Dec 2023 15:19:04 +0000
Message-ID: <BN8PR15MB3281F0E49E1658F0E3DFE01AB386A@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <CO1PR11MB49461176E5106D8965E5610DDF86A@CO1PR11MB4946.namprd11.prod.outlook.com>
In-Reply-To: <CO1PR11MB49461176E5106D8965E5610DDF86A@CO1PR11MB4946.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IFA38kdi851Ai30xhM_suTSD0ns>
Subject: Re: [IPsec] Why ipsecme-anti-replay-subspaces is needed.

As I've mentioned previously, I think this draft is valuable for "network-to-network" tunneling, where the sender and receiver are both represented by a large (and evolving) collection of gateways (perhaps sharing IPs via anycast).  This situation requires O(N^2) SAs in the current protocol, but with sequence number subspaces it can be arranged with O(N) or even O(1) SAs.

--Ben Schwartz
________________________________
From: IPsec <ipsec-bounces@ietf.org> on behalf of Pierre Pfister (ppfister) <ppfister=40cisco.com@dmarc.ietf.org>
Sent: Monday, December 4, 2023 3:52 AM
To: ipsec@ietf.org <ipsec@ietf.org>
Subject: [IPsec] Why ipsecme-anti-replay-subspaces is needed.

Hi all,

I'd like to encourage a discussion here around why the solution described in draft-ponchon-ipsecme-anti-replay-subspaces is needed, and why draft-ietf-ipsecme-multi-sa-performance is not sufficient for us.

So far, we have received feedback from people supporting our work and sharing the same need. I'd like to encourage those people to take part in this thread.

We have received pushback from Tero. But I am curious to know whether other people share the same opinion, or not.

To bootstrap the conversation, I'd like to answer Tero's comment (from the recording, with little paraphrasing):

"Creating 144 IPsec SAs should take less than a tenth of a second. IKEv2 has a windowing mode. With really big systems, creating more SAs is not an issue."

We unfortunately cannot afford to throw more cores at every scaling issue that we have. IPsec hardware is pretty much limited today by how many keys you can store, and IKEv2 by how many SAs you must negotiate (a big concern when PFS is enabled).

We need to establish peerings with 10k peers. All our control-plane daemons, routing protocols, IKEv2, must run on one or two cores to leave room for the actual data-plane features.

What exactly did you mean by "big systems"?

To give a more concrete example:

One of the reasons for the IKEv2 design was to support multiple traffic selectors per SA (see point 9 in https://www.rfc-editor.org/rfc/rfc7296#appendix-A). In IKEv1, the design was also to throw more SAs at the problem: someone who needed multiple different traffic selectors would create multiple SAs. We are repeating the same historical mistake now, but with cores instead of traffic selectors.

The multi-sa draft is not bad and surely solves some of the problems. However, it also emphasizes that we're back to the same issues as IKEv1, trying to solve our modern performance problems by adding more SAs.
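The mechanism this thread is arguing over, as an added example that is not part of either message and not code from draft-ponchon-ipsecme-anti-replay-subspaces, draft-ietf-ipsecme-multi-sa-performance, or any IPsec implementation. ESP today gives each SA one monotonically increasing sequence counter checked against one anti-replay window, so senders that cannot share a counter (cores, or the gateways in Ben's network-to-network case) each need their own SA. The simulation below carves the 64-bit ESN into a sub-space id (high bits) and a per-sender counter (low bits) and keeps one RFC 4303-style window per sub-space at the receiver; the 8/56 bit split, the window size and the traffic trace are assumptions constructed for the demonstration, not the draft's wire format. It shows why independent senders cannot simply share today's single window: half of their legitimate packets look like replays, while true replays are dropped in both modes.

```python
"""Anti-replay checking for one ESP SA shared by several senders, with and
without sequence-number sub-spaces.

Added example for this thread; not code from either draft or from any IPsec
stack.  Assumed (not taken from the drafts): the 64-bit ESN is split into a
sub-space id in the high SUBSPACE_BITS bits and a per-sender counter in the
low bits; the receiver keeps one sliding window per sub-space.
"""

SEQ_BITS = 64
SUBSPACE_BITS = 8                       # assumption: up to 256 senders per SA
COUNTER_BITS = SEQ_BITS - SUBSPACE_BITS
WINDOW_SIZE = 64                        # RFC 4303 requires >= 32; 64 is common


def make_seq(subspace: int, counter: int) -> int:
    """Compose the ESN a sender in `subspace` places on its `counter`-th packet."""
    if not 0 <= subspace < (1 << SUBSPACE_BITS):
        raise ValueError("sub-space id out of range")
    if not 0 <= counter < (1 << COUNTER_BITS):
        raise ValueError("per-sub-space counter exhausted; rekey required")
    return (subspace << COUNTER_BITS) | counter


def split_seq(seq: int) -> tuple[int, int]:
    """Inverse of make_seq: (sub-space id, per-sub-space counter)."""
    return seq >> COUNTER_BITS, seq & ((1 << COUNTER_BITS) - 1)


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 section 3.4.3."""

    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.top = -1                   # highest sequence number accepted so far
        self.bitmap = 0                 # bit i set <=> seq (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Accept `seq` if it is new and within the window; reject otherwise."""
        if seq > self.top:              # advances the right edge of the window
            shift = seq - self.top
            if shift >= self.size:      # jumped past the whole window: start fresh
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= self.size:         # older than the window: cannot tell, drop
            return False
        if self.bitmap & (1 << behind): # already seen: replay
            return False
        self.bitmap |= 1 << behind      # late but new: accept (reordering)
        return True


class Receiver:
    """Receiver side of one SA: one window (today) or one window per sub-space."""

    def __init__(self, use_subspaces: bool) -> None:
        self.use_subspaces = use_subspaces
        self.windows: dict[int, ReplayWindow] = {}

    def accept(self, seq: int) -> bool:
        if self.use_subspaces:
            sub, counter = split_seq(seq)
        else:
            sub, counter = 0, seq       # single SA-wide window, as today
        return self.windows.setdefault(sub, ReplayWindow()).check_and_update(counter)


def encode(sender: int, counter: int, use_subspaces: bool) -> int:
    """What `sender` puts on the wire for its `counter`-th packet on the shared SA."""
    return make_seq(sender, counter) if use_subspaces else counter


def constructed_trace() -> list[tuple[int, int]]:
    """Constructed (sender, counter) pairs: two senders interleaved, then a reorder."""
    trace = [(s, i) for i in range(10) for s in (0, 1)]
    trace += [(0, 11), (0, 10)]         # sender 0 reordered, still inside the window
    return trace


REPLAYS = [(0, 5), (1, 7)]              # constructed: attacker re-sends two packets


def simulate(use_subspaces: bool) -> dict[str, int]:
    """Run the constructed trace plus replays through one receiver; count outcomes."""
    rx = Receiver(use_subspaces)
    legit = constructed_trace()
    legit_ok = sum(rx.accept(encode(s, c, use_subspaces)) for s, c in legit)
    replays_dropped = sum(not rx.accept(encode(s, c, use_subspaces)) for s, c in REPLAYS)
    return {"legit_total": len(legit), "legit_accepted": legit_ok,
            "replays_total": len(REPLAYS), "replays_dropped": replays_dropped}


if __name__ == "__main__":
    for mode in (False, True):
        print("per-sub-space windows" if mode else "single window", simulate(mode))
```

With a single window, the second sender's counters collide with the first's and are dropped as replays (12 of 22 legitimate packets get through); with per-sub-space windows all 22 are accepted and the two replayed packets are still rejected. That per-sender independence is what lets N senders share one SA instead of negotiating one SA per sender pair.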