Re: [IPsec] Discussion of draft-pwouters-ipsecme-multi-sa-performance

Paul Wouters <paul@nohats.ca> Thu, 27 October 2022 12:46 UTC


On Oct 27, 2022, at 08:40, Paul Ponchon (pponchon) <pponchon=40cisco.com@dmarc.ietf.org> wrote:
> Is this requirement only based on not reusing the same IV on different cores or is there an additional factor I missed?

For AES-GCM there is a maximum of 2^32 operations per private key as well.

>  
> We're currently facing some scalability issues with using multiple Child SAs and we think it is possible to reuse the same keymat on all the per-CPU SAs.

On 100 Gbps links the counter is already super low; splitting the IV space further wouldn't work well, I think.

>  And we would also ensure that the keymat is used in a FIPS compliant manner.

How would you keep track of the 2^32 max operations (this happens in minutes on 100 Gbps links)?

> Would there be any other concerns in reusing the same keymat between multiple SAs?

See above, but also, right now userland pushes keys and wipes them. Anything that needs to remember private IPsec keys in userland would be undesirable.

Paul
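
Added example, not part of the original message or of the draft: a small Python model of the 2^32-operations budget mentioned in the reply, showing how long it lasts at 100 Gbps and how the lifetime changes when one key is shared across per-CPU SAs with statically partitioned counters. The packet sizes, the 16 CPUs, the 25% hot-CPU traffic share and the static partition scheme are assumptions chosen for illustration.

```python
# Added example: budget model for the 2^32 figure quoted in the message.
# Link rate, packet sizes, CPU count and traffic share are constructed values.

BUDGET = 2**32  # operations per key, as stated in the message


def packets_per_second(link_bps, packet_bytes):
    """Packets per second on a saturated link, ignoring framing overhead."""
    return link_bps / (packet_bytes * 8)


def seconds_to_exhaust(budget, pps):
    """Time until `budget` packets have been encrypted at rate `pps`."""
    return budget / pps


def partition(budget, cpus):
    """Disjoint per-CPU counter ranges for one key shared by all per-CPU SAs
    (assumed static split; each CPU may only use counters in its own range)."""
    size = budget // cpus
    return [range(i * size, (i + 1) * size) for i in range(cpus)]


def shared_key_lifetime(link_bps, packet_bytes, cpus, hot_share):
    """Seconds until the busiest CPU uses up its slice of a shared key.
    hot_share is the fraction of all traffic handled by that CPU; the key
    has to be replaced as soon as any single slice is exhausted."""
    slice_size = len(partition(BUDGET, cpus)[0])
    hot_pps = packets_per_second(link_bps, packet_bytes) * hot_share
    return seconds_to_exhaust(slice_size, hot_pps)


def per_sa_key_lifetime(link_bps, packet_bytes, hot_share):
    """Seconds until the busiest CPU exhausts its own key (one key per SA)."""
    hot_pps = packets_per_second(link_bps, packet_bytes) * hot_share
    return seconds_to_exhaust(BUDGET, hot_pps)


if __name__ == "__main__":
    for size in (64, 1500):
        whole = seconds_to_exhaust(BUDGET, packets_per_second(100e9, size))
        shared = shared_key_lifetime(100e9, size, cpus=16, hot_share=0.25)
        own = per_sa_key_lifetime(100e9, size, hot_share=0.25)
        print(f"{size:>5} B  single SA {whole:7.1f} s  "
              f"shared key {shared:6.1f} s  per-SA keys {own:7.1f} s")
```

With a shared key the rekey deadline is set by the busiest CPU's slice, so uneven traffic shortens the key lifetime even while other slices are mostly unused.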