[IPsec] I-D Action: draft-ietf-ipsecme-multi-sa-performance-04.txt
Tero Kivinen <kivinen@iki.fi> Mon, 18 March 2024 09:31 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/KVmCpS1wWBDYIxguBGq1mAr_Q38>

internet-drafts@ietf.org writes:
> Internet-Draft draft-ietf-ipsecme-multi-sa-performance-04.txt is now
> available. It is a work item of the IP Security Maintenance and Extensions
> (IPSECME) WG of the IETF.
>
> Title: IKEv2 support for per-resource Child SAs

This seems to cover my comments until section 5, but does not cover
the changes for section 5.1, 6, and 9. Are there some issues with those
comments?

----------------------------------------------------------------------

In section 5.1 you say that Protocol ID MUST contain either 2 for AH
and 3 for ESP, but RFC7296 says that "If the SPI field is empty,
this field MUST be sent as zero and MUST be ignored on receipt." and
as this notify is sent with empty SPI field, then the Protocol ID
field MUST be 0 also.

--

In section 5.1 add text saying that SPI Size MUST be zero.

--

In section 5.1 fix s/opague/opaque/ twice.

--

In section 6 there is text saying:

    If the IKEv2 extension defined in this document is negotiated with
    the peer, an implementation which does not support receiving per-CPU
    packet trigger messages MAY initiate all its Child SAs immediately
    upon receiving the (only) packet trigger message it will receive from
    the IPsec stack.

On the other hand there is no negotiation of this extension. What is
this text trying to say? Perhaps simply remove change to say "If an
implementation does not support ... it MAY ..."

--

Section 9 the correct heading for the IANA registries 2nd column are

    Notify Messages - Status Types

and

    Notify Messages - Error Types

Currently the figure 2 is using status type header and even that does
not match IANA registry.

--
kivinen@iki.fi
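
An added example, not part of the original message or of the draft: a small checker for the two Notify payload points raised above about section 5.1 (Protocol ID sent as zero when the SPI field is empty, and SPI Size zero), using the Notify payload layout from RFC 7296 section 3.10. The notify type 40960 is a constructed private-use value, and `build_notify`, `parse_notify` and `sender_violations` are hypothetical helper names.

```python
import struct

# Generic payload header (next payload, flags, length) followed by
# Protocol ID, SPI Size and Notify Message Type (RFC 7296 section 3.10).
HEADER = struct.Struct("!BBHBBH")
CONSTRUCTED_TYPE = 40960  # constructed private-use status type, not from the draft

def build_notify(proto_id, ntype, data=b"", spi=b""):
    """Build a Notify payload for the sample inputs below."""
    length = HEADER.size + len(spi) + len(data)
    return HEADER.pack(0, 0, length, proto_id, len(spi), ntype) + spi + data

def parse_notify(payload):
    """Receiver-side parse: Protocol ID is reported but never acted on."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated Notify payload")
    _next, _flags, length, proto_id, spi_size, ntype = HEADER.unpack_from(payload)
    if length != len(payload) or HEADER.size + spi_size > length:
        raise ValueError("inconsistent length fields")
    spi_end = HEADER.size + spi_size
    return {
        "protocol_id": proto_id,
        "spi_size": spi_size,
        "type": ntype,
        # Types below 16384 are error types, the rest are status types.
        "registry": "error" if ntype < 16384 else "status",
        "spi": payload[HEADER.size:spi_end],
        "data": payload[spi_end:],
    }

def sender_violations(payload):
    """Conformance lint for a sender of an SPI-less notify."""
    n = parse_notify(payload)
    issues = []
    if n["spi_size"] != 0:
        issues.append("SPI Size must be zero for this notify")
    elif n["protocol_id"] != 0:
        issues.append("Protocol ID must be sent as zero when the SPI field is empty")
    return issues

# Constructed samples: the same notify with Protocol ID 0 and with 3 (ESP).
GOOD = build_notify(0, CONSTRUCTED_TYPE, b"cpu-3")
BAD = build_notify(3, CONSTRUCTED_TYPE, b"cpu-3")

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, sender_violations(pkt))
```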