IETF Logo Mail Archive

[IPsec] Comments on draft-pwouters-multi-sa-performance

"Panwei (William)" <william.panwei@huawei.com> Fri, 29 October 2021 02:19 UTC

Return-Path: <william.panwei@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CE023A0959; Thu, 28 Oct 2021 19:19:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZRESOKMaRDE; Thu, 28 Oct 2021 19:19:43 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94F1D3A0954; Thu, 28 Oct 2021 19:19:43 -0700 (PDT)
Received: from fraeml705-chm.china.huawei.com (unknown [172.18.147.207]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4HgQxn4Vw8z67WcW; Fri, 29 Oct 2021 10:15:25 +0800 (CST)
Received: from kwepeml100004.china.huawei.com (7.221.188.19) by fraeml705-chm.china.huawei.com (10.206.15.54) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2308.15; Fri, 29 Oct 2021 04:19:39 +0200
Received: from kwepeml500004.china.huawei.com (7.221.188.141) by kwepeml100004.china.huawei.com (7.221.188.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.15; Fri, 29 Oct 2021 10:19:37 +0800
Received: from kwepeml500004.china.huawei.com ([7.221.188.141]) by kwepeml500004.china.huawei.com ([7.221.188.141]) with mapi id 15.01.2308.015; Fri, 29 Oct 2021 10:19:37 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: "draft-pwouters-ipsecme-multi-sa-performance@ietf.org" <draft-pwouters-ipsecme-multi-sa-performance@ietf.org>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Comments on draft-pwouters-multi-sa-performance
Thread-Index: AdfL2PwR5lphcqWoSvCzgV2vdsvQZA==
Date: Fri, 29 Oct 2021 02:19:37 +0000
Message-ID: <cc0b5528e7c047e0a9073f637218f013@huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.99.246]
Content-Type: multipart/alternative; boundary="_000_cc0b5528e7c047e0a9073f637218f013huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/KdE3xM08uJyLnOIK63HeuEWv3t0>
Subject: [IPsec] Comments on draft-pwouters-multi-sa-performance
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Oct 2021 02:19:46 -0000

Hi authors,

I’ve read the recent version. This is an interesting solution. I think it should be adopted. Below are some comments.

1.
The CPU_QUEUES notification value refers to the number of additional
resource-specific Child SAs that may be installed for this particular
TSi/TSr combination excluding the Fallback Child SA.
Is it necessary to limit the amount of additional SAs at the beginning while TS_MAX_QUEUE can be used to reject the request of creating additional SA at any time? In the virtualization scenario, the new VMs can be launched on-demand, in other words, it may be seen as the number of CPUs isn’t fixed, so maybe limiting the addition SAs at the beginning will damage the flexibility.

2.
The CPU_QUEUES notification payload is sent in the IKE_AUTH or
CREATE_CHILD_SA Exchange indicating the negotiated Child SA is a
Fallback SA.
Before additional SAs are created, is there any difference between using this first/Fallback SA and using other normal SA? I think there is no difference. So maybe we don’t need to add this notification payload when creating the first SA. When the initiator wants to create an additional SA, it can directly send the request with CPU_QUEUE_INFO notification payload. There are 3 ways that the responder may reply: 1) The responder doesn’t support/recognize this notification, it will ignore this notification and reply as usual. 2) It supports this function and is willing to create the additional SA, so it will reply with CPU_QUEUE_INFO notification too. 3) It supports this function, but it isn’t willing to create more additional SAs, so it will reply with TS_MAX_QUEUE. Therefore, it seems like that CPU_QUEUE_INFO and TS_MAX_QUEUE these 2 notifications are enough to use, and the draft can be simplified to only use these 2 notifications.

3.
Both peers send
the preferred minimum number of additional Child SAs to install.
First, I think sending the number of additional Child SAs is unnecessary. Second, when using “minimum” here my first impression is that it means 0, so in order to remove ambiguity I suggest just saying “the preferred number” (if you think sending the number is necessary).

4.
If a CREATE_CHILD_SA exchange request containing both a
CPU_QUEUE_INFO and a CPU_QUEUES notification is received, the
responder MUST ignore the CPU_QUEUE_INFO payload. If a
CREATE_CHILD_SA exchange reply is received with both CPU_QUEUE_INFO
and CPU_QUEUES notifications, the initiator MUST ignore the
notification that it did not send in the request.
I think there is ambiguity here. When the initiator sends the CREATE_CHILD_SA exchange request containing both a CPU_QUEUE_INFO and a CPU_QUEUES notification, and the responder also adds CPU_QUEUE_INFO and CPU_QUEUES notifications in the reply, the initiator doesn’t know how to process with this situation, should the initiator ignore the CPU_QUEUE_INFO payload or notify an error to the responder?


Regards & Thanks!
Wei Pan (潘伟)

v2.23.0 | Report a Bug | By Email