Re: [IPsec] Discussion of draft-pwouters-ipsecme-multi-sa-performance

["Paul Ponchon (pponchon)" <pponchon@cisco.com>]

Hi,

Tero Kivinen writes:
> [Replying to this email, but commenting about the others also]
>
> Paul Wouters writes:
> > On Oct 21, 2022, at 03:37, Steffen Klassert <steffen.klassert@secunet.com<mailto:steffen.klassert@secunet.com>> wrote:
> > > Another possibility would be to use the same keymat on all
> > > percpu SAs
> >
> > You cannot do that. You need to ensure unique IVs for AEAD so you
> > would need to subdivide the IV space. You would also still reach max
> > operations on these SAs on different times AND things like FIPS puts
> > an operational max count on the key usage which you can’t do if the
> > key is used by multiple different states.
> >
> > Using different real child SA’s was needed to ensure the
> > cryptographic security properties.


Is this requirement only based on not reusing the same IV on different cores or is there an additional factor I missed?

> This is something that is really a important. The keymat between the
> CPUs can't be same, but we could in theory create a new key hierarchy
> that generates keys for each sub Child SAs for each CPU, but I think
> that will just complicate things more, and having real Child SAs for
> each cpu is the correct solution.

We're are currently facing some scalability issues with using multiple Child SAs and we think it is possible to reuse the same keymat on all the per cpu SAs.

For this to work and respect the uniqueness of the IV, some mechanism would be needed. But that can be implemented without per-packet locks for most ciphers (e.g., by splitting the IV space, or making bulk IV allocations). And we would also ensure that the keymat is used in a FIPS compliant manner.

Would there be any other concerns in reusing the same keymat between multiple SAs ?

> […]

Thanks,
Paul