Re: [IPsec] AD Review of draft-ietf-ipsecme-multi-sa-performance-05

Roman Danyliw <rdd@cert.org> Wed, 20 March 2024 05:33 UTC

From: Roman Danyliw <rdd@cert.org>
To: Paul Wouters <paul@nohats.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] AD Review of draft-ietf-ipsecme-multi-sa-performance-05
Date: Wed, 20 Mar 2024 05:33:15 +0000
Message-ID: <BN2P110MB1107AC8AA10D8303A655EC43DC33A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB1107C9B13992DEA871075535DC2CA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <9b6434ab-8c41-cc4c-65c9-ee61d44d4cf7@nohats.ca>
In-Reply-To: <9b6434ab-8c41-cc4c-65c9-ee61d44d4cf7@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Q1XLwkza7kWW0UBCT0PV2eRN0-E>
Subject: Re: [IPsec] AD Review of draft-ietf-ipsecme-multi-sa-performance-05

Hi!

Thanks for the quick response.  Below is a bit more editorial back-and-forth for a small number of issues.  All of the other discussion removed from the thread made sense for the future -06 that can go to IETF LC.

> -----Original Message-----
> From: Paul Wouters <paul@nohats.ca>
> Sent: Wednesday, March 20, 2024 12:26 AM
> To: Roman Danyliw <rdd@cert.org>
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] AD Review of draft-ietf-ipsecme-multi-sa-performance-05
> 
> On Tue, 19 Mar 2024, Roman Danyliw wrote:
> 
> > I performed an AD review of draft-ietf-ipsecme-multi-sa-performance-05.  I
> > have mostly editorial feedback below:
> >

[snip]

> And answering that:
> 
>         Most IPsec implementations are currently limited to using one
>         hardware queue or a single CPU resource for a Child SA. Paralyzing
>         the packet encryption can be done, but there is a bottleneck of
>         different parts of the hardware locking or waiting to get their
>         sequence number assigned for the packet it is enrypting. The
>         result is that a machine with many such resources is limited to
>         only using one of these resources per Child SA. This severely
>         limits the throughput that can be attained. For example, at the
>         time of writing, an unencrypted link of 10Gbps or more is commonly
>         reduced to 2-5Gbps when IPsec is used to encrypt the link using
>         AES-GCM. By using the implementation specified in this document,
>         aggregate throughput increased from 5Gbps using 1 CPU to 40-60
>         Gbps using 25-30 CPUs.

Maybe s/Paralyzing the packet encryption/Running packet stream encryption in parallel/

Also.  s/enrypting/encrypting/.

Otherwise, LGTM.

[snip]

> > ** Section 4.  Is this section normative?  Why are RFC2119 key words used in
> > an example?
> 
> Why do you say this is an example? It is the Implementation Considerations
> section telling you to do or do not some things?

==[ snip ]==
   There are various considerations that an implementation can use to
   determine the best way to install multiple Child SAs.  Below are
   examples of such strategies.
==[ snip ]==

I inferred this text to be non-normative and only examples because the second sentence said these were "examples".  Maybe just drop that second sentence to eliminate confusion?

> > ** Section 6.
> >   Peers SHOULD be lenient with the maximum number of Child SAs they
> >   allow for a given TSi/TSr combination to account for corner cases.
> >
> > What does “lenient” mean here?
> 
> "account for corner cases" as explained further down?
> 
> Eg one should not use a hard max of 4 when one runs on a 4-CPU system.

Consider if "flexible" is what you want here instead.

Roman
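The draft paragraph quoted earlier in this thread (one CPU per Child SA, because every packet on an SA has to wait its turn for a sequence number) can be illustrated with a small receiver-side model. This is an added Python example, not code from the draft or from anyone in this thread; it assumes a 64-packet RFC 4303 anti-replay window and constructed packet streams, and shows why the shared per-SA counter is a serialization point and why per-CPU Child SAs, each with its own SPI and counter, remove it without breaking replay protection.

```python
from dataclasses import dataclass, field

# Constructed model of the constraint behind the single-CPU bottleneck: each
# ESP packet on a Child SA (one SPI) carries a unique, increasing sequence
# number, and the receiver enforces that with a per-SA anti-replay window
# (RFC 4303 sliding window; 64 packets wide in this model).
WINDOW = 64


@dataclass
class ReplayWindow:
    highest: int = 0                          # largest sequence number accepted
    seen: set = field(default_factory=set)    # numbers accepted inside the window

    def accept(self, seq: int) -> bool:
        if seq <= self.highest - WINDOW or seq in self.seen:
            return False                      # too old or a duplicate: dropped
        self.highest = max(self.highest, seq)
        self.seen.add(seq)
        self.seen = {s for s in self.seen if s > self.highest - WINDOW}
        return True


def deliver(packets):
    """Run (spi, seq) packets through per-SPI windows; return (accepted, dropped)."""
    windows, accepted, dropped = {}, 0, 0
    for spi, seq in packets:
        if windows.setdefault(spi, ReplayWindow()).accept(seq):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def shared_sa_serialized(cpus, per_cpu):
    """One SPI, one counter: every CPU must take a turn on the shared counter."""
    seq, pkts = 0, []
    for _ in range(per_cpu):
        for _cpu in range(cpus):
            seq += 1                          # the serialization point
            pkts.append((0x1000, seq))
    return deliver(pkts)


def shared_sa_uncoordinated(cpus, per_cpu):
    """One SPI but each CPU numbers packets on its own: duplicates on the wire."""
    return deliver([(0x1000, n) for n in range(1, per_cpu + 1) for _ in range(cpus)])


def per_cpu_sas(cpus, per_cpu):
    """The draft's approach: one Child SA (own SPI, own counter) per CPU."""
    return deliver([(0x1000 + c, n) for n in range(1, per_cpu + 1) for c in range(cpus)])
```

With four CPUs, the uncoordinated single SA loses three of every four packets to the replay check, while four per-CPU SAs deliver everything with no shared counter at all.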