IETF Logo Mail Archive

Re: [IPsec] Comments on draft-pwouters-multi-sa-performance

"Bottorff, Paul" <paul.bottorff@hpe.com> Fri, 05 November 2021 21:39 UTC

Return-Path: <prvs=0943f67691=paul.bottorff@hpe.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E35D3A0E67; Fri, 5 Nov 2021 14:39:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.09
X-Spam-Level:
X-Spam-Status: No, score=-2.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hpe.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QdMGFIGiwwbx; Fri, 5 Nov 2021 14:39:23 -0700 (PDT)
Received: from mx0a-002e3701.pphosted.com (mx0a-002e3701.pphosted.com [148.163.147.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB8C13A0E81; Fri, 5 Nov 2021 14:39:22 -0700 (PDT)
Received: from pps.filterd (m0150242.ppops.net [127.0.0.1]) by mx0a-002e3701.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1A5KfNPo022198; Fri, 5 Nov 2021 21:39:14 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hpe.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=pps0720; bh=GkhYnWbX8j4lkPBVQcQtmj69qVuGXQckfbPn6/tvmx4=; b=WodnRkefdyXgypAPQ8Zn0fKTQI/rt3ACYJ9IMuaTySim74EFeBdV1Ix5IZxujeNzBOxi ZYFD7xkaeHHnTjjgMF24Z8/PAv5y0fG3ulUKt/8Y8aD1jG0/Vk73NKAbalGLv1x6y2e5 t7/PwZQjS2+IWqWE1unFn8WVU0FDPewza+HqyGVlRXWi742uAC/3wpkyAnZwjmM2AqY6 4oidNcRwBc4fi7yz9wQdiwCVixFRXzxB5DcqFzCWUHj1tlnI+XoHVV2lBQWvfr4YKVf9 rMYn4NPuSX9DXctD7Xs5KxO0k41Y9lbaiuvlCFDVmKuDZQFQlCjE2FUeuNyfYJS+R2D9 6g==
Received: from g9t5009.houston.hpe.com (g9t5009.houston.hpe.com [15.241.48.73]) by mx0a-002e3701.pphosted.com with ESMTP id 3c4t4tnshm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 05 Nov 2021 21:39:14 +0000
Received: from G1W8106.americas.hpqcorp.net (g1w8106.austin.hp.com [16.193.72.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by g9t5009.houston.hpe.com (Postfix) with ESMTPS id 9E28D51; Fri, 5 Nov 2021 21:39:13 +0000 (UTC)
Received: from G9W8677.americas.hpqcorp.net (16.220.49.24) by G1W8106.americas.hpqcorp.net (16.193.72.61) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Fri, 5 Nov 2021 21:39:13 +0000
Received: from G4W10205.americas.hpqcorp.net (2002:10cf:520f::10cf:520f) by G9W8677.americas.hpqcorp.net (2002:10dc:3118::10dc:3118) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Fri, 5 Nov 2021 21:39:13 +0000
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (15.241.52.10) by G4W10205.americas.hpqcorp.net (16.207.82.15) with Microsoft SMTP Server (TLS) id 15.0.1497.23 via Frontend Transport; Fri, 5 Nov 2021 21:39:12 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QPix/8Pli3ioXLSS0YxV4TplNYhSRaeCp4fpkMIo6Z81GjI1LgADSfm/Rn9F/dcAODNsDSUTyKpqaA9IImYpSjfa4aU25gWva0QE9sjPvfmx0z8KNd/CZ0JfY4wZfTcVcdD5yukd1ae80phsnRhcxLa65k1h7zRE8kLpIMJ27OEQtOlqsy7Z5KQZNPTcJ3VwdFxkG3vj4VHZxOwcsj2bQaGDIhKNptlGugCjQbxJRXjUr41CyeDLid7jkYggjdyRphbd5NOBOWJ6KgiqPtLMFchIzbIXuPAaqv/v3Dmcq8WorNKQ37n1x6iGvSCLyh917eq3Fk240cX9wczM3u2ocw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GkhYnWbX8j4lkPBVQcQtmj69qVuGXQckfbPn6/tvmx4=; b=W2wt1LbGLFXujCEzVs1429ibGHkOJO47/S/IU9szLs6lYcxhSDGuuMklezzvH7JejrawV0Pt2/rt6GcbfS2A0rzjObr67Cpjwa3WnnXIIAiVZTIb5OQu2eN3wKR3tzmgE2ZLZWBjCpZfOQZ3/CpvGgXNwi9cBk/xODDOH5u1O0XWM12uIjSZHiOFB4x2XWZpt0HhFZcykVe65TuiN+gk+iR3/mZlq3bXHZP1q4EP995w5AmfREWC795USSH9HhIH5XdQ70wiCGS7Oj/P7/Q8JtB3xaH5GXO9LoztSGm2QWxcXHCrYD+cSwwDtvTSX3XJmbd3TccHWOBCX57SCKxHtQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=hpe.com; dmarc=pass action=none header.from=hpe.com; dkim=pass header.d=hpe.com; arc=none
Received: from CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM (2a01:111:e400:7507::23) by CS1PR8401MB0581.NAMPRD84.PROD.OUTLOOK.COM (2a01:111:e400:7514::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.13; Fri, 5 Nov 2021 21:39:11 +0000
Received: from CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM ([fe80::44db:61fc:e3ef:528a]) by CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM ([fe80::44db:61fc:e3ef:528a%6]) with mapi id 15.20.4669.013; Fri, 5 Nov 2021 21:39:05 +0000
From: "Bottorff, Paul" <paul.bottorff@hpe.com>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, "Panwei (William)" <william.panwei@huawei.com>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, "draft-pwouters-ipsecme-multi-sa-performance@ietf.org" <draft-pwouters-ipsecme-multi-sa-performance@ietf.org>
Thread-Topic: [IPsec] Comments on draft-pwouters-multi-sa-performance
Thread-Index: AdfL2PwR5lphcqWoSvCzgV2vdsvQZADwHJUAALvtirA=
Date: Fri, 05 Nov 2021 21:39:05 +0000
Message-ID: <CS1PR8401MB11924248C78CF59B633D931EFE8E9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM>
References: <cc0b5528e7c047e0a9073f637218f013@huawei.com> <3c525728-22e8-d5ef-f183-c2c9d622cc54@nohats.ca>
In-Reply-To: <3c525728-22e8-d5ef-f183-c2c9d622cc54@nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=hpe.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 936c40a9-2d00-4e05-4cc1-08d9a0a4b133
x-ms-traffictypediagnostic: CS1PR8401MB0581:
x-microsoft-antispam-prvs: <CS1PR8401MB05812DCF0CDBC6E8E7C98E0BFE8E9@CS1PR8401MB0581.NAMPRD84.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: vFjch0SBMAr5JTtqH4SLJ20yX9pbH8kAi7juXvcOX9/P3PstyldUbVRrjOTaEGsLYHrKZ63CcLYwx0EPmWojbaAn2b4Bs9rHzaljNE2iZQ/XWyp9/zAGeIjqWxgNhMBsY7QL6TzoAma0JJRamFbGTpREXJRcXBla1p0iJnhQ2B2UnDJPH2bNYy+8fnkUnLY66xlKfjETAxETi1tD91p2wjhjI0V9/x5BdU0rjsz2LUnE2Q65AAx4gzhvVWMSS+wVSAcw3vcn1os8D0GCPT4F9Rt81Gc/+XqYOI4nZVVuZPBQyPx0n6wmbD7dKV3rkLrV/0MUjmJM+43a4awqtG+rq94ulBdST43M/vFv4YFMhHyG50Q7niUgsnuYhoME+cimgf8GC4snLnlt5NVfrpf+WXb1GX3PYy9PqXQuu8bKbVoDqhhg2rxMOkTZbl2lIYeCrc7xLh5PJLpbMoIu9zA6cd4pQAYyL4TDEFctNcTSWkn0+DSPOSkSyYPNfeDGPgYUMVpBvcDCJ0ZlVMlOIIvHJUgk4pLY9hvOb4Oar/4EJoxBAIMb1pQnnVHVNJw0uI39NrsqX1WKx2I4lURwUUMREupWveQ+TR0Q5NFB3NIzL3hmdK9hKr7QjMPeroHq4G2eTmR8DTT+JRcGbbs78EoP2QI2DbPFEcDWjo98+rQOHCXJIgeWnj8ThyE/24zh3cPMI5oOn2tTCnNcj3Xdh0vUmA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(316002)(38100700002)(110136005)(7696005)(122000001)(6506007)(55016002)(53546011)(66476007)(83380400001)(4326008)(82960400001)(8676002)(9686003)(54906003)(66574015)(52536014)(55236004)(33656002)(5660300002)(8936002)(508600001)(86362001)(66946007)(38070700005)(66446008)(66556008)(26005)(76116006)(64756008)(186003)(71200400001)(2906002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: db5LOQz4IxjRJ5qGXFcIRsR6hXJgOcM0zlJtDdkKNyE6/qpvy1P73Cjcnh/SGnWnPRFbeguzGCSnQ1mLJfZNrmJCboJ0FLeKQkzVHNehjQX1c6ppFQBe+8E3sxfy2rU10+ECwSmsn4SXQLrs7nmIZAQ1N+5bXO90qjmNbN0vc2tTr8yp1Mr//9F5JLGhUPrJHc+Mp5KJun/80efQ2yNOGhiZWa08qN1LRgfwo28HTGXFqoncSJyzhb2bxoQJ9dJgcfPg/tNQFsIEackxP7vI/s1biaKKJZ4dwNfMocshhWsffIKGYrtGpsFvlVn+ML4mj0dgCsFR1i2Z14bbsrY0TmZ0Qd3k3uSScQRBl0Ndgj8e3eG9z5diinn1HT/URvv3Dah8NX6ivjtMKMxygU4Eno2sD14a3EPl3K3TaFU4pHdXiec+JH76LKtppkwSNeUFFgpN67NnPGfrFJoWYPkrunSsost3ekUl+HshPtljVoS/BViJslFioTqnfOoaj6zgprlD1ansAm3blSR9vRT9cdBB/1f5OFLsaYe6CUJHHrb7taWaAgNxOBJ7OZ7uuzONvqq1iznsMDWCdO+wxIUS3Mt5KixP0zSD0WfyRQLUoi+wtOk1IemocVYVA9L9l8zVS/IhPCkXrR0r00oW0z+rb2KW+f6TnSPPLrQwn3KfA6ixst1uY4dXBgc1UcoggkYObCkivJDB/tpJjlKBxPx0F/3G21pVf2qLbIFlPgGF7EjaZeCV1hTS//RChKLgqvJI8BBIYNkizoIMXZ37br/T7Il1kr9eB/l6kG1KhA6FzgEL4Geri5KmJPs5LB1tge0FpGGCiphWZ5YxZnMmHEySAuiml9BNFeDGo+Z4XUB9X/Cs0wzZe+WIRRBTMkovgR9bG9O+ssMqNNpjJIE35JNVt37tNT4UdV78DrzIWr4NyEFlbI/9bqjf/0YdtyVKAp0D3rXc4bFi8PJH+ayNTXACo+89nU1MvxT/OeTg56Afdr58jZLTh6/2Y3KiLu82nNMTYb9O+cqFOXEYJNqFQPcKR+SOd3esztjV5+90kt3ihehWALPgK2+m+0SBs1jiIMFx5Tml3J4kZfHYmQJ+DoplnbXHB6aTRLAL1o5Y/35bZbA6mI7w2F9c4i5uxCMevgmAgPErHpZL/dQMRFhOEVEtmvHVGDOC7HGJJge0rPerQc6huIiAmb/Wi04hQ41FkhpgNErLIADvGm6vO3M+IB8v6K3w+gBgirb5Dxzc7i6wEpvFN6Qr38O77uJtXqSThYPzDdQqjzMz6PxO7d64+K4ZoPfaIE1XVa7LBjCO3MQi1iVVfRQqpluctnqBO0mPLs5sLkWFqynwk6SK+r212XIov4rrA3BPEB6NLrBdXQ1l00nr5LiQUtXYae0Ba30AH6uGcWBpxpLTRWs2NgdAfYgnN0jHkrWxYCEDax+1ZJzisXcc1lVhQvhxrl5uU0LamBYEU5IjKQrji8EIA5FxwloyZrqiqdR0M+s94Ry8BCZBx0/3QrciMqE6vmVHQvOAMs01bg2FDWNuWZAM8k8iin5sfnJ34QpQQ83Ddn+ivavRD6Tp66uHbCseRlE3zJXTyvwrf0MGGIbWmQVZfSrZtYgs3La3YJdkctgZ6pXpYrm129E=
Content-Type: text/plain; charset="utf-8"
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 936c40a9-2d00-4e05-4cc1-08d9a0a4b133
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Nov 2021 21:39:05.6106 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 105b2061-b669-4b31-92ac-24d304d195dc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Y4yo77sYXBAPDy3G1g6y7u/T2laOCV8qKz/i6fZnMEoVdxetbZrJXyAJq2CynbbusWpXxaa2Sv4Stlkp51CWUw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CS1PR8401MB0581
X-OriginatorOrg: hpe.com
X-Proofpoint-ORIG-GUID: 6YhqIuiUHK7ghJBSq5CB8mCPgm_4dToo
X-Proofpoint-GUID: 6YhqIuiUHK7ghJBSq5CB8mCPgm_4dToo
Content-Transfer-Encoding: base64
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
X-HPE-SCL: -1
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475 definitions=2021-11-05_03,2021-11-03_01,2020-04-07_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 impostorscore=0 mlxlogscore=999 lowpriorityscore=0 malwarescore=0 suspectscore=0 spamscore=0 phishscore=0 adultscore=0 bulkscore=0 mlxscore=0 clxscore=1011 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111050116
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/RIHVzAi7ownVZ8b4aNTKQ_VaCi4>
Subject: Re: [IPsec] Comments on draft-pwouters-multi-sa-performance
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Nov 2021 21:39:29 -0000

Hi Paul:

I've reviewed your draft to determine if it is viable as a solution to the network multi-pathing problems I've been investigation. Though I have no objection to your solution for multi-cpu balancing, it does not seem to provide a reasonable alternative to draft-xu-ipsecme-esp-in-udp-lb-08 for network multi-pathing. Hopefully, we can move forward with draft-xu-ipsecme-esp-in-udp-lb-08 for network multi-pathing. We currently have it implemented and working quite successfully in our smart NICs.

For network multi-pathing within a highly meshed data center we want to be able to create an identifier for every flow to allow the network to perform load balancing algorithms which measure the load on links and dynamically shift flows to achieve balance (rather than balancing the number of flows on links). For a typical big server we would expect 100s of flows and for a network middle box we would expect 1000s. The amount of state required to carry independent SA state for each of these is troublesome.

Further, to use the additional SAs we would need to dynamically generate new identical SAs based on a current flow table which will result in startup delays for new flows as we establish the new SA.

Finally, even though some of the switches some of the time could add the SPI into their hash for IPsec packets (and use a different hash for other packets), this feature is not available universally across all data center switches and router. Also the standard procedure for existing data center switches, even those that could generate a special hash for SPI, is to use 5 tuple hash as the flow identifier across all packets.

It is true that for network multi-pathing delivery order is only guaranteed per flow, and therefore replay detection must either be disabled or would needed to take this into account re-ordering between flows.

Cheers,

Paul  



-----Original Message-----
From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Paul Wouters
Sent: Monday, November 1, 2021 8:27 PM
To: Panwei (William) <william.panwei@huawei.com>
Cc: ipsec@ietf.org; draft-pwouters-ipsecme-multi-sa-performance@ietf.org
Subject: Re: [IPsec] Comments on draft-pwouters-multi-sa-performance

On Fri, 29 Oct 2021, Panwei (William) wrote:

Hi William,

> Subject: [IPsec] Comments on draft-pwouters-multi-sa-performance

> I’ve read the recent version. This is an interesting solution. I think it should be adopted. Below are some comments.

Thnks for reading the draft and giving us feedback!

> 1.
> 
> The CPU_QUEUES notification value refers to the number of additional
> 
> resource-specific Child SAs that may be installed for this particular
> 
> TSi/TSr combination excluding the Fallback Child SA.
> 
> Is it necessary to limit the amount of additional SAs at the beginning 
> while TS_MAX_QUEUE can be used to reject the request of creating 
> additional SA at any time? In the virtualization scenario, the new VMs can be launched on-demand, in other words, it may be seen as the number of CPUs isn’t fixed, so maybe limiting the addition SAs at the beginning will damage the flexibility.

The limit is really a very high maximum number and not a very low number exactly matching CPUs. We had that at first, to try and optimize it but there were too many race conditions, eg with rekeying. So if you have a peer with 4 CPUs and a peer with 2 CPUs, you might just want to set the max to 8 or even 12. It is mostly meant to try and avoid doing CREATE_CHILD_SA's that are just doomed to failure anyway. So see it more as a resource cap that a strict physical limitation.

> 2.
> 
> The CPU_QUEUES notification payload is sent in the IKE_AUTH or
> 
> CREATE_CHILD_SA Exchange indicating the negotiated Child SA is a
> 
> Fallback SA.
> 
> Before additional SAs are created, is there any difference between 
> using this first/Fallback SA and using other normal SA? I think there is no difference. So maybe we don’t need to add this notification payload when creating the first SA.

the problem right now is that implementations often will discard an an older identical Child SA for the newest one. So one of the key intentions of the document is for the initiator/responder to clearly negotiate from the start they are going to be using Child SA's with identical Traffic Selectors and they want the older ones to stick around. Also, it is important that there is always 1 fallback Child SA that can be used on any CPU resource. So we really wanted to mark that one very clearly. For instance, if it becomes idle, it should NOT be deleted.

> When the initiator wants
> to create an additional SA, it can directly send the request with CPU_QUEUE_INFO notification payload.

It would be good to know from the responder if they support this and if they are willing to do this before doing the CREATE_CHILD_SA. And as I said above, to ensure both parties agree on which Child SA is the "always be present" fallback SA to ensure things like adding a new CPU always results in encrypted packets via the fallback SA.

> There are 3 ways that the
> responder may reply: 1) The responder doesn’t support/recognize this 
> notification, it will ignore this notification and reply as usual.

But there is no "as usual" for what happens to the older Child SA. Some implementations will allow it, some will only allow it if it has its own IKE SA, and some will just delete the old one. This is the ambiguity we are trying to address with the draft.

> 2) It supports this function and is willing to create the additional 
> SA, so it will reply with CPU_QUEUE_INFO notification too. 3) It supports this function, but it isn’t willing to create more additional SAs, so it will reply with TS_MAX_QUEUE.
> Therefore, it seems like that CPU_QUEUE_INFO and TS_MAX_QUEUE these 2 
> notifications are enough to use, and the draft can be simplified to only use these 2 notifications.

I hope I explained why we think some clear signal has its use. If you take your assumptions to the max, one would need no document at all, as the IKEv2 specification states there can be Child SAs that are duplicates or with overlapping IP ranges, so in theory, nothing is needed.

> 3.
> 
> Both peers send
> 
> the preferred minimum number of additional Child SAs to install.
> 
> First, I think sending the number of additional Child SAs is 
> unnecessary. Second, when using “minimum” here my first impression is 
> that it means 0, so in order to remove ambiguity I suggest just saying “the preferred number” (if you think sending the number is necessary).

The use of minimum is indicating what the peer needs. A peer with 4 CPUs does not prefer 4, it really prefers as many as the highest number of CPUs of the two peers - within reason. The preference is really a combination of what works best for the combination of the two peers.

Note the minimum is not about the minimum number required for functioning, but the minimum number to get optimum performance.

By indicating the minimum, both sides can pick the highest minimum and then allow a few more (for race conditions during rekeying).

> 4.
> 
> If a CREATE_CHILD_SA exchange request containing both a CPU_QUEUE_INFO 
> and a CPU_QUEUES notification is received, the responder MUST ignore 
> the CPU_QUEUE_INFO payload. If a CREATE_CHILD_SA exchange reply is 
> received with both CPU_QUEUE_INFO and CPU_QUEUES notifications, the 
> initiator MUST ignore the notification that it did not send in the 
> request.
> 
> I think there is ambiguity here. When the initiator sends the 
> CREATE_CHILD_SA exchange request containing both a CPU_QUEUE_INFO and 
> a CPU_QUEUES notification, and the responder also adds CPU_QUEUE_INFO 
> and CPU_QUEUES notifications in the reply, the initiator doesn’t know how to process with this situation, should the initiator ignore the CPU_QUEUE_INFO payload or notify an error to the responder?

We went back and forth on this a couple of times with the authors. We really wanted to keep it as simple as possible but also not be too pedantic. From a protocol point of view, we could say to just return an error like SYNTAX_ERROR, but that would cause the IKE SA and all its working Child SAs to also be torn down, and we wanted to avoid that so bugs in the performance implementation does not result in completely tunnel failures. Hence our phrasing of "just ignore X"
on both the initiator and responder.

We agree that a broken initiator with a broken responder leads to something broken. I think specifying how a broken initiator should respond to a broken responder is taking the Postel Principle a step too far? :)

Paul

v2.23.0 | Report a Bug | By Email