IETF Logo Mail Archive

Re: [IPsec] Why ipsecme-anti-replay-subspaces is needed.

Daniel Xu <dxu@dxuuu.xyz> Fri, 15 December 2023 16:54 UTC

Return-Path: <dxu@dxuuu.xyz>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7696FC14F5F4 for <ipsec@ietfa.amsl.com>; Fri, 15 Dec 2023 08:54:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.806
X-Spam-Level:
X-Spam-Status: No, score=-2.806 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dxuuu.xyz header.b="CK+Piqut"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="5HYOSQF0"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9cHEECRkdMt8 for <ipsec@ietfa.amsl.com>; Fri, 15 Dec 2023 08:54:17 -0800 (PST)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5DCBC14CF1D for <ipsec@ietf.org>; Fri, 15 Dec 2023 08:53:37 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id C817D3200B18; Fri, 15 Dec 2023 11:53:34 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Fri, 15 Dec 2023 11:53:35 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dxuuu.xyz; h=cc :cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1702659214; x=1702745614; bh=tHdLypQGjy 4bDYvEZI6ypfQcDpd2bXlGHJV+Po4TqNU=; b=CK+PiqutRfCsj7cdcB4IpRKjwv 5MF33Z+H4d1aTVZUxFGMCy9I3YdLAdqW1m05PpRnJMT9W3dXRe4V5GIh6vYgK5eT uI/WuhiBs03CQzEqf7e3ceyWiLYHyGqZumG46wbfruWSh90+LTUMSgIu86rZs9bA cPQmDGSj2gLZukIbQ6uh4wcFmZyN8Cu7KH/Xhqyj4MEbMS2CeUGiB/nrweAvglLq xklpFcz5QGEiaQq2uIZskJ7svRzh8TSH4uGVl4w32EKGDwhJCPL2F+E4y2fzLlwH 2du/5tQivMedNH4u9tWg6W9qlmq5D84JaToJqB4UfJYb2mykEypgiX2BBQZw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1702659214; x=1702745614; bh=tHdLypQGjy4bDYvEZI6ypfQcDpd2 bXlGHJV+Po4TqNU=; b=5HYOSQF0Q4J90yAoRSnJOf+zXXkEBz+6M8CZvssTwbxX TzC54P9BvQTmYw7VkUURos3tIJPNBJszJTgAdETIWZkkK8g3Y/JaDpdgpVeWIMhy 6JJc6JI+3ckBl/skMecKGtRHK6rRsLGgivC1QuDVllhNkW4YEhNV2kAuGw8h4oON 3ZgPwc0lYIG/PTOdrFdj87mdESxk4ohDy8HqUknX2c3td5QuOfcPSxtHRlmsMX8q 2utGQLtdykqDf0MMI00+edSf9x31/J47OJKrmj6bf/O2n/UPVpA8XzZp4FlkjUPC BCjZLcKkjznltsTVEKsTOtj86xXmkBvKEgznJz4dKw==
X-ME-Sender: <xms:joR8ZQaReAe_0jnnjtv2fRas7f3ZUZoVHLhcIbUZSDvB3e1pFBx5Eg> <xme:joR8ZbY_H64jxPo-PVVFJJicC1-1dJB-Wgz5X-MeuBTeoU341IUNIydwSXUos4czu x3tv-HbrVvJagOx4w>
X-ME-Received: <xmr:joR8Za_8s739KeUhFCTbAxPnltBOLYmHMEbm7J9d3WlAQgyOuzYIJuJVIVSwRFa8iXRZ-SfDi704_iQ5kBUMhCxUO2duT7JzhYI3AjI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrvddtvddgleegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne gfrhhlucfvnfffucdlfeehmdenucfjughrpeffhffvvefukfhfgggtuggjsehttdfstddt tddvnecuhfhrohhmpeffrghnihgvlhcuighuuceougiguhesugiguhhuuhdrgiihiieqne cuggftrfgrthhtvghrnhepgeeuudeufeehledtgfegveevveefleetkeduvdevkeegudfh feehveduveeugeeunecuffhomhgrihhnpehrfhgtqdgvughithhorhdrohhrghenucevlh hushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegugihusegugihu uhhurdighiii
X-ME-Proxy: <xmx:joR8Zao833J5ZoLgQnB_ehJyLmA0e3E34mNOt7B3PIDB-dja6kYFvg> <xmx:joR8ZbpUiQ73X8xxkPrcVm9IWSwx4VHePPi6yXj473Xv46EpCYJBBg> <xmx:joR8ZYTL9npK7syzkxwB8DOcR4UiMqJUZ2cxtCNTIh7c8CS7mJEZOg> <xmx:joR8ZaRgvJypm0nCcYSFxkMq0_678HheobckniLTb5iDC-yWxuiP2Q>
Feedback-ID: i6a694271:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 15 Dec 2023 11:53:33 -0500 (EST)
Date: Fri, 15 Dec 2023 09:53:32 -0700
From: Daniel Xu <dxu@dxuuu.xyz>
To: "Pierre Pfister (ppfister)" <ppfister=40cisco.com@dmarc.ietf.org>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Message-ID: <4lkrgicwrm7xqv2mqyrqs5ucml2xku5nw5aufd45yvmsksiyhb@i6uw34hwdlt2>
References: <CO1PR11MB49461176E5106D8965E5610DDF86A@CO1PR11MB4946.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CO1PR11MB49461176E5106D8965E5610DDF86A@CO1PR11MB4946.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/SAYwRd-w5LPoQbLIDbXmzNdnx4A>
Subject: Re: [IPsec] Why ipsecme-anti-replay-subspaces is needed.
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2023 16:54:22 -0000

Hi Pierre,

On Mon, Dec 04, 2023 at 08:52:52AM +0000, Pierre Pfister (ppfister) wrote:
> Hi all,
> 
> 
> 
> I'd like to encourage a discussion here around why the solution described in draft-ponchon-ipsecme-anti-replay-subspaces is needed, and why draft-ietf-ipsecme-multi-sa-performance is not sufficient for us.
> 
> 
> 
> So far, we have received feedback from people supporting our work, and sharing the same need. I'd like to encourage those people to take part in this thread.
> 
> 
> 
> We have received pushbacks from Tero. But I am curious to know if other people share the same opinion, or not.
> 
> 
> 
> To bootstrap the conversation, I'd like to answer Tero's comment (from the recording, with little paraphrasing):
> 
> "Creating 144 IPsec SA should take less than tenth of a second. IKEv2 have windowing mode. With really big systems, creating more SAs is not an issue."
> 
> 
> 
> We unfortunately cannot afford to throw more cores at every scaling issue that we have. IPsec hardware is pretty much limited today by how many keys you can store. And IKEv2 by how many SAs you must negotiate (Big concern when PFS is enabled).
> 
> 
> 
> We need to establish peerings with 10k peers. All our control-plane daemons, routing protocols, IKEv2, must run on one or two cores to leave room for the actual data-plane features.
> 
> What exactly did you mean by "big systems" ?
> 
> 
> 
> To give a more concrete example:
> 
> 
> 
> One of the reasons for IKEv2 design was to support multiple traffic selectors per SA (See point 9 in https://www.rfc-editor.org/rfc/rfc7296#appendix-A). In IKEv1, the design was also to throw more SAs at the problem. Someone who needed multiple different traffic selectors would create multiple SAs. We are repeating the same historical mistake now but with cores instead of traffic selectors.
> 
> 
> 
> The multi-sa draft is not bad and surely solves some of the problems. However, it also emphasizes that we're back to the same issues as IKEv1 trying to solve our modern performance problems by adding more SAs.

[...]

I'm pretty new to this space, so apologies if my question is backwards
or irrelevant. 

How do subspaces interact with modern-ish hardware features like RSS?
IIUC in the literature they would say this protocol extension is not
self describing on the wire. So HW would not be able to look at the ESP
packet and be able to consistently map subspace flows to NIC queues. Unless
it starts intercepting IKE messages, right? Or control plane programs
the NIC in-band.

Also I'm wondering about cloud use cases like with AWS where AWS places
per-flow throughput limits. Currently all ESP flows (regardless of SPI
value) are accounted towards a single flow limit. They could (in theory)
have separate flow limits differentiated by SPI. But IIUC with subspaces
it would again mix the flows. And it would be odd if AWS allowed you to
inform their fabric of subspace usage.

So IMO (ignoring the IKE overhead conversation which I have no opinion on)
subspaces does not completely solve all the problems in this space where
from my PoV the multi-sa approach does.

Sorry again if this question is backwards -- maybe the point of
standardizing through IETF is to get entities like AWS or HW vendors to
do things differently.

Thanks,
Daniel

v2.23.0 | Report a Bug | By Email