IETF Logo Mail Archive

Re: [IPsec] Comments on draft-pwouters-multi-sa-performance

Paul Wouters <paul.wouters@aiven.io> Tue, 02 November 2021 03:26 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC7393A0978 for <ipsec@ietfa.amsl.com>; Mon, 1 Nov 2021 20:26:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HmIeAl-NOiB3 for <ipsec@ietfa.amsl.com>; Mon, 1 Nov 2021 20:26:39 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 515463A0976 for <ipsec@ietf.org>; Mon, 1 Nov 2021 20:26:39 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id w1so17105612edd.10 for <ipsec@ietf.org>; Mon, 01 Nov 2021 20:26:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:cc:subject:in-reply-to:message-id:references :mime-version; bh=9erj2GegFLK/t7SfEIP/ARGf6Tcep08kWouC5z3CxF4=; b=YCU4d2AtmBvM3cgk7bZlkyMG+tHlwBnytlz6qKPXLow/nSSVnYKAxjifMjb0iMhD8t Qm3O/GMPQSrpyiTWrBJpgkMlRBUtzon5hIExtI93Q0/kF7jhB5NdJDlA4+QNuoxN6SJc bAYoNYm6d7+IR3/7feJmT1CLLSDmBcCgsGKgI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:mime-version; bh=9erj2GegFLK/t7SfEIP/ARGf6Tcep08kWouC5z3CxF4=; b=Sk+S8XWlkGZFF1JIZzgW4ntQLkiT/D9Wta6sK/8Q6zgpgN6BDsVsf6ZYamLrcCl2bP 5Qa4sNe7t0cnPQRVFd452p6M2/6mG6R3qwGEiwMn8rL+XGmULt4YZHr3JRvrdamfUCPp sglieh7jchBaQiqTFtoeAQt34HTnqWpxBlBrBgXQiemDh/INW3YpqXSG3BJCe2E3h4jE NRVmYBlkZJMmSK3//u7ckBpTLB6yZaA9a55M0pKHY8Nk9+nKR0BDCWI2jJOyKJyhulIz I15Xa6wZ/g8xftt3sQzVur1/QD5nM90aFtOXwXcTmUu4lHD/CeN1pXQROG11TdI3zFz8 bfDw==
X-Gm-Message-State: AOAM531Xz0R6Qh8s+FX1ElMZgKKAqvaURPCA1QqwcWnpNHGe40qLZOFx uWhGsi5pnJHSneU/2qdeb2D8yw==
X-Google-Smtp-Source: ABdhPJx5Vdj4nl1YG57XqWOY+5yuX7FRcX1My4Y1s0WtTrn8rw9YXRIEu5aqvkPeHNDnP8MhJ5yW/A==
X-Received: by 2002:aa7:ccc1:: with SMTP id y1mr48133349edt.177.1635823596606; Mon, 01 Nov 2021 20:26:36 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id ec38sm7176353edb.40.2021.11.01.20.26.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 Nov 2021 20:26:36 -0700 (PDT)
Date: Mon, 01 Nov 2021 23:26:32 -0400
From: Paul Wouters <paul.wouters@aiven.io>
To: "Panwei (William)" <william.panwei@huawei.com>
cc: "draft-pwouters-ipsecme-multi-sa-performance@ietf.org" <draft-pwouters-ipsecme-multi-sa-performance@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <cc0b5528e7c047e0a9073f637218f013@huawei.com>
Message-ID: <3c525728-22e8-d5ef-f183-c2c9d622cc54@nohats.ca>
References: <cc0b5528e7c047e0a9073f637218f013@huawei.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1858192029-15858328-1635823596=:73832"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/WvVcado3LAGlzqosBdOKcYdqu3g>
Subject: Re: [IPsec] Comments on draft-pwouters-multi-sa-performance
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Nov 2021 03:26:44 -0000

On Fri, 29 Oct 2021, Panwei (William) wrote:

Hi William,

> Subject: [IPsec] Comments on draft-pwouters-multi-sa-performance

> I’ve read the recent version. This is an interesting solution. I think it should be adopted. Below are some comments.

Thnks for reading the draft and giving us feedback!

> 1.
> 
> The CPU_QUEUES notification value refers to the number of additional
> 
> resource-specific Child SAs that may be installed for this particular
> 
> TSi/TSr combination excluding the Fallback Child SA.
> 
> Is it necessary to limit the amount of additional SAs at the beginning while TS_MAX_QUEUE can be used to reject the request of
> creating additional SA at any time? In the virtualization scenario, the new VMs can be launched on-demand, in other words, it may be
> seen as the number of CPUs isn’t fixed, so maybe limiting the addition SAs at the beginning will damage the flexibility.

The limit is really a very high maximum number and not a very low number
exactly matching CPUs. We had that at first, to try and optimize it but
there were too many race conditions, eg with rekeying. So if you have
a peer with 4 CPUs and a peer with 2 CPUs, you might just want to set
the max to 8 or even 12. It is mostly meant to try and avoid doing
CREATE_CHILD_SA's that are just doomed to failure anyway. So see it
more as a resource cap that a strict physical limitation.

> 2.
> 
> The CPU_QUEUES notification payload is sent in the IKE_AUTH or
> 
> CREATE_CHILD_SA Exchange indicating the negotiated Child SA is a
> 
> Fallback SA.
> 
> Before additional SAs are created, is there any difference between using this first/Fallback SA and using other normal SA? I think
> there is no difference. So maybe we don’t need to add this notification payload when creating the first SA.

the problem right now is that implementations often will discard an
an older identical Child SA for the newest one. So one of the key
intentions of the document is for the initiator/responder to clearly
negotiate from the start they are going to be using Child SA's with
identical Traffic Selectors and they want the older ones to stick
around. Also, it is important that there is always 1 fallback Child
SA that can be used on any CPU resource. So we really wanted to mark
that one very clearly. For instance, if it becomes idle, it should
NOT be deleted.

> When the initiator wants
> to create an additional SA, it can directly send the request with CPU_QUEUE_INFO notification payload.

It would be good to know from the responder if they support this and if
they are willing to do this before doing the CREATE_CHILD_SA. And as I
said above, to ensure both parties agree on which Child SA is the
"always be present" fallback SA to ensure things like adding a new CPU
always results in encrypted packets via the fallback SA.

> There are 3 ways that the
> responder may reply: 1) The responder doesn’t support/recognize this notification, it will ignore this notification and reply as
> usual.

But there is no "as usual" for what happens to the older Child SA. Some
implementations will allow it, some will only allow it if it has its own
IKE SA, and some will just delete the old one. This is the ambiguity we
are trying to address with the draft.

> 2) It supports this function and is willing to create the additional SA, so it will reply with CPU_QUEUE_INFO notification
> too. 3) It supports this function, but it isn’t willing to create more additional SAs, so it will reply with TS_MAX_QUEUE.
> Therefore, it seems like that CPU_QUEUE_INFO and TS_MAX_QUEUE these 2 notifications are enough to use, and the draft can be
> simplified to only use these 2 notifications.

I hope I explained why we think some clear signal has its use. If you
take your assumptions to the max, one would need no document at all,
as the IKEv2 specification states there can be Child SAs that are
duplicates or with overlapping IP ranges, so in theory, nothing is
needed.

> 3.
> 
> Both peers send
> 
> the preferred minimum number of additional Child SAs to install.
> 
> First, I think sending the number of additional Child SAs is unnecessary. Second, when using “minimum” here my first impression is
> that it means 0, so in order to remove ambiguity I suggest just saying “the preferred number” (if you think sending the number is
> necessary).

The use of minimum is indicating what the peer needs. A peer with 4 CPUs
does not prefer 4, it really prefers as many as the highest number of
CPUs of the two peers - within reason. The preference is really a
combination of what works best for the combination of the two peers.

Note the minimum is not about the minimum number required for
functioning, but the minimum number to get optimum performance.

By indicating the minimum, both sides can pick the highest minimum and
then allow a few more (for race conditions during rekeying).

> 4.
> 
> If a CREATE_CHILD_SA exchange request containing both a
> CPU_QUEUE_INFO and a CPU_QUEUES notification is received, the
> responder MUST ignore the CPU_QUEUE_INFO payload. If a
> CREATE_CHILD_SA exchange reply is received with both CPU_QUEUE_INFO
> and CPU_QUEUES notifications, the initiator MUST ignore the
> notification that it did not send in the request.
> 
> I think there is ambiguity here. When the initiator sends the CREATE_CHILD_SA exchange request containing both a CPU_QUEUE_INFO and
> a CPU_QUEUES notification, and the responder also adds CPU_QUEUE_INFO and CPU_QUEUES notifications in the reply, the initiator
> doesn’t know how to process with this situation, should the initiator ignore the CPU_QUEUE_INFO payload or notify an error to the
> responder?

We went back and forth on this a couple of times with the authors. We
really wanted to keep it as simple as possible but also not be too
pedantic. From a protocol point of view, we could say to just return
an error like SYNTAX_ERROR, but that would cause the IKE SA and all
its working Child SAs to also be torn down, and we wanted to avoid
that so bugs in the performance implementation does not result in
completely tunnel failures. Hence our phrasing of "just ignore X"
on both the initiator and responder.

We agree that a broken initiator with a broken responder leads to
something broken. I think specifying how a broken initiator should
respond to a broken responder is taking the Postel Principle a step
too far? :)

Paul

v2.23.0 | Report a Bug | By Email