Re: [IPsec] Questions for draft-ponchon-ipsecme-anti-replay-subspaces

"Pierre Pfister (ppfister)" <ppfister@cisco.com> Mon, 23 October 2023 12:32 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/WxByrZ4dI2NYhW2EydDNBZefOx4>

Hello Aseem,

Apologies for the late reply.

Section 4.2 doesn't really go into full detail regarding subspace ID selection because it would really depend on the implementation. Some uses of the subspaces are for cases with many cores, others for many paths, others for QoS, or a combination of these. There could be one subspace allocated per (core, path, QoS) combination, but that can end up being a lot of subspaces. Implementations could use a reduced set of subspaces and distribute over them using round-robin or hashing. We felt adding too much detail there would unnecessarily complicate the standard with implementation-specific details.

In the particular case of QoS, you could for instance use one subspace per QoS class. The receiver would be able to process packets from different QoS classes out-of-order without causing any anti-replay detection failure.

Thanks
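
The per-QoS-class case described above, modelled as an added example (not part of the original message, the draft or any implementation): the same priority-first reordering is run against one shared sequence space and against one subspace per QoS class. Packets are modelled as (QoS class, subspace ID, sequence number) tuples rather than the draft's wire format; the window size, subspace count, traffic pattern and all names are assumptions.

```python
from collections import defaultdict

WINDOW = 4         # assumed, deliberately small replay window per subspace
MAX_SUBSPACES = 2  # assumed stand-in for the negotiated number of subspaces

class ReplayWindow:
    """Sliding-window anti-replay state for one sequence-number space."""
    def __init__(self, size):
        self.size, self.top, self.bitmap = size, 0, 0  # bit i set: top-i seen

    def accept(self, seq):
        if seq < 1:
            return False
        if seq > self.top:                       # newer: slide the window
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                         # too old, or already seen
        self.bitmap |= 1 << offset
        return True

class Receiver:
    """One independent replay window per subspace ID."""
    def __init__(self, subspaces, window=WINDOW):
        self.windows = [ReplayWindow(window) for _ in range(subspaces)]

    def accept(self, subspace, seq):
        # IDs must lie between 0 and <max negotiated subspaces> - 1.
        if not 0 <= subspace < len(self.windows):
            return False
        return self.windows[subspace].accept(seq)

def send(qos_classes, use_subspaces):
    """Sender: one counter per subspace; subspace = QoS class when enabled."""
    counters, out = defaultdict(int), []
    for qos in qos_classes:
        sub = qos if use_subspaces else 0
        counters[sub] += 1
        out.append((qos, sub, counters[sub]))
    return out

def priority_first(packets):
    """Constructed reordering: class 0 overtakes class 1 (stable sort)."""
    return sorted(packets, key=lambda p: p[0])

def run(use_subspaces):
    """Return (packets wrongly rejected, receiver state) for sample traffic."""
    traffic = [1, 0] * 8   # constructed: alternating bulk (1) / priority (0)
    rx = Receiver(MAX_SUBSPACES if use_subspaces else 1)
    arrived = priority_first(send(traffic, use_subspaces))
    drops = sum(not rx.accept(sub, seq) for _, sub, seq in arrived)
    return drops, rx

if __name__ == "__main__":
    print("single sequence space:", run(False)[0], "legitimate packets dropped")
    print("one subspace per class:", run(True)[0], "legitimate packets dropped")
```

With the shared sequence space the small window rejects legitimate bulk packets that were overtaken by priority traffic; with one subspace per class nothing is rejected, while a repeated (subspace, sequence number) pair is still refused.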


From: Aseem Choudhary <achoudhary@aviatrix.com>
Date: Friday, 6 October 2023 at 23:10
To: Paul Ponchon (pponchon) <pponchon@cisco.com>, draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org <draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org>
Cc: ipsec@ietf.org <ipsec@ietf.org>
Subject: Re: Questions for draft-ponchon-ipsecme-anti-replay-subspaces

Hi Paul,

Further to this discussion, section 4.2 “Sender Behavior” doesn’t talk about how the subspace ID will be calculated. For example, for QoS, how can a unique subspace ID be mapped to a queue ID with some of the QoS pipeline procedures (classification, shaping, etc.)? I think section 4.2 should describe it a bit. But, if not in section 4.2, can it be described in section 6 and, for the implementation, in some more detail in section 6.2?
For some of the QoS solutions (like local video CAC (https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-4/qos/configuration/guide/b-qos-cg-asr9000-64x/b-qos-cg-asr9000-64x_chapter_01010.html) with redirect), the queue may be selected based on availability of bandwidth.

Also, section 4.6 talks about per-QoS-queue, per-path and per-core, but section 6 only mentions multi-path and multi-core.

Describing more on QoS behavior will certainly help.



-thanks,

Aseem


From: Aseem Choudhary <achoudhary@aviatrix.com>
Date: Monday, August 14, 2023 at 10:55 AM
To: Paul Ponchon (pponchon) <pponchon@cisco.com>, draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org <draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org>
Cc: ipsec@ietf.org <ipsec@ietf.org>
Subject: Re: Questions for draft-ponchon-ipsecme-anti-replay-subspaces
Thanks Paul, appreciate your response!

From: Paul Ponchon (pponchon) <pponchon@cisco.com>
Date: Monday, August 14, 2023 at 10:00 AM
To: Aseem Choudhary <achoudhary@aviatrix.com>, draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org <draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org>
Cc: ipsec@ietf.org <ipsec@ietf.org>
Subject: Re: Questions for draft-ponchon-ipsecme-anti-replay-subspaces

Hi Aseem,
Thanks for your questions.

1. Yes, you're correct, there is still reordering potentially happening between the endpoints of the tunnel. However, the intention behind using the subspace is to limit the potential reordering of packets at the tunnel endpoints. By assigning packets to specific subspaces based on factors such as CPU core or QoS, the aim is to manage and mitigate the reordering within each subspace, thereby improving the utilisation of multiple cores and QoS classes at the endpoint. The reordering happening in between the endpoints is less easily controllable and, just like with using an SA today, would be handled by the replay window of each subspace, but they don’t need to be very big.

2. At the moment, we are leaning towards not splitting the subspace for CPU and QoS, as this could introduce unnecessary complexity and overhead in maintaining and managing unused subspaces. We however don’t impose any constraint on how to use the subspace IDs as long as they are between 0 and <max negotiated subspaces> - 1. We are actively exploring the best approach to distributing the subspaces between sender and receiver. Any insights or suggestions from the community on this matter would be highly appreciated.

3. While we haven't implemented this solution with strongSwan, we are currently working on an implementation for the IPsec stack of VPP. We have updated the latest version of the draft to reflect what we found during the implementation. While the main focus remains on defining a proper way to distribute subspaces to maximise the performance and compatibility aspects in the open-source implementation.

Thank you for your feedback and questions. We appreciate your interest and welcome any additional input or insights you may have.
Paul

Aseem Choudhary <achoudhary@aviatrix.com> writes:

Hello Authors,

Thanks for writing the document. It is good work!

A few questions:

1. Looks like packet mapping to subspaces either for the CPU core or QoS or combination is tunnel source local decision. Since packet along the path can be marked/remarked reclassified, mapped to different queues, reordering is still possible.

2. Since subspace is 16 bit, any plan/suggestion favor/against to split space for CPU and QoS?

3. Any implementation experience/plan with strongSwan?

-thanks,
Aseem