Re: [IPsec] FW: New Version Notification for draft-ponchon-ipsecme-anti-replay-subspaces-00.txt
Antony Antony <antony@phenome.org> Fri, 04 November 2022 10:42 UTC
Return-Path: <antony@phenome.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8EE0C14F726 for <ipsec@ietfa.amsl.com>; Fri, 4 Nov 2022 03:42:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.905
X-Spam-Level:
X-Spam-Status: No, score=-6.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kpnmail.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ydn7Xxr7tw2g for <ipsec@ietfa.amsl.com>; Fri, 4 Nov 2022 03:42:23 -0700 (PDT)
Received: from ewsoutbound.kpnmail.nl (ewsoutbound.kpnmail.nl [195.121.94.184]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AD54C14F73F for <ipsec@ietf.org>; Fri, 4 Nov 2022 03:42:21 -0700 (PDT)
X-KPN-MessageId: 5af8d31e-5c2d-11ed-bd66-005056994fde
Received: from smtp.kpnmail.nl (unknown [10.31.155.5]) by ewsoutbound.so.kpn.org (Halon) with ESMTPS id 5af8d31e-5c2d-11ed-bd66-005056994fde; Fri, 04 Nov 2022 11:42:18 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kpnmail.nl; s=kpnmail01; h=content-type:mime-version:message-id:subject:to:from:date; bh=PDt7qthIzqwcv6rKcTjgan3lZg2b96lIIz1qAHmrf2I=; b=ZNS3L3+zIF6FfrfzY2KcXKvvSn9LVCfCvOWAFqo1y66UwCRNjppPCPwkyar/op01u9mXZ7SqJ6Hkb QMczQjVl9Q1iPGWtsZImeXo6z5kedG/qJm28zmtly2wNvzNu8/TiUmeSaZLJxDaKjtsJVALW1xnxgN y3t1qc4MrSd/lfyI=
X-KPN-MID: 33|0aMSwj6CHt6+GO4Of1/Qby6zUS7rNY88c54EUE1U2C8eeQHKJw4AnJ3XKJjRgJL iSkt/IKLu8K5XA0l69tq9VdZLo2d2qlU1EPuA4x7tkHY=
X-KPN-VerifiedSender: No
X-CMASSUN: 33|oPXZZl13NL0lSXfrQyfgjo6NpsQTjceCBWbORcDzDsCEdy3E/uwWRmkvtc77V4y S37ymmL9QMOqnuKzQ4XdrKw==
X-Originating-IP: 109.144.25.67
Received: from Antony.local (unknown [109.144.25.67]) by smtp.xs4all.nl (Halon) with ESMTPSA id 59c3a7ed-5c2d-11ed-9b31-00505699b758; Fri, 04 Nov 2022 11:42:18 +0100 (CET)
Date: Fri, 04 Nov 2022 11:42:16 +0100
From: Antony Antony <antony@phenome.org>
To: "Paul Ponchon (pponchon)" <pponchon=40cisco.com@dmarc.ietf.org>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Message-ID: <Y2TsiD1wlMC+9dzj@Antony.local>
References: <166662303140.2807.4357443238363299404@ietfa.amsl.com> <DM6PR11MB4531E91C45B7E44F212DF849CB2E9@DM6PR11MB4531.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <DM6PR11MB4531E91C45B7E44F212DF849CB2E9@DM6PR11MB4531.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/XM3eQQf4r47rL8ykJShbvwl07kU>
Subject: Re: [IPsec] FW: New Version Notification for draft-ponchon-ipsecme-anti-replay-subspaces-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2022 10:42:26 -0000
Hi Paul,
This is an interesting draft. I feel there is room for this and
pwouters-ipsecme-multi-sa-performance:)
How would a receiver, a NIC in a typical X86 scenario, steer IPsec packets
to different CPUs? The document mentions the following text and I would like
to read more details.
"On reception, the 5-tuple based packet steering would provide a
decent level of load-balancing between threads, since different IP
paths would use different 5-tuples."
What would be the 5 tuple to steer an ESP packet?
Would the sender use ESP in UDP? In that case would the different subspace
send with different UDP port to get entropy for the NIC?
Would the ESP sequence number, the first 8 bits be used for steering the
flow?
Another possibility I imagine is a hardware that decapsulate ESP and then
use 5 tuple of the inner packet to steer to CPUs.
regards,
-antony
On Mon, Oct 24, 2022 at 02:56:47PM +0000, Paul Ponchon (pponchon) wrote:
> Hello ipsecme,
>
> We would like to notify the list that we just published a new draft (ieft-draft-pponchon-ipsecme-anti-replay-subspaces) and would kindly ask for the opportunity to present it in London in person.
>
> We (the authors of this draft) are currently involved in the performance optimization of an IPsec stack deployed in some large SD-WAN networks. We have been observing performance and scalability challenges related to anti-replay, and believe the working group could propose a solution.
>
> We recently became aware that the working group was investigating similar issues in the multi-sa draft (draft-pwouters-ipsecme-multi-sa-performance-04). We are very enthusiastic about that work, but believe that we have additional requirements, as well as operational experience, which might challenge the currently proposed solution. To summarize: We do need anti-replay to scale to multiple cores (as detailed in the multi-sa draft), but we also need packets to be sent across multiple paths and multiple QoS policies.
>
> These problems add-up in showing anti-replay limitations. And using more Child SA comes with a significant performance degradation. We believe that the anti-replay mechanism itself could be improved to support all these use-cases. And that's what this draft is about.
>
> We would appreciate any feedback and, again, would love to have the opportunity to present that work in London.
>
> Thanks,
>
> Paul, Mohsin, Pierre and Guillaume.
>
> From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> Date: Monday, 24 October 2022 at 16:50
> To: Guillaume Solignac (gsoligna) <gsoligna@cisco.com>, Mohsin Shaikh (mohsisha) <mohsisha@cisco.com>, Paul Ponchon (pponchon) <pponchon@cisco.com>, Pierre Pfister (ppfister) <ppfister@cisco.com>
> Subject: New Version Notification for draft-ponchon-ipsecme-anti-replay-subspaces-00.txt
>
> A new version of I-D, draft-ponchon-ipsecme-anti-replay-subspaces-00.txt
> has been successfully submitted by Paul Ponchon and posted to the
> IETF repository.
>
> Name: draft-ponchon-ipsecme-anti-replay-subspaces
> Revision: 00
> Title: IPsec and IKE anti-replay sequence number subspaces for multi-path tunnels and multi-core processing
> Document date: 2022-10-24
> Group: Individual Submission
> Pages: 11
> URL: https://www.ietf.org/archive/id/draft-ponchon-ipsecme-anti-replay-subspaces-00.txt
> Status: https://datatracker.ietf.org/doc/draft-ponchon-ipsecme-anti-replay-subspaces/
> Htmlized: https://datatracker.ietf.org/doc/html/draft-ponchon-ipsecme-anti-replay-subspaces
>
>
> Abstract:
> This document discusses the challenges of running IPsec with anti-
> replay in environments where packets may be re-ordered (e.g., when
> sent over multiple IP paths, traffic-engineered paths and/or using
> different QoS classes) as well as when processed on multiple cores.
> Different approaches to solving this problem are discussed, and a new
> solution based on splitting the anti-replay sequence number space
> into multiple different sequencing subspaces is proposed. Since this
> solution requires support on both parties, an IKE extension is
> proposed in order to negotiate the use of the Anti-Replay sequence
> number subspaces.
>
>
>
>
> The IETF Secretariat
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] FW: New Version Notification for draft-po… Paul Ponchon (pponchon)
- Re: [IPsec] FW: New Version Notification for draf… Antony Antony