Re: [IPsec] Discussion of draft-pwouters-ipsecme-multi-sa-performance
Paul Wouters <paul@nohats.ca> Mon, 17 October 2022 19:55 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 479EBC14CF0F for <ipsec@ietfa.amsl.com>; Mon, 17 Oct 2022 12:55:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K52IZohWyiTB for <ipsec@ietfa.amsl.com>; Mon, 17 Oct 2022 12:55:31 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9879EC14CF0B for <ipsec@ietf.org>; Mon, 17 Oct 2022 12:51:43 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4Mrngd3C0jz4B1; Mon, 17 Oct 2022 21:51:41 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1666036301; bh=ao9U+hHsY4asyz8V47YjiFIB8bRErkZ8lMv0vBIzesU=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=aOXxXko0BHl7WrE2beIHON9FPIEfHD1TP5uLXn7jnENcHHltBQRVsMLtKYCSqBu2B NM9Lf9csMUksdiyavQQ9Uu8Ky4HKyPG2T+HLXKSVAudXf96s2KjHJXGdRauS/b+azV +IrJWzWAnJuf1uNGAGFQj0ZvJuIBu/13m8dTxXGA=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id cQXdQNPRl06R; Mon, 17 Oct 2022 21:51:40 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 17 Oct 2022 21:51:40 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 77CF33F61E5; Mon, 17 Oct 2022 15:51:39 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 746B63F61E4; Mon, 17 Oct 2022 15:51:39 -0400 (EDT)
Date: Mon, 17 Oct 2022 15:51:39 -0400
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <smyslov.ietf@gmail.com>
cc: 'Steffen Klassert' <steffen.klassert@secunet.com>, 'Michael Richardson' <mcr+ietf@sandelman.ca>, 'IPsecME WG' <ipsec@ietf.org>
In-Reply-To: <03c901d8e232$3850ef20$a8f2cd60$@gmail.com>
Message-ID: <1ba3323-5fb1-8350-3acb-5d87ad8f2b16@nohats.ca>
References: <15eb01d8dd7e$fdf158e0$f9d40aa0$@gmail.com> <10861.1665504183@localhost> <161701d8dd8c$8d042a50$a70c7ef0$@gmail.com> <20221014101504.GI2602992@gauss3.secunet.de> <03c901d8e232$3850ef20$a8f2cd60$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/a66mtM_E7NN5SG-knCGnpSr06wo>
Subject: Re: [IPsec] Discussion of draft-pwouters-ipsecme-multi-sa-performance
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2022 19:55:35 -0000
On Mon, 17 Oct 2022, Valery Smyslov wrote: [leaving cache/linux implementation details to Steffen to answer] > Another issue that is not clear from the draft - > how per-CPU SAs are created. Consider the situation when > an outgoing packet is handled by a CPU > and there is no per-CPU Sa to handle it. Then, I assume, > the fallback SA is used. Yes. > My question - in this > case does this CPU additionally requests IKE > to create a per-CPU SA for it? Yes. In linux language, it would a per-CPU ACQUIRE to userland. > If so, then > what happens if the other side has indicated > that no more per-CPU SAs is allowed - > is it saved somewhere, so that future outgoing > packets handled by CPUs with no per-CPU SA, > don't trigger requests to create it anymore? I think this is implementation specific. You could install an temporary rule into the SPD that would give the fallback SA more priority than the per-CPU policy installed, so it wouldn't generate ACQUIRES for a while. Perhaps userland could also decide to terminate another per-CPU SA that is idle. Although I think the advised policy is stated to install at least one per-CPU SA per CPU (and allow a few more to catch any race conditions and rekeys). Clearly, if for part of the connection, you are using the fallback SA, you are running at suboptimal speed which is not a situation you should remain in. >> We don't require a fallback SA in the draft, we just recommend to have >> one. So in that sense, once created, all SAs live their own live. > > Hmm, my impression from reading the draft is that it is not so: > > Section 3: > > When negotiating CPU specific Child SAs, the first SA negotiated > either in an IKE_AUTH exchange or CREATE_CHILD_SA is called Fallback > SA. Indeed. The idea is that no matter what, you can encrypt the packets and send them, even if at sub-optimal speeds. We don't want packets to have to wait another RTT for the per-CPU SA to establish. That would cause a lot of issues (slow TCP retransmits, UDP application retransmits, etc). Once the first SA is up, you have a working IPsec tunnel and no more packets should be dropped or wait for SA's to establish. > The Fallback Child SA MUST NOT be deleted when idle, as > it is likely to be idle if enough per-CPU Child SAs are installed. > > I think that these BCP14 requirements make the fallback SA very special. Yes it does. It ensures there is a fully working (albeit slow) IPsec connection. Paul
- [IPsec] Discussion of draft-pwouters-ipsecme-mult… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Michael Richardson
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Steffen Klassert
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Steffen Klassert
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Michael Richardson
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Steffen Klassert
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Steffen Klassert
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Tero Kivinen
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Ponchon (pponchon)
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Guillaume Solignac (gsoligna)
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Tero Kivinen
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Tero Kivinen
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Valery Smyslov
- Re: [IPsec] Discussion of draft-pwouters-ipsecme-… Paul Wouters