IETF Logo Mail Archive

Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 20 March 2024 23:50 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F8E8C14F6BA for <ipsec@ietfa.amsl.com>; Wed, 20 Mar 2024 16:50:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id khmlMwhUiIZG for <ipsec@ietfa.amsl.com>; Wed, 20 Mar 2024 16:50:34 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46815C14F5FE for <ipsec@ietf.org>; Wed, 20 Mar 2024 16:50:33 -0700 (PDT)
Received: from dyas.sandelman.ca (unknown [IPv6:2001:67c:370:128:e298:6a8c:96f2:bfef]) by relay.sandelman.ca (Postfix) with ESMTPS id 0F0091F4A8; Wed, 20 Mar 2024 23:50:31 +0000 (UTC)
Authentication-Results: relay.sandelman.ca; dkim=pass (2048-bit key; secure) header.d=sandelman.ca header.i=@sandelman.ca header.b="Td1xj78g"; dkim-atps=neutral
Received: by dyas.sandelman.ca (Postfix, from userid 1000) id 69DEBA17CC; Thu, 21 Mar 2024 09:50:24 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=sandelman.ca; s=dyas; t=1710978624; bh=E2a8as9/xierJTb2CeaXPn8gM/Qj9Fqi9t7CjDqfGUo=; h=From:To:Subject:In-reply-to:References:Date:From; b=Td1xj78gWLvUQvos4rEB9KxG9jGFXAxKF9/UIfbVA0pm3ePdb90WRfNNHSe3SXRzs PdBkrTiCDkKCI+ZXUtDmB52K/g+OPahlh1vQYqoWwAOc9szIvfQ8K7WBj+l4GKBCjy LG6Z3hl38VwDqo1Dd94kQGzxZQxHD7rMQRbiVak1bpPS3JDQuk/sR/EYLvXqD30dy+ 1bnZOIq3PWJ7jSdMz8x2xOit7m6JNoJcqZ1rpsaQf/+bUoSY6+Z/8zrD7PXHBT0htH A5wpMgxPL8alKo++d/NBRIn3Sh0/xitaHkAvi71Iu7NxByFUHGlp5NtaxAVgcCD+iZ stbL2BBlOUGlQ==
Received: from dyas (localhost [127.0.0.1]) by dyas.sandelman.ca (Postfix) with ESMTP id 66CD8A0CBE; Thu, 21 Mar 2024 09:50:24 +1000 (AEST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Panwei (William)" <william.panwei@huawei.com>, "ipsec@ietf.org WG" <ipsec@ietf.org>
In-reply-to: <b7b44906db3240c78ee461bb8a95cebc@huawei.com>
References: <29bca8d122844180afc21cd6b353159a@huawei.com> <4C637D68-CD0C-47C1-8D34-36D01A2DBF1F@aiven.io> <e7bc176dafcd4a719b84842b685a9fc5@huawei.com> <c6dc7d13-2c1c-f5c7-290e-34a88a21d103@nohats.ca> <ZfP5SxlCueJ/aQt/@gauss3.secunet.de> <a80bed7fcd02445d8a75555b2764c3a4@huawei.com> <167439.1710926532@dyas> <b7b44906db3240c78ee461bb8a95cebc@huawei.com>
Comments: In-reply-to "Panwei (William)" <william.panwei@huawei.com> message dated "Wed, 20 Mar 2024 10:28:25 +0000."
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 21 Mar 2024 09:50:24 +1000
Message-ID: <178093.1710978624@dyas>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/b-ZvgCbhGb_wFocbpW9hPZtCjJA>
Subject: Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 23:50:38 -0000

Panwei (William) <william.panwei@huawei.com> wrote:
    > Hi Michael,

    >> > At yesterday's meeting, I think people basically understood and >
    >> accepted the problem statement itself, but also raised different >
    >> ideas regarding to the solutions.  We'll try to do more analysis > and
    >> comparison of possible solutions, including what you > suggested.
    >>
    >> I think that one thing that is unclear to me is whether the different
    >> RANs can tolerate that all the different traffic share the same *IKE*
    >> SA.

    wei> [Wei (William) Pan] We did consider this before. Sharing the same IKE
    wei> SA can partly release the pain, but not much.  Assuming there are N

The reason I ask is if you can *NOT* share the IKE SA, then one solution is
to just give each base station a bunch of IP addresses. N of them.
Given RFC1918 this might be limiting.  Given IPv6, a /64 per base station is
plenty.   The advantage of that is that rather than having a VPNID, one has a
source/destination pair per RAN.

How are the base stations connected?  Is it ethernet to the basestation?
Or do the base stations have direct fiber connections to each other?  What
does the physical connectivity look like?  I also wonder if there is a
metro-ethernet occuring, if the full mesh isn't overkill because the
metro-ethernet has other topological issues.  {This question is mostly just
for my full understanding}

    wei> the base station is deployed in a crowded area.  We got from the
    wei> customers that they want to double the number of operators sharing the
    wei> RAN. Therefore, this solution isn't scalable enough for this need and
    wei> future expansion.

What is the order of magnitude of N and M today?
2^4? 2^8? 2^16?

When you double, what is the starting order?

    >> The next level is whether or not they can tolerate being in the same
    >> CHILD SA.  We could put the "VPN ID" at another layer (inside the
    >> common tunnel), such as some kind of L3VPN, GRE, VXLAN.

    wei> [Wei (William) Pan] Do you mean first encapsulating the original
    wei> traffic into a tunnel that can carry the VPN info and then
    wei> encapsulating the tunneled traffic into the IPsec tunnel?  My initial
    wei> feeling is that there may be operational and maintenance
    wei> difficulties. We can have more thinking on this and reply later.

Yes, if you can tolerate the CHILD SA traffic being shared between all the
RANs, then having a new layer would let you scale without concern for IPsec.
You didn't answer that question: can they tolerate this?

Also, I think that this traffic is control plane traffic that allows for the
mobility of the devices attached to these base stations.  I don't know the
3GPP protocol names for that.

But, does it also include encapsulated end-customer traffic?
I would assume that each base station has an SA to connect it to each of the
RAN's concentrators.  L2TP or something like that.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*

v2.23.0 | Report a Bug | By Email