[IPsec] FW: New Version Notification for draft-ponchon-ipsecme-anti-replay-subspaces-00.txt

"Paul Ponchon (pponchon)" <pponchon@cisco.com> Mon, 24 October 2022 14:56 UTC

IronPort-PHdr: A9a23:pJQxKhFkeUzNzrnA7/hhzJ1GfiYY04WdBeZdwpYkircbdKOl8tyiOUHE/vxigRfPWpmT8PNLjefa8sWCEWwN6JqMqjYOJZpLURJWhcAfhQd1BsmDBAXyJ+LraCpvGsNEWRdl8ni3PFITFtz5YgjZo2a56ngZHRCsXTc=
IronPort-Data: A9a23:qblhJq7muepylA20Fqls1wxRtCXFchMFZxGqfqrLsTDasY5as4F+vmofX2jXO/6Ia2rwKIgna96xoUhT7JGHnIRkT1A+/Hg0Zn8b8sCt6fZ1gavT04J+FiBIJa5ex512huLocYZlFxcwmj/3auK79SQli/nRLlbBILes1h5ZFFcMpBgJ0XqPq8Zh6mJZqYDR7zGl4LsekOWHULOR4AOYB0pPg061RLyDi9yp0N8QlgRWifmmJzYynVFNZH4UDfnZw3cV3uBp8uCGq+brlNlV/0vD9BsrT9iiiLu+LwsBQ6XZOk6FjX8+t6qK20cZ4HdtlPdgcqNBNy+7iB3R9zx14M1Vspq7SQAvFqbNg+8aFRJfFkmSOIUfoO6cfCfn6ZPNp6HBWz62qxl0N2k3JZYV8c52DH1As/sCJ1gwgrqr7w6t6KiwRu8pjcM5IYy2eogeoXpnizreCJ4brVn4a/2izbdlMP0Y26iixcrjWvc=
IronPort-HdrOrdr: A9a23:pregvq5sBOVnVHQpSQPXwU+BI+orL9Y04lQ7vn2ZFiY6TiXIra+TdaoguSMc0AxhJU3I6urwRJVoIEmsv6KdhLNxAV7MZniehILFFvAB0WKm+UybJ8SczJ8R6U4DSdkHNDSYNzET5qyWgHjaLz9j+qj9zEnCv5a7854Zd3ANV0gW1XYfNu/0KDwSeCB2Qb4CULaM7MtOoDStPV4NaN6gO3UDV+/f4/XWiZPPe3c9dlIawTjLqQntxK/xEhCe0BtbeShI260e/W/MlBG8zrm/ssu81gTX2wbonttrcZrau5V+7f63+4gowwbX+0WVjUNaKv+/VQUO0aCSAZAR4ZzxSlkbToBOAjjqDx6ISFPWqnfdOXAVmjjfIZvyuwq7nSQ/LwhKTfapzLgpAyfx+g4uuspx37lM2H/cv51LDQnYlCC4/NTQUQp2/3DE6EbKvNRj+EC3a7FuHoN5vMga5gdYAZ0AFCX15MQuF/RvFtjV4LJTfUmBZ37Us2FzyJj0N05DVSuuUwwHoIiYwjJWlHd2ww8Rw9EehG4J8NY4R4Nf7+rJP6x0nPVFT9MQb6h6GOAdKPHHQlDlUFbJKiafMF7nHKYINzbErIP2+qw84KWwdJkB3PIJ6eD8uZNjxBsPkm7VeL+zNcdwg2DwqU2GLEfQ9v0=
From: "Paul Ponchon (pponchon)" <pponchon@cisco.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: New Version Notification for draft-ponchon-ipsecme-anti-replay-subspaces-00.txt
Thread-Index: AQHY57gEo4sMkI8IJUeAHk+MiltMaK4dodf4
Date: Mon, 24 Oct 2022 14:56:47 +0000
Message-ID: <DM6PR11MB4531E91C45B7E44F212DF849CB2E9@DM6PR11MB4531.namprd11.prod.outlook.com>
References: <166662303140.2807.4357443238363299404@ietfa.amsl.com>
In-Reply-To: <166662303140.2807.4357443238363299404@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: PRZZSDq6O5u8z6sgmCI00Abn+s+WvFW9kGQcApPj9sdV9/KWheMkFLo4OucdmmWRs1CDAO3HajNBhmeCNvQTHNyFZPp7IwTTuNoySKEPO2JqmJa0++rd191QdNRM+APRpNod+VyWe3Tm6sbawUr9by+VVnNWyER54yfMorjeMXtiPA5JVK//jFo3HcKi9opDYT9DftaszM7duY8Bo77aMOj1dACPftNdMdoz7Pf/xBm/MfFbPGF/vtbf/AveqMQuasdSKW2ShkZxfDVBYnX7bJGwT40YhZ1nL5QgGQi8jv6nN7s3amM9/zyePTzThk5N+EFeE4xdsvHo7C6I4PgWdP1/OfDPcBRNL44jx31L7XzmFYkRJnreu0Vd/rQe8SL7o2zkAVgtV9PtnVymbTUantlp5d9gIWKZtLA1CrorCW+JZnjoRW8cWQXb1xCFHDJLvp9afxPPiLsEfOAmoriyDMO1rvnbiIpDZQctqowRGvrWYfPeIEPoJ8ihKdUOd/cYioG9B5eC9+9wXtVizezcE97iRLMuPs5sxZRkwE3WhNxgw0sG05H9KCDRVcES0joadxqIUle8ZtNAJyN51PMjF62sw3v7X0gEpsGLRZKWbIj5pLqhM8dbj401XNuUWXW1mobx9e2sj/AbI0yGEtw2PwLRwUQWGENTMoB5FN2GtZuIiCTVEz5rwuvtxljS4GIMAIQxY9hcstW2negeOMrKAqNLhTEraXBWHi6S1L7sGjMIVZBKvNJnA83pmHYfUW9uELPPXpYnNNIZTgK0S+OXvjHx0aPaieidHTiW6hzRbo1kP9qUWzAXdqKO7ENet92ZRBKbsGQ/J46Z0bTXKGk1L/5WVSxfAwLm+2rQVmaElKzuvMkGu+X/oqnwi1bPHNpxKDF9eLTF3T39LA8Q0IHpQduqh8PvAvgAlMt4tHEdHxG+SdPmsLuWwtMnpuHN7nbDQW9rVb2wgHJPe37YftSyI/A4qAXSxh2QxEfKtV9BvPAD92zkj0gWsNPtHn0thLo8CbQHmqhfr+fo1wWcjIFrpNbNnA4+WR5nIgPyd//a/lViNoRmpB/1BKL4okGxcpOR9DNkdKJLGHjam/v/VVo3IoEmCR1Dlp/w7KDbcniEQwRnar8IqHRKV/+3k5dxxuyDZ5vFw6CHJDirTMC50jQmsFolRfH2amUw1o4XE590hnUHgEHcoI163KTDYPmb15cfyFcut34FG/hbyIcIAiZVtg+/2mYw/msFUoZfDNifdh0YLWmJablwEw4zgHfJOlVp/t4SvP1MT1H93l+B4xquDYZq8trs0AYhxBqpHukvw7aEjYSUshhBG3aNtnbJeYn+5rzjskF1wyDvCS//qbVz2wzBjBl/nwzm/KRYJldDE45IN806/Gyfok6PCdUYM5oCuyzwBNYpN5EadSMcKcGpolfE0STtg3grtmPzTzZ6d8Og0NfP4V2fFhi0YRFP8sS949/zc1HFfu785CmRHqJ5fPogi7klFXmMUn+Jbs4sGS7pL9x4EQT+eNVm+lXmlqfeVbFbOuEGyCgeygUJyTfkWUjRpfWbsiVnPe+qr7bcr/dYhLyzT+iu8yP/U+EBycKzS91EmJqlIEWfRvSlF7IAng==
Content-Type: multipart/alternative; boundary="_000_DM6PR11MB4531E91C45B7E44F212DF849CB2E9DM6PR11MB4531namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR11MB4531.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8eff70c1-3e11-4ce7-8d5c-08dab5cff997
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2022 14:56:47.6350 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Bco/YbcDR7m3gFSJzgUcq/sfGbPd9MsWhdn75AEjvmTcXuxH3JeOtl96BPbLyewCusU2kLv7UN5JoIlUEp2mAw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5048
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.227.252, xfe-rcd-004.cisco.com
X-Outbound-Node: rcdn-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ccgGEsIp3ByL8KU1HkIInnfL6og>
Subject: [IPsec] FW: New Version Notification for draft-ponchon-ipsecme-anti-replay-subspaces-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 14:58:30 -0000

Hello ipsecme,

We would like to notify the list that we just published a new draft (ieft-draft-pponchon-ipsecme-anti-replay-subspaces) and would kindly ask for the opportunity to present it in London in person.

We (the authors of this draft) are currently involved in the performance optimization of an IPsec stack deployed in some large SD-WAN networks. We have been observing performance and scalability challenges related to anti-replay, and believe the working group could propose a solution.

We recently became aware that the working group was investigating similar issues in the multi-sa draft (draft-pwouters-ipsecme-multi-sa-performance-04). We are very enthusiastic about that work, but believe that we have additional requirements, as well as operational experience, which might challenge the currently proposed solution. To summarize: We do need anti-replay to scale to multiple cores (as detailed in the multi-sa draft), but we also need packets to be sent across multiple paths and multiple QoS policies.

These problems add-up in showing anti-replay limitations. And using more Child SA comes with a significant performance degradation. We believe that the anti-replay mechanism itself could be improved to support all these use-cases. And that's what this draft is about.

We would appreciate any feedback and, again, would love to have the opportunity to present that work in London.

Thanks,

Paul, Mohsin, Pierre and Guillaume.

From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Date: Monday, 24 October 2022 at 16:50
To: Guillaume Solignac (gsoligna) <gsoligna@cisco.com>, Mohsin Shaikh (mohsisha) <mohsisha@cisco.com>, Paul Ponchon (pponchon) <pponchon@cisco.com>, Pierre Pfister (ppfister) <ppfister@cisco.com>
Subject: New Version Notification for draft-ponchon-ipsecme-anti-replay-subspaces-00.txt

A new version of I-D, draft-ponchon-ipsecme-anti-replay-subspaces-00.txt
has been successfully submitted by Paul Ponchon and posted to the
IETF repository.

Name:           draft-ponchon-ipsecme-anti-replay-subspaces
Revision:       00
Title:          IPsec and IKE anti-replay sequence number subspaces for multi-path tunnels and multi-core processing
Document date:  2022-10-24
Group:          Individual Submission
Pages:          11
URL:            https://www.ietf.org/archive/id/draft-ponchon-ipsecme-anti-replay-subspaces-00.txt
Status:         https://datatracker.ietf.org/doc/draft-ponchon-ipsecme-anti-replay-subspaces/
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ponchon-ipsecme-anti-replay-subspaces


Abstract:
   This document discusses the challenges of running IPsec with anti-
   replay in environments where packets may be re-ordered (e.g., when
   sent over multiple IP paths, traffic-engineered paths and/or using
   different QoS classes) as well as when processed on multiple cores.
   Different approaches to solving this problem are discussed, and a new
   solution based on splitting the anti-replay sequence number space
   into multiple different sequencing subspaces is proposed.  Since this
   solution requires support on both parties, an IKE extension is
   proposed in order to negotiate the use of the Anti-Replay sequence
   number subspaces.




The IETF Secretariat

[IPsec] FW: New Version Notification for draft-po… Paul Ponchon (pponchon)
Re: [IPsec] FW: New Version Notification for draf… Antony Antony