Re: [IPsec] Discussion of draft-pwouters-ipsecme-multi-sa-performance

Paul Wouters <paul@nohats.ca> Fri, 21 October 2022 13:56 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/g0ylYKf8hxtbtJS78l5ieDkrYJs>

On Oct 21, 2022, at 03:37, Steffen Klassert <steffen.klassert@secunet.com> wrote:
> 
> 
> Another possibility would be to use the same keymat on all
> percpu SAs

You cannot do that. You need to ensure unique IVs for AEAD, so you would need to subdivide the IV space. You would also still reach max operations on these SAs at different times, AND things like FIPS put an operational max count on the key usage, which you can’t do if the key is used by multiple different states.

Using different real child SAs was needed to ensure the cryptographic security properties.

Paul
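
The two problems raised in the reply above, modelled as an added example that is not part of the original thread or of the draft: it builds RFC 4106 style AES-GCM nonces (4-byte salt from the keymat plus 8-byte IV) for per-CPU SA states and counts (key, nonce) collisions and per-key usage. `PerCpuSa`, `scenario`, the 4-CPU/1000-packet sizes and the key bytes are assumptions constructed for the demonstration.

```python
import struct
from collections import Counter

def esp_gcm_nonce(salt: bytes, iv: int) -> bytes:
    """RFC 4106 nonce: 4-byte salt from the keymat || 8-byte per-packet IV."""
    return salt + struct.pack(">Q", iv)

class PerCpuSa:
    """Hypothetical model of one per-CPU SA state with its own IV counter."""
    def __init__(self, key, salt, cpu, cpu_bits=0):
        self.key, self.salt, self.cpu, self.cpu_bits = key, salt, cpu, cpu_bits
        self.counter = 0

    def next_nonce(self) -> bytes:
        self.counter += 1
        if self.counter >> (64 - self.cpu_bits):
            raise OverflowError("IV sub-space exhausted: rekey before sending")
        iv = self.counter
        if self.cpu_bits:  # subdivided IV space: top bits carry the CPU id
            iv |= self.cpu << (64 - self.cpu_bits)
        return esp_gcm_nonce(self.salt, iv)

def scenario(shared_keymat: bool, cpu_bits: int, cpus=4, packets=1000):
    """Return (reused (key, nonce) pairs, max packets protected under one key)."""
    sas = []
    for cpu in range(cpus):
        n = 0 if shared_keymat else cpu
        # Constructed keymat for the demo, not real key material.
        sas.append(PerCpuSa(bytes([n]) * 16, bytes([n]) * 4, cpu, cpu_bits))
    pairs, per_key = Counter(), Counter()
    for sa in sas:
        for _ in range(packets):
            pairs[(sa.key, sa.next_nonce())] += 1
            per_key[sa.key] += 1
    reuse = sum(c - 1 for c in pairs.values() if c > 1)
    return reuse, max(per_key.values())

if __name__ == "__main__":
    for label, args in [("shared keymat, independent counters", (True, 0)),
                        ("shared keymat, subdivided IV space", (True, 2)),
                        ("separate child SAs", (False, 0))]:
        reuse, ops = scenario(*args)
        print(f"{label}: nonce reuse={reuse}, max ops on one key={ops}, "
              f"ops seen by one state=1000")
```

In both shared-keymat cases each state counts only its own 1000 packets while the key has protected 4000, so no single state can enforce a per-key usage limit; only separate child SAs keep both the nonce uniqueness and the per-key count local to one state.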