Re: [IPsec] IPsecME WG Adoption call for draft-pwouters-ipsecme-multi-sa-performance

Steffen Klassert <steffen.klassert@secunet.com> Wed, 23 November 2022 06:36 UTC

Date: Wed, 23 Nov 2022 07:36:31 +0100
From: Steffen Klassert <steffen.klassert@secunet.com>
To: Daniel Migault <mglt.ietf@gmail.com>
CC: "Panwei (William)" <william.panwei=40huawei.com@dmarc.ietf.org>, Tero Kivinen <kivinen@iki.fi>, "ipsec@ietf.org" <ipsec@ietf.org>
Message-ID: <20221123063631.GI424616@gauss3.secunet.de>
References: <25451.58560.690380.833165@fireball.acr.fi> <0fa86a3b220940f2abdd310ec9b829f2@huawei.com> <CADZyTkk6tuUgTZuivJNkj20tOqJreVu+hRFfuL=3w1wFqikcPQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/gFvLpqWc4CDKOIm5eXPscNzsk6M>
Subject: Re: [IPsec] IPsecME WG Adoption call for draft-pwouters-ipsecme-multi-sa-performance

On Tue, Nov 22, 2022 at 04:58:55PM -0500, Daniel Migault wrote:
> This draft is missing an important part which is the actual negotiation
> of the multiple SAs. A peer willing to set these multiple SAs will have to
> negotiate them anyway. Some implementations can
> handle parallel CREATE_CHILD_SA others cannot and the negotiation of
> multiple SAs might take a very long time, at least a time that is not
> acceptable to high performance tunnels. Since these child SAs need to be
> created, the one willing to the multiple SAs can simply start and stop when
> the responder says stop. In terms of IKEv2 the gains are minimal. The
> document may add a mechanism similar to address that:
> https://datatracker.ietf.org/doc/draft-mglt-ipsecme-multiple-child-sa/

I'm one of the authors of the above mentioned draft and the draft
we are discussing here.

Speaking as an author of the above mentioned draft:

This draft was a first attempt to solve the multi cpu SA case.
The mechanism to install all child SAs once that was used there
was seen as too complex, given that the number of cpus is
not too high. So it should be possible to either create
separate parallel child SAs, or create them on demand when
traffic pops up on a certain cpu.

The draft we discuss here takes this into account and
reduces the complexity to a minimum.

> However, draft-ponchon-ipsecme-anti-replay-subspaces addresses all of these
> issues nicely and provides a much more scalable solution. It basically
> makes -IMO - both -multiple-child-sa and -multi-sa-performance obsolete.

I disagree here. The multi-sa-performance draft just adds two IKE
notifications, so no architectural changes. This is the 'low hanging
fruit', it can be done independent of any changes to ESP.

The anti-replay-subspaces draft does architectural changes to ESP,
this needs more work.

> My suggestion is that -multi-sa-performance is being moved to experimental
> and almost shipped as it is so the work being achieved is documented. This
> has been some interesting work, but today, I would like the group to spend
> more cycles on draft-ponchon-ipsecme-anti-replay-subspaces that I consider
> more promising.

I already proposed to work on an ESP-v4 version, and this draft should
definitely be considered there. But the discussion about ESP-v4 should
be open, and not focused on this particular proposal.