Re: [IPsec] Comments on draft-pwouters-multi-sa-performance

Paul Wouters <paul@nohats.ca> Tue, 16 November 2021 18:11 UTC

Date: Tue, 16 Nov 2021 13:11:18 -0500
From: Paul Wouters <paul@nohats.ca>
To: Antony Antony <antony.antony@secunet.com>
cc: "Bottorff, Paul" <paul.bottorff@hpe.com>, "ipsec@ietf.org" <ipsec@ietf.org>, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, "draft-pwouters-ipsecme-multi-sa-performance@ietf.org" <draft-pwouters-ipsecme-multi-sa-performance@ietf.org>
In-Reply-To: <YZOu9m8YCekKIQV5@moon.secunet.de>
Message-ID: <53b3d77-19ee-c820-f6d3-a64a6ec7edd3@nohats.ca>
References: <cc0b5528e7c047e0a9073f637218f013@huawei.com> <3c525728-22e8-d5ef-f183-c2c9d622cc54@nohats.ca> <CS1PR8401MB11924248C78CF59B633D931EFE8E9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <YYt+iIbwjZuh4uSI@moon.secunet.de> <CS1PR8401MB1192E17A959F3010EEF24CEDFE989@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <YZOu9m8YCekKIQV5@moon.secunet.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/hlx8elpzTzxdXqVCAyB0BlormE8>

On Tue, 16 Nov 2021, Antony Antony wrote:

> When traffic arrives, the IPsec gateway computes the hash. If there is no SA for that hash index, use the Fallback SA and send a SADB_ACQUIRE to the IKE daemon. The IKE daemon will negotiate a new perPath SA for that index. Once a perPath SA is installed, the traffic will use that SA. The perPath SA uses UDP encapsulation, a unique src port + destination port.

Just to clarify further on what Antony said. You can imagine the
first fallback SA to use regular IKE and ending up using 4500 <-> 4500,
although a NAT might change the source port of course. For the perPath
SA, the IKE daemon picks a new source port to negotiate the
CREATE_CHILD_SA, and will use UDP ENCAPS on this new port. It of course
could also end up being NAT'ed, but it would be NAT'ed to a unique free
port. The IKE traffic goes over this source port to confirm the network
path is clean for this. And the IPsec flows are embedded in UDP, so all the
"flow"-acting mechanisms can work for you.

We could keep the IKE on its normal 4500 port, but then when we pick a
new source port for the new perPath SA, we are not guaranteed that path
can actually send UDP ENCAP traffic.

The changes to the spec are mostly to use/retain the new port and avoid
these new port based packets from "updating" the NAT port mistakenly.

Paul
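As an added example that is not part of the thread or of the draft, here is a small Python model of the dispatch Antony and Paul describe: hash the flow to an index, use the fallback SA (and send an ACQUIRE) when no perPath SA exists yet, install the negotiated SA on a fresh source port, and keep a NAT rewrite seen on a perPath port from touching the fallback SA's 4500 mapping. The bucket count, the 50000+ port range and keying NAT updates by the SA's local port are assumptions of the model, not from the draft.

```python
# Assumed model (not the draft's text): 8 hash buckets, perPath source ports
# allocated from 50000 upward, NAT-mapping updates keyed by each SA's local port.
import hashlib
from dataclasses import dataclass, field

IKE_PORT = 4500          # fallback SA and IKE SA stay on 4500 <-> 4500

@dataclass
class ChildSA:
    index: object        # hash bucket, or None for the fallback SA
    local_port: int      # UDP-encapsulation port this SA is bound to
    remote_port: int     # peer port as seen after any NAT

@dataclass
class Gateway:
    buckets: int = 8
    next_port: int = 50000
    fallback: ChildSA = field(default_factory=lambda: ChildSA(None, IKE_PORT, IKE_PORT))
    per_path: dict = field(default_factory=dict)   # index -> ChildSA
    acquires: list = field(default_factory=list)   # SADB_ACQUIRE indexes sent to IKE

    def path_index(self, flow):
        """Hash the flow 5-tuple to a perPath SA bucket."""
        digest = hashlib.sha256(repr(flow).encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.buckets

    def select_sa(self, flow):
        """Outbound: use the perPath SA if installed, else fallback + ACQUIRE."""
        idx = self.path_index(flow)
        if idx in self.per_path:
            return self.per_path[idx]
        if idx not in self.acquires:          # ask the IKE daemon only once
            self.acquires.append(idx)
        return self.fallback

    def install_per_path(self, idx):
        """IKE daemon completed CREATE_CHILD_SA from a fresh source port."""
        sa = ChildSA(idx, self.next_port, IKE_PORT)
        self.next_port += 1
        self.per_path[idx] = sa
        return sa

    def inbound_udp(self, local_port, peer_port):
        """Inbound ESP-in-UDP: a port change only updates the SA it arrived on."""
        for sa in [self.fallback, *self.per_path.values()]:
            if sa.local_port == local_port:
                sa.remote_port = peer_port
                return sa
        return None                           # unknown port: no SA updated
```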