[IPsec] scalability questions for draft-sathyanarayan-ipsecme-advpn-03
Timo Teras <timo.teras@iki.fi> Fri, 07 February 2014 07:29 UTC
Return-Path: <timo.teras@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 550D61A05B7 for <ipsec@ietfa.amsl.com>; Thu, 6 Feb 2014 23:29:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ivB0k31f8W4t for <ipsec@ietfa.amsl.com>; Thu, 6 Feb 2014 23:29:19 -0800 (PST)
Received: from mail-la0-x234.google.com (mail-la0-x234.google.com [IPv6:2a00:1450:4010:c03::234]) by ietfa.amsl.com (Postfix) with ESMTP id 1E44F1A05AC for <ipsec@ietf.org>; Thu, 6 Feb 2014 23:29:18 -0800 (PST)
Received: by mail-la0-f52.google.com with SMTP id c6so2280363lan.25 for <ipsec@ietf.org>; Thu, 06 Feb 2014 23:29:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:date:from:to:subject:message-id:mime-version:content-type :content-transfer-encoding; bh=7wdWElZB2iNNzdKLSoOPok3wmrP7cSzGxCbXl+0O2PA=; b=U75iFeONhnBN/jENArTVbOMr4k/PGWBHHQpBc4aR/nGF9bK30kz2o184mrMq3As/6d gOnyILsN+wJi/WAEowk0WuiRncICEEyx5Vfn+e70HKKmQeKz5U+4vQfUGzdJW81jE0PQ rDbtu2WCTIb0aiLyyV9NwNFpQMBNwRU/h08Fil9UfgydTCy0JVaTx61AaRCQanIr3wGC WsmQDxiXLK+rpHvq+rlGcOoJCgxY6gNiE5bKc5BcJxc+cduxtP6ln7KO0D74CMFThzCt WwGWEqOut40RD9EwdsykCywwbIQvaCylZAR7fugQu79llX5zgPVfNL1CXY3mHGSRaQpq cG6g==
X-Received: by 10.153.3.2 with SMTP id bs2mr8760354lad.5.1391758157131; Thu, 06 Feb 2014 23:29:17 -0800 (PST)
Received: from vostro ([2001:1bc8:101:f402:21c:23ff:fefc:bf0b]) by mx.google.com with ESMTPSA id jf8sm3874109lbc.8.2014.02.06.23.29.16 for <ipsec@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 06 Feb 2014 23:29:17 -0800 (PST)
Sender: Timo Teräs <timo.teras@gmail.com>
Date: Fri, 07 Feb 2014 09:29:52 +0200
From: Timo Teras <timo.teras@iki.fi>
To: "<ipsec@ietf.org> WG" <ipsec@ietf.org>
Message-ID: <20140207092952.01039e7f@vostro>
X-Mailer: Claws Mail 3.9.3 (GTK+ 2.24.20; i486-alpine-linux-uclibc)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: [IPsec] scalability questions for draft-sathyanarayan-ipsecme-advpn-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2014 07:29:21 -0000
Hi, In addition to previous questions, I have few additional scalability concerns regarding draft-sathyanarayan-ipsecme-advpn-03. 1. Scaling hubs, and shortcut creation times If I have so many spokes (>1000) that single gateway node cannot handle feasibly simultaneous connectivity all of them. Appendix A.2. describes shows that in advpn shortcut establishment requires spoke to first connect to the next nearer 'shortcut suggester' with the specific SA, at least temporarily, before final shortcut. This implies that in worst case all short suggester gateways should be able to handle simultaneous connection to all non-suggester nodes to handle shortcut formation. So instead of suggesters requiring SA only for it's static set of clients, it must be scaled to handle SAs for *all* clients in the same domain. (As comparison, dmvpn forms shortcuts directly spoke-spoke even if there multiple hubs involved in between.) It does not sound feasible that to grow network, say every additional 500-1000 spokes, I would need to replace all the *core* locations to be faster so that they can handle the larger number of connections. Of course things work if it's assumed that it's not full mesh, but I'm not happy building architectures around assumptions that cannot be guaranteed. Or did I somehow misunderstand these implications? Any comments? This also means that I might need multiple SA negotiations for one shortcut which can be very CPU intensive. Additionally it limits the number of intermediate shortcut suggesters or the shortcut creation can take long amount of time (both wall and CPU). Do you have recommendations on how a complicated topology should be configured? What is the normal / recommended maximum amount of shortcut suggester nodes 'in a path from A to B' envisioned in this setup? 2. Scaling number of prefixes Suppose I have medium sized spokes A and B with 10 prefixes. This means they would need 10*10 SAs in the policy based approach. Additionally, if these cannot be "supernetted" as less prefixes on hub, each spoke would need another additional 10*10 SAs with the all of the hubs in path. To me this sounds like the CPU power need in spokes is not proportional to the number of _connected_ devices (as in dmvpn), but instead it is exponentially proportional to number of prefixes it communicates with (because of previous point, it needs these prefixes negotiated with all shortcut suggestors involved and the final spoke). Or did I misunderstand something? If the solution is to use routed mode: - do you have recommendations to when use which mode? - does it make sense to complicate things by specifying policy based mode at all if it does not scale? Thanks, Timo