Re: [IPsec] Questions for draft-ponchon-ipsecme-anti-replay-subspaces

Aseem Choudhary <achoudhary@aviatrix.com> Mon, 30 October 2023 03:31 UTC

From: Aseem Choudhary <achoudhary@aviatrix.com>
To: "Pierre Pfister (ppfister)" <ppfister@cisco.com>, "Paul Ponchon (pponchon)" <pponchon@cisco.com>, "draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org" <draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Questions for draft-ponchon-ipsecme-anti-replay-subspaces
Thread-Index: AQHZznvw3YK9W6++MEKLvhHk3j6Rh6/qA1KJgAAPn/CAU25kyoAaOoVZgAHAYDE=
Date: Mon, 30 Oct 2023 03:30:54 +0000
Message-ID: <MW3PR11MB469703DDF586BF97899B6CFBABDFA@MW3PR11MB4697.namprd11.prod.outlook.com>
References: <MW3PR11MB4697F948E5F548FE4A1E6590AB17A@MW3PR11MB4697.namprd11.prod.outlook.com> <DM6PR11MB453129152AC683BA4AE8464FCB17A@DM6PR11MB4531.namprd11.prod.outlook.com> <MW3PR11MB46974F028FF777DBB7549E80AB17A@MW3PR11MB4697.namprd11.prod.outlook.com> <MW3PR11MB46979276CAF14F280B003ABFABC9A@MW3PR11MB4697.namprd11.prod.outlook.com> <CO1PR11MB4946E68CAB01ACAD9A0EA159DFD8A@CO1PR11MB4946.namprd11.prod.outlook.com>
In-Reply-To: <CO1PR11MB4946E68CAB01ACAD9A0EA159DFD8A@CO1PR11MB4946.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ixBl1ChMkU5IW4HamXnpuIPb1L0>
Subject: Re: [IPsec] Questions for draft-ponchon-ipsecme-anti-replay-subspaces
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Oct 2023 03:31:05 -0000

Hi Pierre,

Thanks for the response! This solution simplifies quite a bit.
I hope to see an adoption call soon.

-thanks,
Aseem

From: Pierre Pfister (ppfister) <ppfister@cisco.com>
Date: Monday, October 23, 2023 at 5:31 AM
To: Aseem Choudhary <achoudhary@aviatrix.com>, Paul Ponchon (pponchon) <pponchon@cisco.com>, draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org <draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org>
Cc: ipsec@ietf.org <ipsec@ietf.org>
Subject: Re: Questions for draft-ponchon-ipsecme-anti-replay-subspaces
Hello Aseem,

Apologies for the late reply.

Section 4.2 doesn't really go into full detail regarding subspace ID selection because it would really depend on the implementation. Some uses of the subspaces are for cases with many cores, others for many paths, others for QoS, or a combination of these. There could be one subspace allocated per core/path/QoS combination, but that can end up being a lot of subspaces. Implementations could use a reduced set of subspaces and distribute over them using round-robin or hashing. We felt adding too much detail there would unnecessarily complicate the standard with implementation-specific details.

In the particular case of QoS, you could for instance use one subspace per QoS class. The receiver would be able to process packets from different QoS classes out-of-order without causing any anti-replay detection failure.

Thanks


From: Aseem Choudhary <achoudhary@aviatrix.com>
Date: Friday, October 6, 2023 at 11:10 PM
To: Paul Ponchon (pponchon) <pponchon@cisco.com>, draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org <draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org>
Cc: ipsec@ietf.org <ipsec@ietf.org>
Subject: Re: Questions for draft-ponchon-ipsecme-anti-replay-subspaces
Hi Paul,

Further to this discussion, section 4.2 “Sender Behavior” doesn’t talk about how the subspace ID will be calculated. For example, for QoS, how a unique subspace ID can be mapped to a queue ID with some of the QoS pipeline (classification, shaping etc.) procedures. I think section 4.2 should describe it a bit. But if not in section 4.2, can it be described in section 6 and, for the implementation, in some more detail in section 6.2?
For some of the QoS solutions (like local video CAC <https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-4/qos/configuration/guide/b-qos-cg-asr9000-64x/b-qos-cg-asr9000-64x_chapter_01010.html> with redirect), the queue may be selected based on availability of bandwidth.


Also, section 4.6 talks about per-QoS-queue, per-path and per-core, but section 6 only mentions multi-path and multi-core.

Describing more on QoS behavior will certainly help.



-thanks,

Aseem


From: Aseem Choudhary <achoudhary@aviatrix.com>
Date: Monday, August 14, 2023 at 10:55 AM
To: Paul Ponchon (pponchon) <pponchon@cisco.com>, draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org <draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org>
Cc: ipsec@ietf.org <ipsec@ietf.org>
Subject: Re: Questions for draft-ponchon-ipsecme-anti-replay-subspaces
Thanks Paul, appreciate your response!

From: Paul Ponchon (pponchon) <pponchon@cisco.com>
Date: Monday, August 14, 2023 at 10:00 AM
To: Aseem Choudhary <achoudhary@aviatrix.com>, draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org <draft-ponchon-ipsecme-anti-replay-subspaces.authors@ietf.org>
Cc: ipsec@ietf.org <ipsec@ietf.org>
Subject: Re: Questions for draft-ponchon-ipsecme-anti-replay-subspaces

Hi Aseem,
Thanks for your questions.

1. Yes, you're correct that there is still reordering potentially happening between the endpoints of the tunnel. However, the intention behind using the subspaces is to limit the potential reordering of packets at the tunnel endpoints. By assigning packets to specific subspaces based on factors such as CPU core or QoS, the aim is to manage and mitigate the reordering within each subspace, thereby improving the utilisation of multiple cores and QoS classes at the endpoint. The reordering happening in between the endpoints is less easily controllable and, just like with using an SA today, would be handled by the replay window of each subspace, but they don’t need to be very big.

2. At the moment, we are leaning towards not splitting the subspace for CPU and QoS, as this could introduce unnecessary complexity and overhead in maintaining and managing unused subspaces. We however don’t impose any constraint on how to use the subspace IDs as long as they are between 0 and <max negotiated subspaces> - 1. We are actively exploring the best approach to distributing the subspaces between sender and receiver. Any insights or suggestions from the community on this matter would be highly appreciated.

3. While we haven't implemented this solution with strongSwan, we are currently working on an implementation for the IPsec stack of VPP. We have updated the latest version of the draft to reflect what we found during the implementation. The main focus remains on defining a proper way to distribute subspaces to maximise the performance and compatibility aspects in the open-source implementation.

Thank you for your feedback and questions. We appreciate your interest and welcome any additional input or insights you may have.
Paul

Aseem Choudhary <achoudhary@aviatrix.com> writes:

Hello Authors,

Thanks for writing the document. It is good work!

Few questions:


1. It looks like packet mapping to subspaces, either for the CPU core or QoS or a combination, is a tunnel-source local decision. Since packets along the path can be marked/remarked/reclassified and mapped to different queues, reordering is still possible.

2. Since the subspace is 16 bit, any plan/suggestion in favor of/against splitting the space between CPU and QoS?

3. Any implementation experience/plan with strongSwan?

-thanks,
Aseem
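
The mechanism the thread is discussing (one anti-replay window per subspace, with the subspace chosen per QoS class, so that reordering between classes does not trip replay detection), as an added example that is not part of the messages above, the draft, or the authors' VPP implementation. Everything here is an assumption made for illustration: the subspace ID is placed in the upper 16 bits of a 64-bit sequence number and the per-subspace counter in the lower 48 bits (the draft defines the actual layout); the constructed traffic alternates EF and BE packets and holds every BE packet back by a fixed number of slots, as a strict-priority queue would; the window size is 64. Real ESP carries only the low 32 bits of the ESN on the wire, and recovering the high bits is not modelled. The receiver drops any subspace ID at or above the negotiated maximum, as Paul's reply describes.

```python
"""Anti-replay subspaces: one sliding window per subspace vs. one window per SA.

Added illustration, not code from the draft, its authors, or VPP.
Assumed layout: 16-bit subspace ID in the high bits of a 64-bit sequence number,
48-bit per-subspace counter in the low bits.
"""

SEQ_BITS = 64                            # assumption: full ESN-style 64-bit sequence number
SUBSPACE_BITS = 16                       # 16-bit subspace ID, as mentioned in the thread
COUNTER_BITS = SEQ_BITS - SUBSPACE_BITS
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def encode_seq(subspace_id: int, counter: int) -> int:
    """Assumed layout: subspace ID in the high bits, per-subspace counter in the low bits."""
    if not 0 <= subspace_id < (1 << SUBSPACE_BITS):
        raise ValueError("subspace ID out of range")
    if not 1 <= counter <= COUNTER_MASK:
        raise ValueError("per-subspace counter exhausted: rekey")
    return (subspace_id << COUNTER_BITS) | counter


def decode_seq(seq: int) -> tuple:
    """Split a 64-bit sequence number into (subspace_id, counter)."""
    return seq >> COUNTER_BITS, seq & COUNTER_MASK


class ReplayWindow:
    """RFC 4303 style sliding bitmap: bit i set means counter (top - i) was seen."""

    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0                     # highest counter accepted so far; counters start at 1
        self.bitmap = 0

    def check_and_update(self, counter: int) -> bool:
        """Accept and record a counter if it is new and not older than the window."""
        if counter > self.top:
            shift = counter - self.top
            if shift < self.size:        # slide forward, keep what is still in view
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:                        # jumped past the whole window: start fresh
                self.bitmap = 1
            self.top = counter
            return True
        diff = self.top - counter
        if diff >= self.size:
            return False                 # older than the window: drop
        if self.bitmap & (1 << diff):
            return False                 # already seen: replay
        self.bitmap |= 1 << diff
        return True


class SubspaceReceiver:
    """One independent window per negotiated subspace; un-negotiated IDs are dropped."""

    def __init__(self, num_subspaces: int, window: int = 64):
        self.windows = [ReplayWindow(window) for _ in range(num_subspaces)]

    def accept(self, seq: int) -> bool:
        sid, counter = decode_seq(seq)
        if sid >= len(self.windows):
            return False                 # ID must be in 0 .. max negotiated subspaces - 1
        return self.windows[sid].check_and_update(counter)


class SubspaceSender:
    """Sender keeping one counter per subspace (here: one subspace per QoS class)."""

    def __init__(self, num_subspaces: int):
        self.counters = [0] * num_subspaces

    def next_seq(self, subspace_id: int) -> int:
        self.counters[subspace_id] += 1
        return encode_seq(subspace_id, self.counters[subspace_id])


def simulate(num_packets: int = 400, be_delay: int = 100, window: int = 64) -> tuple:
    """Constructed traffic: EF and BE packets alternate; each BE packet is held back
    `be_delay` slots behind EF traffic. Returns (drops with a single window over the
    SA, drops with one window per subspace)."""
    classes = ("EF", "BE")
    sub_sender = SubspaceSender(len(classes))
    legacy_counter = 0
    stamped = []
    for i in range(num_packets):
        cls = i % 2                                   # 0 = EF, 1 = BE
        legacy_counter += 1                           # one shared counter, stamped before queuing
        release = i + (be_delay if classes[cls] == "BE" else 0)
        stamped.append((release, i, legacy_counter, sub_sender.next_seq(cls)))
    stamped.sort()                                    # order in which the receiver sees them

    legacy_rx = ReplayWindow(window)
    sub_rx = SubspaceReceiver(len(classes), window)
    legacy_drops = sum(not legacy_rx.check_and_update(seq) for _, _, seq, _ in stamped)
    sub_drops = sum(not sub_rx.accept(seq) for _, _, _, seq in stamped)
    return legacy_drops, sub_drops


if __name__ == "__main__":
    legacy, sub = simulate()
    print(f"single window: {legacy} false replay drops; per-subspace windows: {sub}")
```

With the default parameters the single shared window drops most BE packets as stale, because each one arrives after EF packets whose counters are about 100 ahead of it, while the per-subspace receiver drops nothing, since each class's counters arrive in order within their own window; with a delay smaller than the window neither receiver drops anything, which is the "they don't need to be very big" point. The cost shown by `encode_seq` is that each subspace's counter space is smaller than the SA's, so rekeying is triggered by the busiest subspace rather than by the SA total.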