Re: [IPsec] AD Review of draft-ietf-ipsecme-multi-sa-performance-05
Paul Wouters <paul.wouters@aiven.io> Wed, 20 March 2024 09:50 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 669F0C14F6F6 for <ipsec@ietfa.amsl.com>; Wed, 20 Mar 2024 02:50:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4K7b_Y4d_1Kk for <ipsec@ietfa.amsl.com>; Wed, 20 Mar 2024 02:50:30 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F651C14F6AA for <ipsec@ietf.org>; Wed, 20 Mar 2024 02:50:30 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id 38308e7fff4ca-2d21cdbc85bso96167501fa.2 for <ipsec@ietf.org>; Wed, 20 Mar 2024 02:50:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1710928228; x=1711533028; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=GSZL3RCMitIRIkpEKOqYYtkyr5TmwNXKqULSjNORaaU=; b=HYQ22X5qtHNu2iXc+yCmKpgQFbBmDnfFIpMBzw34KCbuzXAxwtKmSKL0CrzlQskPOH oorgowVFIFUAQe2ADN5/u0R3wWsBKK7XMmjZHXlckVlkYoniNjXI7MAsbvMRSvAP03GP uhTZkuSZP3Bdl74/9k+uerp+I+gsfYlxUqr5A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710928228; x=1711533028; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=GSZL3RCMitIRIkpEKOqYYtkyr5TmwNXKqULSjNORaaU=; b=hcAA2WhL+nfxlkLV073YfadUrZZQnBWj6/vdO/3oY5EHI3dWJ93WJAmYQkOqeGFEG4 HEws4TY9t6OQyoSwbhVrtgO1MLU4LPBDdT74OKDVkycBMWETwPdv+XIrg/mG8YzMaipU Li2tRKOBDhEEbaq4raQZXgYch7WnNoKCOnh6aEaBFNLxUqXx0J3krn4XHmGcAIIicpca FKtYOjuiFKM9XLeI0Hl3/XBOlWKdVtE80qfEbA8a2f7rQVVKlXIc6KCvFuLMbo+cX0k0 TLw25asWVpfPtB7CQUcSIqp31QFGk1VkncDFfdefRLSHQS3SQxRNJ8ahPmSySPN2CkiC 9t+Q==
X-Forwarded-Encrypted: i=1; AJvYcCXIQp4gskOmcVOxnJJO8fnxR5JiIwg1w42XoYDVWwWoyJjUDKhPq2sG+I5J0PJ5u2ny+p0U8JUE/1qbSurzwg==
X-Gm-Message-State: AOJu0Yz2LlKdFFEgXgMOK5W8cvx4PKhNnY+bHpHtI67fofrBuWjkwnzg 6Nbze8t+8nlTjLCqM+aCJauwuHe846rnxeDTyDiKAcqL7Ri4PLt7AXpv+91YJdNJziIW88go1Lt LqnLQUh42N100nB5LEjqopYmpF9GvqLqoN4gfdR9kBkBQkytIApUYmeBbAbQZML1NJGipzrUOmb CayjPrbP6snD/WoMuA29Hn6V5JUuUyvdFhuA==
X-Google-Smtp-Source: AGHT+IHrJGXzE2tbUcvrX/pViIREVIEd/E7qSVWtf6z9YJI8sDAfy0BzX79XO5x+8jONJMmwTqKwhg==
X-Received: by 2002:a05:651c:2127:b0:2d6:8ce2:87d5 with SMTP id a39-20020a05651c212700b002d68ce287d5mr1246727ljq.18.1710928227713; Wed, 20 Mar 2024 02:50:27 -0700 (PDT)
Received: from smtpclient.apple ([161.38.216.8]) by smtp.gmail.com with ESMTPSA id l4-20020a170902d34400b001dd63a468c7sm13110735plk.292.2024.03.20.02.50.26 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 20 Mar 2024 02:50:27 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Paul Wouters <paul.wouters@aiven.io>
Mime-Version: 1.0 (1.0)
Date: Wed, 20 Mar 2024 19:50:15 +1000
Message-Id: <A9E54898-AC8F-4726-805B-57554564D394@aiven.io>
References: <BN2P110MB1107AC8AA10D8303A655EC43DC33A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Cc: Paul Wouters <paul@nohats.ca>, ipsec@ietf.org
In-Reply-To: <BN2P110MB1107AC8AA10D8303A655EC43DC33A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
To: Roman Danyliw <rdd@cert.org>
X-Mailer: iPhone Mail (21D61)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/jHb0HTLLA5NEB8yn1YymvwSMXXQ>
Subject: Re: [IPsec] AD Review of draft-ietf-ipsecme-multi-sa-performance-05
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 09:50:34 -0000
All of these were resolved in -06 Paul Sent using a virtual keyboard on a phone > On Mar 20, 2024, at 15:33, Roman Danyliw <rdd@cert.org> wrote: > > Hi! > > Thanks for the quick response. Below is a bit more editorial back-and-forth for small number of issues. All of the other discussion removed from the thread made sense for the future -06 that can go to IETF LC. > >> -----Original Message----- >> From: Paul Wouters <paul@nohats.ca> >> Sent: Wednesday, March 20, 2024 12:26 AM >> To: Roman Danyliw <rdd@cert.org> >> Cc: ipsec@ietf.org >> Subject: Re: [IPsec] AD Review of draft-ietf-ipsecme-multi-sa-performance-05 >> >> Warning: External Sender - do not click links or open attachments unless you >> recognize the sender and know the content is safe. >> >> >>> On Tue, 19 Mar 2024, Roman Danyliw wrote: >>> >>> I performed an AD review of draft-ietf-ipsecme-multi-sa-performance-05. I >> have a mostly editorial feedback below: >>> > > [snip] > >> And answering that: >> >> Most IPsec implementations are currently limited to using one >> hardware queue or a single CPU resource for a Child SA. Paralyzing >> the packet encryption can be done, but there is a bottleneck of >> different parts of the hardware locking or waiting to get their >> sequence number assigned for the packet it is enrypting. The >> result is that a machine with many such resources is limited to >> only using one of these resources per Child SA. This severely >> limits the throughput that can be attained. For example, at the >> time of writing, an unencrypted link of 10Gbps or more is commonly >> reduced to 2-5Gbps when IPsec is used to encrypt the link using >> AES-GCM. By using the implementation specified in this document, >> aggregate throughput increased from 5Gbps using 1 CPU to 40-60 >> Gbps using 25-30 CPUs. > > Maybe s/Paralyzing the packet encryption/Running packet steam encryption in parallel/ > > Also. s/enrypting/encrypting/. > > Otherwise, LGTM. > > [snip] > >>> ** Section 4. Is this section normative? Why are RFC2119 key words used in >> an example? >> >> Why do you say this is an example? It is the Implementation Considerations >> section telling you to do or do not some things? > > ==[ snip ]== > There are various considerations that an implementation can use to > determine the best way to install multiple Child SAs. Below are > examples of such strategies. > ==[ snip ]== > > I inferred this text to be non-normative and only examples because the second sentence said these were "examples". Maybe just drop that second sentence to eliminate confusion? > >>> ** Section 6. >>> Peers SHOULD be lenient with the maximum number of Child SAs they >>> allow for a given TSi/TSr combination to account for corner cases. >>> >>> What does “lenient” mean here? >> >> "account for corner cases" as explained further done? >> >> Eg one should not use a hard max of 4 when one runs on a 4-CPU system. > > Consider if "flexible" is what you want here instead. > > Roman > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] AD Review of draft-ietf-ipsecme-multi-sa-… Roman Danyliw
- Re: [IPsec] AD Review of draft-ietf-ipsecme-multi… Paul Wouters
- Re: [IPsec] AD Review of draft-ietf-ipsecme-multi… Roman Danyliw
- Re: [IPsec] AD Review of draft-ietf-ipsecme-multi… Paul Wouters