Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
Paul Wouters <paul.wouters@aiven.io> Tue, 05 March 2024 13:14 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B87EC14F6E1 for <ipsec@ietfa.amsl.com>; Tue, 5 Mar 2024 05:14:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F_2PetlDn7CH for <ipsec@ietfa.amsl.com>; Tue, 5 Mar 2024 05:14:24 -0800 (PST)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1BEBC14F6B3 for <ipsec@ietf.org>; Tue, 5 Mar 2024 05:14:24 -0800 (PST)
Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-5135540c40dso632199e87.3 for <ipsec@ietf.org>; Tue, 05 Mar 2024 05:14:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1709644463; x=1710249263; darn=ietf.org; h=to:in-reply-to:references:message-id:date:subject:mime-version:from :content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=s5AQiMGoODqCoh8Fw/jveY0HBdgSPH+jSCRdFLLK9aA=; b=X1IKiEPzUc3qs1MNWwaburVKyvm7mzwN9NmVrhSXV7FsriX3ffAalBCN6NPGlQQugb vIuj7wqGv952nZHr311WlPUClAQz1ZWZoAueYsxoSUarudDK8Ef7iOCha4a7QxMvpvVm G+Lv2WoZAaz70b4KZA4VI4S32jE6IWv5fLX/U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709644463; x=1710249263; h=to:in-reply-to:references:message-id:date:subject:mime-version:from :content-transfer-encoding:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=s5AQiMGoODqCoh8Fw/jveY0HBdgSPH+jSCRdFLLK9aA=; b=HA0xyCWc1U/tnWi+yG35aEdkzHybT7/gKdX0ZvRaXxq/5uluppq3Hu7NPcvc/6fPGL DKECybowIORgg5i9TqI4hkgrTmSrmgeYPyYUyHeDlPKT0csnDo5h7egv71rj27sSzhjx x3OsGUv1Z4lNA80iAfizx8LTJcWi4QPVNs20MxL+YPpViaz/z1DxLxpU/uSdTm2BDG+3 CDsR9rQnvkw43Bh68cbv1jObgtDYTvRhBKVYMkQvDGezvMJtHMhioqvqblsnTz4lPccn GVQAd0xKT+7pn6K6cwPmd8AKvpxa22wi/ojp2vVj1C/AAhKt7iPFeMbF3uH/vfxJmpG7 z0sQ==
X-Forwarded-Encrypted: i=1; AJvYcCXJLIwod5tS+mo25sGbHOQps34EgusZUfe7cg7dW2hkQv3R06Itgg/9dUHaj5AqtqCeJt5LgMgrUOack9KgTg==
X-Gm-Message-State: AOJu0Ywb6NTGdyfAOwF6J7OpRneAHVf6Ij1KfS+Q8Mna0j/goqiX4FXC r7BOqCLVZIo8tnktiD+McK4tTb0hMGzHY3w99DKYPBdI0NSMfxPc/bgdGzN/3WkMDHfx3+yaOUS 0BYMnIu92qeeiquZ0Y+q3XVl788nWDzsfehLqN4QwdnvlVD2meAcpxgmaW+OJZNaeJmWzzRKiiz Ybw8FElBhouTqfIKoJYs4DkRGpLW6Al77pDg==
X-Google-Smtp-Source: AGHT+IGyQ75RUDXuxI0g1i9E/CCBBLsT5Wl5oC0KMCasq4Cj3ePoNG+4NrP+Eb2h+6XBeMBNeZufcQ==
X-Received: by 2002:a05:6512:3055:b0:513:4ecd:23 with SMTP id b21-20020a056512305500b005134ecd0023mr1581952lfb.7.1709644462561; Tue, 05 Mar 2024 05:14:22 -0800 (PST)
Received: from smtpclient.apple ([74.122.52.94]) by smtp.gmail.com with ESMTPSA id ef5-20020a17090697c500b00a449cb924dbsm4696466ejb.124.2024.03.05.05.14.22 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 05 Mar 2024 05:14:22 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Paul Wouters <paul.wouters@aiven.io>
Mime-Version: 1.0 (1.0)
Date: Tue, 05 Mar 2024 08:14:07 -0500
Message-Id: <4C637D68-CD0C-47C1-8D34-36D01A2DBF1F@aiven.io>
References: <29bca8d122844180afc21cd6b353159a@huawei.com>
In-Reply-To: <29bca8d122844180afc21cd6b353159a@huawei.com>
To: "Panwei (William)" <william.panwei=40huawei.com@dmarc.ietf.org>, "ipsec@ietf.org WG" <ipsec@ietf.org>
X-Mailer: iPhone Mail (21D61)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/s3HyHsZbP8JQS1dzYEgI7MfNJqA>
Subject: Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 13:14:28 -0000
Initial thought while having morning coffee. I can see how you want an extra SPD selector for the VPN ID - but maybe call it Namespace ID or something else as VPN ID is confusing. Your gateway that needs to support say 256 VPN IDs could split up its SPI range so it can detect which VPN to send it to based on SPI range ? That would need no ESP changes. In linux terms that would mean you “mark” the skbuf with the VPN ID to steer it into the right place before/after decrypting / encrypting. In Linux you could also use the “labeled IPsec” to label the packet with the VPN ID. It would require you keep track of the SPI bundle of the SA, but again in Linux terms you could use marking of packets based on keeping a list of peer SPIs per VPN ID. Usually, hardware offload and queueing looks at some (hash of) IP properties (eg port numbers or SPI). This might interfere but since you have many tunnels that might not matter? The VPN ID could be done via notify instead of new traffic selector. Or you could add a new traffic selector type of just the VPN ID instead of copying and extending the existing v4/v6 types - similar to RFC 9478. Paul Sent using a virtual keyboard on a phone > On Mar 5, 2024, at 03:55, Panwei (William) <william.panwei=40huawei.com@dmarc.ietf.org> wrote: > > Hi folks, > > We've encountered a real problem when using IPsec in the Multi-VPN environment. > We find that separate IPsec tunnels (i.e., different IKE SAs and different Child SAs) are needed for each VPN to distingue the traffic from different VPNs. > But, due to the number of peer devices and the number of VPNs increases, the number of IPsec tunnels needed is also explosively growing and exceeds the device's capacity. > > Therefore, we are considering whether different VPNs can share the use of the same IPsec tunnel, i.e., the same IKE SA and Child SA. > We've prepared a draft to present the problem and our considerations: https://datatracker.ietf.org/doc/draft-he-ipsecme-vpn-shared-ipsecsa/ > > We'd like to get comments and feedback from you experts. Thanks a lot in advance. > > Regards & Thanks! > Wei PAN (潘伟) > > -----Original Message----- > From: I-D-Announce <i-d-announce-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org > Sent: Monday, March 4, 2024 3:30 PM > To: i-d-announce@ietf.org > Subject: I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt > > Internet-Draft draft-he-ipsecme-vpn-shared-ipsecsa-00.txt is now available. > > Title: Shared Use of IPsec Tunnel in a Multi-VPN Environment > Authors: Qi He > Wei Pan > Xiaolan Chen > Beijing Ding > Name: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt > Pages: 18 > Dates: 2024-03-03 > > Abstract: > > In a multi-VPN environment, currently, different IPsec tunnels (i.e., > different IKE SAs and Child SAs) have to be created to differentiate > and protect the traffic of each VPN between the device and its peer. > When the number of neighbors of a device and the number of VPNs > increases, the number of IPsec tunnels also increases considerably. > This results in the need for a large number of SAs, which exceeds the > device's capacity. > > This document proposes a method for different VPNs to share the use > of a single IPsec tunnel, which can greatly reduce the number of SAs > required in a multi-VPN scenario. > > The IETF datatracker status page for this Internet-Draft is: > https://datatracker.ietf.org/doc/draft-he-ipsecme-vpn-shared-ipsecsa/ > > There is also an HTML version available at: > https://www.ietf.org/archive/id/draft-he-ipsecme-vpn-shared-ipsecsa-00.html > > Internet-Drafts are also available by rsync at: > rsync.ietf.org::internet-drafts > > > _______________________________________________ > I-D-Announce mailing list > I-D-Announce@ietf.org > https://www.ietf.org/mailman/listinfo/i-d-announce > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Paul Wouters
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Paul Wouters
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Steffen Klassert
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Michael Richardson
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Michael Richardson