Re: [IPsec] FW: New Version Notification for draft-liu-ipsecme-ikev2-rekey-redundant-sas-00.txt
Daniel Migault <mglt.ietf@gmail.com> Tue, 30 November 2021 13:21 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80CAE3A12B0 for <ipsec@ietfa.amsl.com>; Tue, 30 Nov 2021 05:21:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZHTLs0EDWDVo for <ipsec@ietfa.amsl.com>; Tue, 30 Nov 2021 05:21:27 -0800 (PST)
Received: from mail-ua1-x92f.google.com (mail-ua1-x92f.google.com [IPv6:2607:f8b0:4864:20::92f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D86323A125D for <ipsec@ietf.org>; Tue, 30 Nov 2021 05:21:26 -0800 (PST)
Received: by mail-ua1-x92f.google.com with SMTP id y5so41272622ual.7 for <ipsec@ietf.org>; Tue, 30 Nov 2021 05:21:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zqw2RaHJXsibW+VY9V1YiFg6BRikZ/qXGm7M3pU1H1g=; b=Ad8FvOSsjQQwuyf3tWg95kp4kAgNv7EF9AAF7ZKKuvOu4v6O9iH5O7lKNk1gNKX+Di tGvMJmpXL/qnNyjv2IbcgunQkKjTO8dqRaFiqcPklPedSmsuiUkTEtchnVXcz1PbKaPs VjNLhU/GK5JFbW+sac8Go49HJ0VfrmsCy6pOOQLX+jC1wcHZiZ91NaobYf48Fmf5w4Lr n6S8BtafO63r+cN/Jn45TNSHP4HUwGBWwRm3vIHPlhS3FxChc5+BiMolOduXvU+/ezPa DpydUi7vH+bUKE4L1g412Anag+Krob0da2OQN/BQnFwJJLeFDQqVeyY9tg/ErGpPt8EA sU3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zqw2RaHJXsibW+VY9V1YiFg6BRikZ/qXGm7M3pU1H1g=; b=KSJ6FEGXifsZEWeUGnDnAFMMpreE7x7iyc7r6jtkGuoi9VxCaZZAYSH/Kc8OUuWClA yK7SqGJxO9GlQo8SBWegrIe7Voer+fHlenbco1oGcp4bzkaa8oonTL34OpveGmFzA8Mx 1D5HFqUTSlO9MxFNQoFO9gZpouVIhLGBeHqZ6qL56zCaQ4NoQ3Zs9x5TjUGcWNyDjktR zU1EvfdfBjJlbM2mwXMWqHhkj+makLD47Zqa/SaBy6/ljWWJiqLUU7Sc4amtVFoadN7t PfcqLyuMTL3EYBxHHWF7VJf+hS85P4u17O3JVlMuDil1bejwAFnHb60f+8TbmXdEzOu0 BHrQ==
X-Gm-Message-State: AOAM532m5yx52y979N7tjO0wa37UKCVx+8oeqSw4RSOwqitOOHsMeh/u IAQ3KttlfnXcfeqqvA4fpUNSZItIYJEqg93xKBg=
X-Google-Smtp-Source: ABdhPJzlSdwrsh9gcxpWHnmnCwhXHUCq9Fa08UtyKYjynW1u1MBi1oi8JonxmUXMl4BA1zwc3KquKVSJROtM8CFVp8Q=
X-Received: by 2002:a05:6102:32cd:: with SMTP id o13mr40558197vss.23.1638278485452; Tue, 30 Nov 2021 05:21:25 -0800 (PST)
MIME-Version: 1.0
References: <163756302647.16358.8631436336190852796@ietfa.amsl.com> <AM6PR07MB6056A9CCECA59F8035D04543EB9F9@AM6PR07MB6056.eurprd07.prod.outlook.com> <fc922cce-fdf2-62c1-8b66-588886479864@nohats.ca> <AM6PR07MB6056906966D25383E9B61D31EB619@AM6PR07MB6056.eurprd07.prod.outlook.com> <c0ad1622-c9f7-448e-b3d8-aa17e47acc1@nohats.ca> <1a7d01d7e14b$b79aeee0$26d0cca0$@gmail.com>
In-Reply-To: <1a7d01d7e14b$b79aeee0$26d0cca0$@gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 30 Nov 2021 08:21:14 -0500
Message-ID: <CADZyTkmmfyG9mqU+BaMSW1Jz9uDWJT7z-eVvCKwA45FAWsu59w@mail.gmail.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, Harold Liu <harold.liu=40ericsson.com@dmarc.ietf.org>, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002b2a9e05d2016fa3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/s_DygKsP-iQlr84eOoxT8iQpIJA>
Subject: Re: [IPsec] FW: New Version Notification for draft-liu-ipsecme-ikev2-rekey-redundant-sas-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 13:21:32 -0000
Hi, Thank you all for the comments. I believe there is a misunderstanding of the resource issue we are facing, so please find below a more detailed description. The resource in question is neither related to the CPU nor the memory, nor the bandwidth as comments seem to suggest but instead related to the number of table entries that perform the IPsec processing that varies between 720 to 4000 depending on the hardware chip. When gateways rekey at the same time, ephemeral SAs are created in the table entry and are filling the entries of the table which means, if we consider the worst case scenario, only half of the table entries can be used. In our cases, using the 4000 entry table, leaving 400 unused entries is not sufficient to prevent legitimate SA from being created and so the hardware is not used at its full capacity. We are proposing a determinist mechanism to address this issue. The general idea is that peers agree that one of the peers will handle the rekey to renew the SA when that SA expires during a given time slot. To take Tero's numbers the rekey time slot could be (0.85 ± 0.05) leaving the future responder the time to realize the commitment has not been respected and take over the rekey. The mechanism is not expected to interfere with any other reasons that would lead to a rekey. The mechanism currently does not provide the SA life time as we thought the mechanism would be mostly useful between gateway that are known to have the same configuration. We are fine extending the mechanism and including the SA life time if we can agree that this does not generate any security / privacy consideration. Randomizing the SA lifetime is a probabilistic approach we - and our customers - do not want to rely on even if the probability of collision decreases with the SA lifetime. Similarly considering different SA lifetime on every device would require some changes in the way the gateways are provisioned our customers would like to avoid. Yours, Daniel On Wed, Nov 24, 2021 at 10:55 AM Valery Smyslov <smyslov.ietf@gmail.com> wrote: > Hi Harold, > > I failed to understand one thing. The situation you are trying to avoid > in most cases happens if peers are configured with equal SA lifetime. > Why you don't just configure your gateways with different lifetimes? > It seems to me that in scenarios you describe you have a total control > over gateways? > > > > Is your implementation not using a rekey fuzz of say 1 to 5 % ? In > that way, two endpoints are extremely > > unlikely to rekey at the exact same time. > > > > > > <Harold> > > > 1) We do use randomize the SA life time. Thanks for the feedback. > > > 2) Currently the typical lifetime is 300s (shortest). > > > 3) In the case of gateway to gateway, there is no client or > server. > > > 4) In gateway to gateway case, randomizing the SA lifetime is > not sufficient as we do not want to rely on > > a probabilistic model that depends on the life time of the child SA, but > rather ensure we do not run into such > > duplications. At the same time, even though initiator and responder both > have randomize lifetime the lifetime > > is a completely local value (not negotiated), and even the initiator and > responder can use different values. So > > there's still a probability of rekey happening at both ends > simultaneously. > > In our tests we emulated ~3000 SAs between two hosts with lifetime ~300 > secs. > With SA lifetimes randomization collisions were very rare (don't remember > exact data, I believe few percent of total rekeys). > > > > 5) Due to the arrival of 5G the number of radio access increases > greatly meanwhile IKE sessions are > > established between GATEWAY and GATEWAY based on cloud-RAN. At the same > time, Cloud-ran causes IKE > > sessions to be concentrated on the gateway and gateway so as to the > scale of Child SAs is huge, usually more > > than thousands. So even a few percent of simultaneous rekeying is > unacceptable because it will bring too > > many redundant packets and occupy bandwidth. > > > </Harold> > > I can't buy the last argument. Rekey consumes two ~100 bytes messages and > little CPU cycles > (unless you do PFS). If you can handle 5G traffic, then couple of hundreds > extra bytes happened > in approximately 1% of all rekeys (which in turn are very small fraction > of data traffic) > cannot saturate 5G network, IMHO. > > > Okay that is fair. Please add it to the Introduction of the draft > somehow :) > > > > > <Harold> > > > We are looking for a deterministic mechanism. We are happy to > change the one we proposed, but we > > cannot rely on SA random SA lifetime. > > > </Harold> > > > > So since lifetime is not negotiated, both endpoints have a need to > > rekey. Even if they agree via some other mechanism that one end > > should initiate the rekey, what should happen when that rekey is > > not happening? At some point the endpoint not initiating will have > > to tear down or start a rekey anyway. > > Exactly. For this reason I don't think the proposed solution is workable. > > > So why not, instead of a random process, exchange the maximum Child SA > > lifetime accepted before rekey? If the numbers are identical, prefer the > > current exchange initiator. > > > That way, it is deterministic and both endpoints inform the other end > > when (plus or minus some fuzz) a rekey is required. > > It's not enough. There are many cases when rekey is caused not because > of time expiration, but due to other reasons. For example, peer > may count number of bytes sent and rekey after some amount is reached > (when it is critical to limit the number of bytes processed with the same > key). > Or the number of messages sent (when you want to limit the number of > times a key was used for crypto operations). Or just because peer > receives too many packets with invalid ICV and decides that he/she is > under attack trying to break the current key. > > I only mentioned those reasons that we implemented... > > So, there are a lot of reasons for rekey. I think that the ability for any > peer to rekey at any time it thinks it is needed is a fundamental > property of IKEv2 and I think we should not break it. > > Regards, > Valery. > > > Paul > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > -- Daniel Migault Ericsson
- [IPsec] FW: New Version Notification for draft-li… Harold Liu
- Re: [IPsec] FW: New Version Notification for draf… Paul Wouters
- Re: [IPsec] FW: New Version Notification for draf… Harold Liu
- Re: [IPsec] FW: New Version Notification for draf… Paul Wouters
- Re: [IPsec] FW: New Version Notification for draf… Tero Kivinen
- Re: [IPsec] FW: New Version Notification for draf… Valery Smyslov
- Re: [IPsec] FW: New Version Notification for draf… Daniel Migault
- Re: [IPsec] FW: New Version Notification for draf… Paul Wouters
- Re: [IPsec] FW: New Version Notification for draf… Daniel Migault