Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
"Panwei (William)" <william.panwei@huawei.com> Wed, 20 March 2024 08:04 UTC
Return-Path: <william.panwei@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB2A7C1D621A for <ipsec@ietfa.amsl.com>; Wed, 20 Mar 2024 01:04:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yzPeKXGLkZnD for <ipsec@ietfa.amsl.com>; Wed, 20 Mar 2024 01:04:45 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54D7AC1D4CE0 for <ipsec@ietf.org>; Wed, 20 Mar 2024 01:04:45 -0700 (PDT)
Received: from mail.maildlp.com (unknown [172.18.186.31]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4V01MJ1BmDz6K5w8; Wed, 20 Mar 2024 16:04:12 +0800 (CST)
Received: from lhrpeml100002.china.huawei.com (unknown [7.191.160.241]) by mail.maildlp.com (Postfix) with ESMTPS id 905DA140595; Wed, 20 Mar 2024 16:04:43 +0800 (CST)
Received: from kwepemi100009.china.huawei.com (7.221.188.242) by lhrpeml100002.china.huawei.com (7.191.160.241) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Wed, 20 Mar 2024 08:04:42 +0000
Received: from kwepemi500010.china.huawei.com (7.221.188.191) by kwepemi100009.china.huawei.com (7.221.188.242) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Wed, 20 Mar 2024 16:04:41 +0800
Received: from kwepemi500010.china.huawei.com ([7.221.188.191]) by kwepemi500010.china.huawei.com ([7.221.188.191]) with mapi id 15.01.2507.035; Wed, 20 Mar 2024 16:04:41 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: Steffen Klassert <steffen.klassert@secunet.com>
CC: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
Thread-Topic: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
Thread-Index: AQHabgXw2ORgzh79i06MkXh0+CozjrEo1fnw///F4ICABPAScIAEpZOAgAXB6YCACB5N0A==
Date: Wed, 20 Mar 2024 08:04:41 +0000
Message-ID: <a80bed7fcd02445d8a75555b2764c3a4@huawei.com>
References: <29bca8d122844180afc21cd6b353159a@huawei.com> <4C637D68-CD0C-47C1-8D34-36D01A2DBF1F@aiven.io> <e7bc176dafcd4a719b84842b685a9fc5@huawei.com> <c6dc7d13-2c1c-f5c7-290e-34a88a21d103@nohats.ca> <ZfP5SxlCueJ/aQt/@gauss3.secunet.de>
In-Reply-To: <ZfP5SxlCueJ/aQt/@gauss3.secunet.de>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.126.200.52]
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/uP3xVBPkqE8-OUF-rkkPFwIDFBM>
Subject: Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 08:04:49 -0000
Hi Steffen,
Thanks for your input and that is very useful for us.
At yesterday's meeting, I think people basically understood and accepted the problem statement itself, but also raised different ideas regarding to the solutions.
We'll try to do more analysis and comparison of possible solutions, including what you suggested.
What you are doing (new version of WESP) is also interesting to us, we'd like to know more if it's OK.
Switching to a new protocol is still a reasonable solution for us, although it has pains.
Developing a new protocol in IETF will cost time, we'd like to adopt the new protocol after it's standardized.
But we need to solve our problem now, and therefore, it's better for us to consider some forward compatible things in advance. For example, do you think it's better to encrypt the "Flow Identifier" field or not?
Regards & Thanks!
Wei PAN (潘伟)
> -----Original Message-----
> From: Steffen Klassert <steffen.klassert@secunet.com>
> Sent: Friday, March 15, 2024 5:31 PM
> To: Paul Wouters <paul@nohats.ca>
> Cc: Panwei (William) <william.panwei@huawei.com>; ipsec@ietf.org WG
> <ipsec@ietf.org>
> Subject: Re: [IPsec] I-D Action:
> draft-he-ipsecme-vpn-shared-ipsecsa-00.txt
>
> On Mon, Mar 11, 2024 at 11:36:03AM -0400, Paul Wouters wrote:
> > On Mon, 11 Mar 2024, Panwei (William) wrote:
> >
> > > Indeed, splitting the 32-bit SPI into two sub-fields, the VPN ID
> sub-field and SPI sub-field, may also be one option. This solution doesn't
> need to change the ESP packet format, but it also has some
> disadvantages.
> > > The first one is the scalable issue. 256 VPN IDs may be enough for
> use for current RAN Sharing scenario, but when considering the service
> slicing feature, thousands and even more VPNs will be needed in the
> future. So, it's better to assign 16 bits to the VPN ID sub-field. Therefore,
> the SPI sub-field will be trenched to 16 bits, which means the available
> SPIs are 64k. This can have a negative impact on the expansion of usable
> scenarios in the future.
> > > The second problem is the high possibility of packet disorder.
> Although all VPNs share one actual SA and the sender assigns sequence
> numbers in sequence to all the traffic no matter which VPN they belong
> to, different VPNs will use different SPIs in the ESP packets. This will
> interfere with the load balance process of the on-path routers because
> they usually look at the SPI field when doing the hash. This may lead to
> packet disorder at the IPsec receiver.
> > > Therefore, we currently still prefer a separate field representing the
> VPN ID. But we are open to more discussions and future changes.
> >
> > Thanks, those arguments are clear. Perhaps Steffen can take these into
> > consideration as well when thinking about ESPv4 / WESP :)
>
> The root cause what this draft tries to solve is that we need a possibility
> to expose information of the inner packet flow to the outer packet.
> Basically this is the same problem, the sequence number subspaces draft
> tries to solve. So instead of solving the same problem for every single
> usecase in a diffetent way, it would be nice to have a generic solution for
> that problem. I'm thinking of some 'Flow Identiyer' field that can be used
> for all this cases.
>
> The biggest problem here is that some usecases need to have this
> information transparent to the outer network. For instance the sequence
> number subspaces information is needed by the receiving NIC to do RSS
> properly. For that reason negotiating the new field does not help. The NIC
> can't know what you have negotiated, so the new field is useless in that
> case. Unfortunately ESP does not have a version number, so we can't
> change it in any transparent way. The only possibility for ESP is to use the
> SPI because this is already used as the ESP 'Flow Identifyer'.
>
> At the last IETF meeting I proposed to use an updated WESP to do
> changes that need to be transparent to the network. WESP has a version
> numbers and can be adjusted in a transparent way.
> I'm currently preparing a WESPv2 draft that I plan to publish after the
> next IETF meeting. Some people here on the list have seen it already,
> that's why Paul mentioned me in his mail.
>
> I know that switching to another protocol is always a pain, but I don't see
> other options do do that right.
>
> Steffen
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Paul Wouters
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Paul Wouters
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Steffen Klassert
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Michael Richardson
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Panwei (William)
- Re: [IPsec] I-D Action: draft-he-ipsecme-vpn-shar… Michael Richardson