Re: [IPsec] IPsecME WG Adoption call for draft-pwouters-ipsecme-multi-sa-performance
Daniel Migault <mglt.ietf@gmail.com> Tue, 22 November 2022 21:59 UTC
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 22 Nov 2022 16:58:55 -0500
Message-ID: <CADZyTkk6tuUgTZuivJNkj20tOqJreVu+hRFfuL=3w1wFqikcPQ@mail.gmail.com>
To: "Panwei (William)" <william.panwei=40huawei.com@dmarc.ietf.org>
Cc: Tero Kivinen <kivinen@iki.fi>, "ipsec@ietf.org" <ipsec@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/zr5zK_XYVOfqKfQ-pTWC03zcoYA>

This draft is missing an important part which is the actual negotiation of the multiple SAs. A peer willing to set these multiple SAs will have to negotiate them anyway. Some implementations can handle parallel CREATE_CHILD_SA, others cannot, and the negotiation of multiple SAs might take a very long time, at least a time that is not acceptable to high performance tunnels. Since these child SAs need to be created, the one willing to set the multiple SAs can simply start and stop when the responder says stop. In terms of IKEv2 the gains are minimal. The document may add a mechanism similar to address that:
https://datatracker.ietf.org/doc/draft-mglt-ipsecme-multiple-child-sa/

However, draft-ponchon-ipsecme-anti-replay-subspaces addresses all of these issues nicely and provides a much more scalable solution. It basically makes - IMO - both -multiple-child-sa and -multi-sa-performance obsolete.

My suggestion is that -multi-sa-performance is being moved to experimental and almost shipped as it is so the work being achieved is documented. This has been some interesting work, but today, I would like the group to spend more cycles on draft-ponchon-ipsecme-anti-replay-subspaces that I consider more promising.

Yours,
Daniel

On Tue, Nov 15, 2022 at 10:51 PM Panwei (William) <william.panwei=40huawei.com@dmarc.ietf.org> wrote:

> Hi,
>
> I've read this draft and support the adoption.
>
> Regards & Thanks!
> Wei PAN (潘伟)
>
> > -----Original Message-----
> > From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Tero Kivinen
> > Sent: Thursday, November 10, 2022 1:35 AM
> > To: ipsec@ietf.org
> > Subject: [IPsec] IPsecME WG Adoption call for
> > draft-pwouters-ipsecme-multi-sa-performance
> >
> > This is two week working group adoption call for the
> > draft-pwouters-ipsecme-multi-sa-performance. If you support adoption of this
> > document to the IPsecME WG send email to the list before the 2022-11-24.
> >
> > Note, that this is starting point for the document, so if you have any comments
> > send them to list also.
> >
> > There is no specific item for this in our charter, but this should
> > (now) be small enough change to fit in the "minor extensions"
> > category...
> > --
> > kivinen@iki.fi
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec

--
Daniel Migault
Ericsson