IETF Logo Mail Archive

Re: [tcmtf] Answers to possible questions in the BOF

"Jose Saldana" <jsaldana@unizar.es> Thu, 11 July 2013 08:44 UTC

Return-Path: <jsaldana@unizar.es>
X-Original-To: tcmtf@ietfa.amsl.com
Delivered-To: tcmtf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A98121F9DF2 for <tcmtf@ietfa.amsl.com>; Thu, 11 Jul 2013 01:44:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.3
X-Spam-Level:
X-Spam-Status: No, score=-6.3 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c1HMSGDBDgqn for <tcmtf@ietfa.amsl.com>; Thu, 11 Jul 2013 01:44:15 -0700 (PDT)
Received: from huecha.unizar.es (huecha.unizar.es [155.210.1.51]) by ietfa.amsl.com (Postfix) with ESMTP id B08B921F9DB0 for <tcmtf@ietf.org>; Thu, 11 Jul 2013 01:44:14 -0700 (PDT)
Received: from usuarioPC (gtc1pc12.cps.unizar.es [155.210.158.17]) by huecha.unizar.es (8.13.8/8.13.8/Debian-3) with ESMTP id r6B8i2w0014434; Thu, 11 Jul 2013 10:44:03 +0200
From: Jose Saldana <jsaldana@unizar.es>
To: "'Muthu Arul Mozhi Perumal (mperumal)'" <mperumal@cisco.com>, "'Dan Wing (dwing)'" <dwing@cisco.com>
References: <007e01ce70c9$fe1a0aa0$fa4e1fe0$@unizar.es> <009901ce725a$d1623360$74269a20$@unizar.es> <2543ED38-A2FF-49D7-85E0-4790A31415BC@cisco.com> <20130628105725.lmag0xgqsgogggww@webmail.unizar.es> <EFFB6AC1-BF9A-47D9-B5B8-3DD34A508FE8@cisco.com> <E721D8C6A2E1544DB2DEBC313AF54DE22417E050@xmb-rcd-x02.cisco.com> <23E6BFC1-4D3C-48A5-A9A2-3BD32863F9A6@cisco.com> <E721D8C6A2E1544DB2DEBC313AF54DE22417FD51@xmb-rcd-x02.cisco.com> <007901ce7d42$2d49fc20$87ddf460$@unizar.es> <E721D8C6A2E1544DB2DEBC313AF54DE224189F5E@xmb-rcd-x02.cisco.com>
In-Reply-To: <E721D8C6A2E1544DB2DEBC313AF54DE224189F5E@xmb-rcd-x02.cisco.com>
Date: Thu, 11 Jul 2013 10:44:04 +0200
Organization: Universidad de Zaragoza
Message-ID: <003b01ce7e12$cf140570$6d3c1050$@unizar.es>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHxl5HfJe4XxEPJrqhURPk2/vEH5gJG8kQSAT8jBAUB238Z4AIljoQ2An0f44UBvevVIgGBEpi6Ai84Ev4Bgo8iUpiRTJyg
Content-Language: es
X-Mail-Scanned: Criba 2.0 + Clamd & Bogofilter
Cc: tcmtf@ietf.org, jltornos@unizar.es
Subject: Re: [tcmtf] Answers to possible questions in the BOF
X-BeenThere: tcmtf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: jsaldana@unizar.es
List-Id: "Tunneling Compressed Multiplexed Traffic Flows \(TCMTF\) discussion list" <tcmtf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcmtf>, <mailto:tcmtf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcmtf>
List-Post: <mailto:tcmtf@ietf.org>
List-Help: <mailto:tcmtf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcmtf>, <mailto:tcmtf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2013 08:44:19 -0000

Muthu,

So you have a "bunch" of IPsec flows, and you
- decrypt each flow
- compress headers
- multiplex packets
- put the multiplexed bundle in an IPsec packet, using a new IPsec tunnel

So you would have three phases:
- separate IPsec tunnels for each flows
- a single IPsec tunnel for the TCM flow
- separate IPsec tunnels in the end

Origin 1
Origin 2     <----20 secured flows --------> TCM-IO <------1 tunnel------>
TCM-EO <-------- 20 secured flows----> destination 1, 2, 20
...
Origin 20

But I think this raises a question: the TCM ingress optimizer must be able
to decrypt all the flows. This implies that it knows the keys and it is
trusted by the communication ends.

This would be the most efficient solution, but you would need some
requirements:

- trust the TCM optimizer
- processing capacity for decrypt-compress-multiplex-encrypt

Is this what you are thinking?

Jose

> -----Mensaje original-----
> De: Muthu Arul Mozhi Perumal (mperumal) [mailto:mperumal@cisco.com]
> Enviado el: miércoles, 10 de julio de 2013 12:00
> Para: jsaldana@unizar.es; Dan Wing (dwing)
> CC: tcmtf@ietf.org; jltornos@unizar.es
> Asunto: RE: [tcmtf] Answers to possible questions in the BOF
> 
> Hi Jose,
> 
> |But in this case you have two security layers: the original flows use
> |IPsec, and you are adding another IPsec tunnel including all the
compressed
> ones.
> 
> No, just one IPSec tunnel. The idea is to compress the headers of all
packets
> that need to go over the same IPSec tunnel, multiplex them and give it to
the
> IPSec layer. The IPSec layer would add the IP/ESP header and send it over
> the IPSec tunnel. The next header field in ESP would tell there is a mux
> header following it, and the mux header can be used to demux the packet
> after IPSec decryption.
> 
> Muthu
> 
> |-----Original Message-----
> |From: Jose Saldana [mailto:jsaldana@unizar.es]
> |Sent: Wednesday, July 10, 2013 1:21 PM
> |To: Muthu Arul Mozhi Perumal (mperumal); Dan Wing (dwing)
> |Cc: tcmtf@ietf.org; jltornos@unizar.es
> |Subject: RE: [tcmtf] Answers to possible questions in the BOF
> |
> |Muthu,
> |
> |But in this case you have two security layers: the original flows use
> |IPsec, and you are adding another IPsec tunnel including all the
compressed
> ones.
> |Am I right? Would this be necessary?
> |
> |Jose
> |
> |> -----Mensaje original-----
> |> De: tcmtf-bounces@ietf.org [mailto:tcmtf-bounces@ietf.org] En nombre
> |> de Muthu Arul Mozhi Perumal (mperumal) Enviado el: jueves, 04 de
> |> julio de 2013 15:42
> |> Para: Dan Wing (dwing)
> |> CC: tcmtf@ietf.org; jltornos@unizar.es; jsaldana@unizar.es
> |> Asunto: Re: [tcmtf] Answers to possible questions in the BOF
> |>
> |> |My read of it was:  apply ROHC at the endpoint ("inner headers") and
> |> |then do IPsec.  That is, compress and then encrypt.
> |>
> |> Right, Dan. I was thinking the (inner) headers of the packets going
> |> over
> |the
> |> same IPSec tunnel could first be compressed, multiplex, then
> |> encrypted and sent over that tunnel:
> |>
> |> --------------------------------------------
> |> |outer IP hdr| ESP | MUX | ROHCoIPsec|Data1|
> |> |            |     | hdr |   hdr1    |     |
> |> --------------------------------------------
> |>                           ----------------------
> |>                           | ROHCoIPsec | Data2 |
> |>                           |    hdr2    |       |
> |>                           ----------------------
> |>                           -------------------------------------
> |>                           | ROHCoIPsec |  Data3  | ESP   | ESP|
> |>                           |    hdr3    |         |Trailer| ICV|
> |>                           -------------------------------------
> |>                     <-----------Encrypted-------->
> |>
> |> Muthu
> |>
> |> |-----Original Message-----
> |> |From: Dan Wing (dwing)
> |> |Sent: Thursday, July 04, 2013 12:26 AM
> |> |To: Muthu Arul Mozhi Perumal (mperumal)
> |> |Cc: jltornos@unizar.es; tcmtf@ietf.org; jsaldana@unizar.es
> |> |Subject: Re: [tcmtf] Answers to possible questions in the BOF
> |> |
> |> |
> |> |On Jul 3, 2013, at 11:51 AM, Muthu Arul Mozhi Perumal (mperumal)
> |> <mperumal@cisco.com> wrote:
> |> |
> |> |> |However, if there are a bunch of IPsec packets sharing a common
> |> |> |path, I could see them being successfully multiplexed into one
> |> |> |larger packet at one tunnel endpoint and then de-multiplexed at
> |> |> |the
> |> other tunnel endpoint.
> |> |> |This can provide a packet per second reduction.  I don't think
> |> |> |there are enough bytes in an IPsec header to bother trying to do
> |> |> |IPsec header compression (SPI and sequence number are only 64
> bits).
> |> |>
> |> |> Actually, RFC5856 describes how ROHC can be used over IPSec
> |> (ROHCoIPsec).
> |> |
> |> |My read of it was:  apply ROHC at the endpoint ("inner headers") and
> |> |then do IPsec.  That is, compress and then encrypt.
> |> |
> |> |-d
> |> |
> |> |
> |> |> Combining it with multiplexing the entire packets could provide
> |> |> significant reduction in the header
> |> |overhead, especially for IPv6, I think.
> |> |>
> |> |> Muthu
> |> |>
> |> |> |-----Original Message-----
> |> |> |From: tcmtf-bounces@ietf.org [mailto:tcmtf-bounces@ietf.org] On
> |> |> |Behalf Of Dan Wing (dwing)
> |> |> |Sent: Monday, July 01, 2013 10:25 PM
> |> |> |To: jltornos@unizar.es
> |> |> |Cc: tcmtf@ietf.org; jsaldana@unizar.es
> |> |> |Subject: Re: [tcmtf] Answers to possible questions in the BOF
> |> |> |
> |> |> |
> |> |> |On Jun 28, 2013, at 1:57 AM, jltornos@unizar.es wrote:
> |> |> |
> |> |> |> Hi all,
> |> |> |>
> |> |> |> Few days ago Julian talked about TCM-TF's security and now I've
> |> |> |> read in the link included by Dan,
> |> |> |saying that the gain obtained when multiplexing Ipsec-encrypted
> |> |> |packets is 20-to-1. We have been looking for more information
> |> |> |about this issue and thinking about a way to reduce the needed
> |> |bandwidth
> |> |> |in IPsec flows.
> |> |> |>
> |> |> |> The main idea is to find a way to change the authentication of
> |> |> |> the individual packets and merge
> |> |all
> |> |> |of them in a unique authentication. Thus, instead of using 20
> |> |> |IPsec tunnels, we would have a single tunnel including 20 flows.
> |> |> |Is this
> |> something similar than how Cisco gets the improvement?
> |> |> |
> |> |> |We would not be able to change IPsec any more than we could
> |> |> |change TCP, so I would not look at how
> |> |to
> |> |> |change IPsec authentication.
> |> |> |
> |> |> |However, if there are a bunch of IPsec packets sharing a common
> |> |> |path, I could see them being successfully multiplexed into one
> |> |> |larger packet at one tunnel endpoint and then de-multiplexed at
> |> |the
> |> |> |other tunnel endpoint.  This can provide a packet per second
> |> |> |reduction.  I don't think there are enough bytes in an IPsec
> |> |> |header to bother trying to do IPsec header compression (SPI and
> |> |> |sequence
> |> number are only 64 bits).
> |> |> |
> |> |> |-d
> |> |> |
> |> |> |
> |> |> |>
> |> |> |> José Luis
> |> |> |>
> |> |> |>
> |> |> |>
> |> |> |> Dan Wing <dwing@cisco.com> ha escrito:
> |> |> |>
> |> |> |>>
> |> |> |>> On Jun 26, 2013, at 3:49 AM, Jose Saldana <jsaldana@unizar.es>
> |> wrote:
> |> |> |>>
> |> |> |>>> Question 4: Is TCM-TF interesting for the Industry? Should
> |> |> |>>> the
> |IETF
> |> standardize this?
> |> |> |>>>
> |> |> |>>> Answer:
> |> |> |>>>
> |> |> |>>> 1) TCM-TF intends to update RFC4170, which optimizes RTP VoIP
> |> |> |>>> traffic. So if RFC4170 was
> |> |> |interesting, why not updating it?
> |> |> |>>>
> |> |> |>>> 2) TCM-TF can be useful in order to save bandwidth in many
> cases:
> |> |> |>>>
> |> |> |>>> - Aggregation network of *network operators*: We are saving
> |> |> |>>> bandwidth by optimizing and
> |> |putting
> |> |> |together traffic flows. Is this  interesting for a network
operator?
> |What
> |> about overprovisioning?
> |> |The
> |> |> |idea is that there are places and moments in which a number of
> |> |> |flows based on small packets are in the same place and at the
> |> |> |same moment. Then, TCM-TF can be applied in order to provide
> |> |flexibility.
> |> |> |We are not optimizing the overall Internet traffic, we  are
> |> |> |optimizing specific flows with very
> |> |tight
> |> |> |delay requirements,  which network operators have to take care of
> |> |> |in a
> |> special way.
> |> |> |>>> www.huawei.com/ilink/en/download/HW_193034
> |> |> |>>>
> |> |> |>>> - *End to end* optimization: Nowadays, many appliances are
> |> |> |>>> used to  connect remote offices of
> |> |the
> |> |> |same company (creating a VPN). So if  a tunnel exists, why not
> |> |> |optimizing this traffic when
> |> |possible?
> |> |> |We  would save bandwidth in the access network, where it can be
> |> scarce.
> |> |> |>>>
> |> |> |>>> - Wireless and satellite scenarios.
> |> |> |>>
> |> |> |>> "Cisco adds IP multiplexing to mobile satellite package",
> |> |> |>> April 2012,
> |> |> |http://www.networkworld.com/news/2012/040912-cisco-ip-
> |> multiplexing-2
> |> |> |58082.html
> |> |> |>>
> |> |> |>>
> |> |> |>>
> |> |> |>>>
> |> |> |>>>
> |> |> |>>> Any other thoughts? Any other scenarios in mind? Potential
> |> beneficiaries?
> |> |> |>>
> |> |> |>> Some networks, today, use cRTP (RFC2508) on their access links.
> |This
> |> gives bandwidth savings
> |> |on
> |> |> |the access link, but consumes  considerable CPU horsepower on the
> |> aggregation router (to perform
> |> |> |cRTP), but provides no bandwidth savings across the network core.
> |If,
> |> instead, the bandwidth
> |> |could
> |> |> |be saved on the access link, across  the core, and on the far-end
> |> |> |access link -- all without the
> |> |CPU
> |> |> |impact on the aggregation router -- it is a considerable win.
> |> |> |>>
> |> |> |>> -d
> |> |> |>>
> |> |> |>>
> |> |> |>>
> |> |> |>>>
> |> |> |>>>
> |> |> |>>> Jose
> |> |> |>>>
> |> |> |>>> De: tcmtf-bounces@ietf.org [mailto:tcmtf-bounces@ietf.org] En
> |> |> |>>> nombre de Jose Saldana Enviado el: lunes, 24 de junio de 2013
> |> |> |>>> 13:00
> |> |> |>>> Para: tcmtf@ietf.org
> |> |> |>>> Asunto: [tcmtf] Answers to possible questions in the BOF
> |> |> |>>>
> |> |> |>>> I would like to start a thread about possible questions
> |> |> |>>> people may  ask in the BOF. Obviously,
> |> |we
> |> |> |also need answers, so we should  cooperate.
> |> |> |>>>
> |> |> |>>> This is different from the "questions to ask in the BOF".
> |> |> |>>> This
> |will  be
> |> discussed separately.
> |> |> |>>>
> |> |> |>>> Thanks!
> |> |> |>>>
> |> |> |>>> Jose
> |> |> |>>>
> |> |> |>>> _______________________________________________
> |> |> |>>> tcmtf mailing list
> |> |> |>>> tcmtf@ietf.org
> |> |> |>>> https://www.ietf.org/mailman/listinfo/tcmtf
> |> |> |>>
> |> |> |>>
> |> |> |>
> |> |> |>
> |> |> |>
> |> |> |
> |> |> |_______________________________________________
> |> |> |tcmtf mailing list
> |> |> |tcmtf@ietf.org
> |> |> |https://www.ietf.org/mailman/listinfo/tcmtf
> |>
> |> _______________________________________________
> |> tcmtf mailing list
> |> tcmtf@ietf.org
> |> https://www.ietf.org/mailman/listinfo/tcmtf

v2.23.0 | Report a Bug | By Email