Hi,

We’ve submitted an updated revision of draft-ponchon-ipsecme-anti-replay-subspaces to address the changes that were discussed since IETF 115. The draft keeps the same structure with the following major changes:

* We moved to a 16-bit subspace identifier field to accommodate a larger number of sequence number subspaces, as the previous maximum of 256 was too low for some use cases.
* Consequently, we’re now using an explicit 64-bit field in the ESP header for the extended sequence number to hold the subspace id.
* We’ve completed the IKE negotiation section of the draft from the recommendations by defining a new transform to use the subspaces.

We’d like to thank everyone who provided feedback so far and appreciate further feedback on the updated draft.

Paul P.

internet-dra...@ietf.org <internet-dra...@ietf.org> writes:

A new version of I-D, draft-ponchon-ipsecme-anti-replay-subspaces-01.txt has been successfully submitted by Paul Ponchon and posted to the IETF repository.

Name: draft-ponchon-ipsecme-anti-replay-subspaces
Revision: 01
Title: IPsec and IKE anti-replay sequence number subspaces for traffic-engineered paths and multi-core processing
Document date: 2023-03-13
Group: Individual Submission
Pages: 12
URL: https://www.ietf.org/archive/id/draft-ponchon-ipsecme-anti-replay-subspaces-01.txt
Status: https://datatracker.ietf.org/doc/draft-ponchon-ipsecme-anti-replay-subspaces/
Htmlized: https://datatracker.ietf.org/doc/html/draft-ponchon-ipsecme-anti-replay-subspaces
Diff: https://author-tools.ietf.org/iddiff?url2=draft-ponchon-ipsecme-anti-replay-subspaces-01

Abstract:
This document discusses the challenges of running IPsec with anti-replay in multi-core environments where packets may be re-ordered (e.g., when sent over multiple IP paths, traffic-engineered paths and/or using different QoS classes). A new solution based on splitting the anti-replay sequence number space into multiple different sequencing subspaces is proposed. Since this solution requires support on both parties, an IKE extension is proposed in order to negotiate the use of the anti-replay sequence number subspaces.

The IETF Secretariat