Hi.
I’ve read the draft. Overall, it’s similar to a non-standardized solution we
did at Check Point several years ago, so I agree that it is a solution that
works. Of course, since there *are* a bunch of working implementations, that
is not particularly insightful.
With a lot of flows, it’s likely that in most situations the number of parallel
SAs is going to be about the same as the number of “resources”. The text in
section 4 does mention the issue of having peers with a different number of
CPUs. In practice these can be very different. It’s not unheard of to have a
center office with dozens of CPUs working with a branch office machine with
one. The way this protocol seems to work is that the center office will attempt
to create dozens of SAs, only to be stopped by the branch office which at some
point will return the TS_MAX_QUEUE notification. I’m not a big fan of creating
as many SAs as you can until the peer fails you, but the alternative would be
to pre-negotiate the ts_max_queue value.
A couple of editorial comments:
- Although it is implied, it should be stated explicitly that TS_MAX_QUEUE does
not mean no more child SAs with these TS ever. As some child SAs get deleted
and perhaps not rekeyed if they’re idle, if traffic picks up again, new child
SAs with these TS can be created until the peer again blocks you with a
TS_MAX_QUEUE.
- With a single SA pair per TS, implementations can expect that all packets in
a flow (such as a TCP connection) will go through the same SA pair. This is
especially important in implementations that are combined with firewalls. I
think we need explicit text that says packets for any flow may come on any of
the SAs from the logical group of child SAs. Perhaps:
“implementations MUST NOT assume that all packets of a particular flow will be
encrypted with a particular SA in the logical group of child SAs.”
Yoav
> On 25 Oct 2023, at 1:40, Tero Kivinen wrote:
>
> This will start three week working group laste call for
> draft-ietf-ipsecme-multi-sa-performance. The working group last call
> will end at 2023-11-15.
>
> Please review the document and send comments to the list if you think
> it is ready for publication.
> --
> kivi...@iki.fi
>
> ___
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec