[IPsec] Why ipsecme-anti-replay-subspaces is needed.

2023-12-04 Thread Pierre Pfister (ppfister)
Hi all, I'd like to encourage a discussion here around why the solution described in draft-ponchon-ipsecme-anti-replay-subspaces is needed, and why draft-ietf-ipsecme-multi-sa-performance is not sufficient for us. So far, we have received feedback from people supporting our work, and sharin

Re: [IPsec] Why ipsecme-anti-replay-subspaces is needed.

2023-12-04 Thread Ben Schwartz
As I've mentioned previously, I think this draft is valuable for "network-to-network" tunneling, where the sender and receiver are both represented by a large (and evolving) collection of gateways (perhaps sharing IPs via anycast). This situation requires O(N^2) SAs in the current protocol, bu

[IPsec] Why ipsecme-anti-replay-subspaces is needed.

2023-12-04 Thread Tero Kivinen
Pierre Pfister (ppfister) writes:
> "Creating 144 IPsec SA should take less than tenth of a second.
> IKEv2 have windowing mode. With really big systems, creating more
> SAs is not an issue."
>
> We unfortunately cannot afford to throw more cores at every scaling
> issue that we have. IPsec har