Hi, Michael. Thanks for bringing this to the group.
> On 22 Jul 2020, at 13:26, Michael Rossberg <michael.rossb...@tu-ilmenau.de> wrote:
>
> We have been analyzing issues ESP has in current data-center networks and came to
> the conclusion that changes in the protocol could significantly improve its behavior. Some
> of the results will be presented next Tuesday in a pitch talk at IETF 108. This mail is just a
> small teaser, in case some of you wanted to gather some arguments for the discussion.
>
> In particular, we propose the following changes to ESP:
>
> * Allow multiple windows per SA to allow for scaling over CPUs, windows per QoS
>   class & replay protection in multicast groups
> * 64 bit sequence counters in each header to ease protocol handling and allow for
>   replay protection in multicast groups
> * Removing the trailer to ease segment & fragment handling and alignment
> * Implicit IVs in the spirit of RFC 8750, removing the need for AAD
>
> Further details and benchmark results may be found in a paper preprint [1] and a
> presentation [2] we held at the Linux IPsec Workshop.

RFC 6311 allows multiple members in a cluster of IPsec gateways to have independent parallel SAs so as to solve the problem of synchronization and counter re-use among nodes. While the focus there is on different nodes, the synchronization problem also exists between cores of a single node. There is no reason to think RFC 6311 could not be adapted to multi-core nodes.

So I'm wondering if we really need multi-window logic to scale over CPUs, or whether it would be simpler to just generate multiple SAs for multiple CPUs.

Yoav (with no hats other than co-author of RFC 6311)
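The replay-window point the two messages circle around, as an added illustration that is not code from the ESP proposal, the paper, the Linux kernel or RFC 6311: a bitmap anti-replay window in the style of RFC 4303 over 64-bit sequence numbers, an inbound SA that can hold one or several such windows, and a constructed simulation of two sending CPUs with unsynchronized counters. The per-packet "window index" and the mapping of CPU k onto window k are assumptions made for the demo; with one SA per CPU instead of one window per CPU, the receive-side state is the same, only keyed by SPI rather than by an in-header index.

```python
"""Anti-replay windows for 64-bit ESP sequence numbers.

Added illustration for this thread; it is not code from the ESP proposal,
from the Linux kernel or from RFC 6311. The per-packet 'window index' and the
way senders (CPUs) are mapped onto windows are assumptions for the demo.
"""

SEQ_MAX = 2**64 - 1


class ReplayWindow:
    """Bitmap sliding window in the style of RFC 4303's anti-replay check.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    says whether `top - i` has been seen (bit 0 is `top` itself).  A real
    receiver only commits the update after the ICV has verified; here the
    check and the update are one step to keep the example short.
    """

    def __init__(self, size: int = 64) -> None:
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.started = False

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new and inside the window."""
        if not 0 <= seq <= SEQ_MAX:
            raise ValueError("sequence number outside the 64-bit range")
        if not self.started:                  # first packet on this window
            self.started, self.top, self.bitmap = True, seq, 1
            return True
        if seq > self.top:                    # advance the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything older fell off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset            # late but new: accept
        return True


class InboundSA:
    """Inbound state for one SA holding `windows` independent replay windows.

    windows=1 is the classic single window per SA; windows>1 models the
    'multiple windows per SA' idea, selected by an assumed per-packet index.
    """

    def __init__(self, windows: int = 1, size: int = 64) -> None:
        self.windows = [ReplayWindow(size) for _ in range(windows)]

    def accept(self, window_id: int, seq: int) -> bool:
        if not 0 <= window_id < len(self.windows):
            return False                      # unknown window: drop
        return self.windows[window_id].check_and_update(seq)


def simulate(num_cpus: int, windows: int, pkts_per_cpu: int) -> dict:
    """Constructed traffic: each sending CPU keeps its own counter 1..N.

    CPU k is mapped onto window k % windows (an assumption).  With a single
    shared window the second CPU's counter collides with the first one's and
    is rejected as a replay; with one window per CPU every packet is accepted.
    """
    sa = InboundSA(windows)
    accepted = rejected = 0
    for seq in range(1, pkts_per_cpu + 1):
        for cpu in range(num_cpus):
            if sa.accept(cpu % windows, seq):
                accepted += 1
            else:
                rejected += 1
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print("shared window :", simulate(num_cpus=2, windows=1, pkts_per_cpu=10))
    print("window per CPU:", simulate(num_cpus=2, windows=2, pkts_per_cpu=10))
```

The shared-window run rejects exactly half the traffic: not because anything was replayed, but because two unsynchronized counters share one window, which is the counter re-use problem both the proposal and RFC 6311 address from different ends.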