Hi all,
Antony, Steffen and I wrote a draft on increasing IPsec performance. This is the method we are envisioning for the Linux kernel. There is an experimental implementation in the kernel and libreswan/strongswan IKE daemons. It supports per-CPU and per-QoS Child SAs.

Paul

From: internet-dra...@ietf.org
Date: November 2, 2020 at 14:09:16 EST
To: Steffen Klassert <steffen.klass...@secunet.com>, Paul Wouters <pwout...@redhat.com>, Antony Antony <antony.ant...@secunet.com>
Subject: New Version Notification for draft-pwouters-multi-sa-performance-00.txt

A new version of I-D, draft-pwouters-multi-sa-performance-00.txt has been successfully submitted by Paul Wouters and posted to the IETF repository.

Name: draft-pwouters-multi-sa-performance
Revision: 00
Title: IKEv2 support for per-queue Child SAs
Document date: 2020-11-02
Group: Individual Submission
Pages: 10
URL: https://www.ietf.org/archive/id/draft-pwouters-multi-sa-performance-00.txt
Status: https://datatracker.ietf.org/doc/draft-pwouters-multi-sa-performance/
Htmlized: https://datatracker.ietf.org/doc/html/draft-pwouters-multi-sa-performance
Htmlized: https://tools.ietf.org/html/draft-pwouters-multi-sa-performance-00

Abstract:
This document defines two Notification Payloads (NUM_QUEUES and QUEUE_INFO) for the Internet Key Exchange Protocol Version 2 (IKEv2). These payloads add support for negotiating multiple identical Child SAs that can be used to optimize performance based on the number of queues or CPUs, or to create multiple Child SAs for different Quality of Service (QoS) levels. Using multiple identical Child SAs has the additional benefit that multiple streams have their own Sequence Number, ensuring that CPUs don't have to synchronize their crypto state or disable their replay window detection.
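
The last sentence of the abstract, illustrated with an added example that is not part of the original message, the draft, or the kernel implementation: a sliding-window anti-replay check run once with a single SA whose sequence counter is shared by all CPUs and once with one SA per CPU. The queue count, burst size, window size and the bursty per-CPU delivery order are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define NCPU   4    /* constructed: sender/receiver queues */
#define PKTS   64   /* constructed: packets sent per CPU */
#define BURST  32   /* constructed: packets one CPU delivers before the next runs */
#define WINDOW 64   /* constructed: anti-replay window size in packets */

struct replay { uint64_t top; uint64_t bitmap; };  /* bit d set = seq (top - d) seen */

/* Sliding-window anti-replay check (RFC 4303 style): 1 = accept, 0 = drop. */
static int replay_accept(struct replay *r, uint64_t seq)
{
    if (seq == 0) return 0;
    if (seq > r->top) {                         /* window slides right */
        uint64_t shift = seq - r->top;
        r->bitmap = (shift >= WINDOW) ? 1 : (r->bitmap << shift) | 1;
        r->top = seq;
        return 1;
    }
    uint64_t d = r->top - seq;
    if (d >= WINDOW) return 0;                  /* too old: left of the window */
    if (r->bitmap & (1ULL << d)) return 0;      /* already seen: replay */
    r->bitmap |= 1ULL << d;
    return 1;
}

/* Returns how many legitimate packets the receiver drops. */
static int simulate(int per_cpu_sa)
{
    struct replay sa[NCPU] = {{0, 0}};
    int drops = 0;
    for (int base = 0; base < PKTS; base += BURST)
        for (int cpu = 0; cpu < NCPU; cpu++)
            for (int i = base; i < base + BURST; i++) {
                /* shared SA: one counter handed out round-robin across CPUs;
                   per-CPU SA: every CPU numbers its own packets 1..PKTS */
                uint64_t seq = per_cpu_sa ? (uint64_t)i + 1
                                          : (uint64_t)i * NCPU + cpu + 1;
                drops += !replay_accept(&sa[per_cpu_sa ? cpu : 0], seq);
            }
    return drops;
}

int main(void)
{
    printf("one shared SA: %d drops\n", simulate(0));
    printf("per-CPU SAs:   %d drops\n", simulate(1));
    return 0;
}
```

With the shared counter, each CPU's burst pushes the window past packets that other CPUs have not delivered yet, so valid traffic is rejected as too old; with per-CPU SAs every window only ever sees its own in-order stream.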