Hello ipsecme,

We would like to notify the list that we just published a new draft (draft-ponchon-ipsecme-anti-replay-subspaces) and would kindly ask for the opportunity to present it in London in person.
We (the authors of this draft) are currently involved in the performance optimization of an IPsec stack deployed in some large SD-WAN networks. We have been observing performance and scalability challenges related to anti-replay, and believe the working group could propose a solution.

We recently became aware that the working group was investigating similar issues in the multi-sa draft (draft-pwouters-ipsecme-multi-sa-performance-04). We are very enthusiastic about that work, but believe that we have additional requirements, as well as operational experience, which might challenge the currently proposed solution.

To summarize: we do need anti-replay to scale to multiple cores (as detailed in the multi-sa draft), but we also need packets to be sent across multiple paths and multiple QoS policies. These problems add up in showing anti-replay limitations, and using more Child SAs comes with a significant performance degradation. We believe that the anti-replay mechanism itself could be improved to support all these use-cases, and that's what this draft is about.

We would appreciate any feedback and, again, would love to have the opportunity to present that work in London.

Thanks,
Paul, Mohsin, Pierre and Guillaume.

From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Date: Monday, 24 October 2022 at 16:50
To: Guillaume Solignac (gsoligna) <gsoli...@cisco.com>, Mohsin Shaikh (mohsisha) <mohsi...@cisco.com>, Paul Ponchon (pponchon) <pponc...@cisco.com>, Pierre Pfister (ppfister) <ppfis...@cisco.com>
Subject: New Version Notification for draft-ponchon-ipsecme-anti-replay-subspaces-00.txt

A new version of I-D, draft-ponchon-ipsecme-anti-replay-subspaces-00.txt has been successfully submitted by Paul Ponchon and posted to the IETF repository.
Name: draft-ponchon-ipsecme-anti-replay-subspaces
Revision: 00
Title: IPsec and IKE anti-replay sequence number subspaces for multi-path tunnels and multi-core processing
Document date: 2022-10-24
Group: Individual Submission
Pages: 11
URL: https://www.ietf.org/archive/id/draft-ponchon-ipsecme-anti-replay-subspaces-00.txt
Status: https://datatracker.ietf.org/doc/draft-ponchon-ipsecme-anti-replay-subspaces/
Htmlized: https://datatracker.ietf.org/doc/html/draft-ponchon-ipsecme-anti-replay-subspaces

Abstract:
This document discusses the challenges of running IPsec with anti-replay in environments where packets may be re-ordered (e.g., when sent over multiple IP paths, traffic-engineered paths and/or using different QoS classes) as well as when processed on multiple cores. Different approaches to solving this problem are discussed, and a new solution based on splitting the anti-replay sequence number space into multiple different sequencing subspaces is proposed. Since this solution requires support on both parties, an IKE extension is proposed in order to negotiate the use of the Anti-Replay sequence number subspaces.

The IETF Secretariat
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
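The abstract above states the problem and the proposed direction only at a high level. The following Python simulation is an added illustration for this thread; it is not code from the draft, from its authors or from any IPsec stack. It assumes a 64-bit sequence number whose top 4 bits select a sequencing subspace (here, one subspace per path) and whose remaining bits are a per-subspace counter; that layout, the window size of 64 and the constructed two-path scenario (one path 200 packet-times slower than the other) are all assumptions chosen to make the effect visible, not the encoding or the negotiation the draft specifies. It shows why a single RFC 4303 style sliding window drops legitimate packets from the slow path as "too old" once the fast path has pushed the window forward, while independent per-subspace windows accept every packet and still reject a genuine replay.

```python
"""Toy demo: one anti-replay window vs. per-subspace windows under reordering.

Added example, not code from the draft or any IPsec implementation.
ASSUMED layout: 64-bit sequence number, top SUBSPACE_BITS = subspace id,
remaining bits = per-subspace counter. The draft's real encoding and its
IKE negotiation are not reproduced here.
"""

SEQ_BITS = 64
SUBSPACE_BITS = 4                      # assumed: up to 16 subspaces
COUNTER_BITS = SEQ_BITS - SUBSPACE_BITS
COUNTER_MASK = (1 << COUNTER_BITS) - 1


class ReplayWindow:
    """Sliding bitmap window in the style of RFC 4303 Appendix A.

    `top` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number top - i has already been seen.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.stats = {"accepted": 0, "replay": 0, "too_old": 0}

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:                            # 0 is never a valid ESP seq
            self.stats["replay"] += 1
            return False
        if seq > self.top:                      # advance the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            self.stats["accepted"] += 1
            return True
        diff = self.top - seq
        if diff >= self.size:                   # legitimate but late: dropped
            self.stats["too_old"] += 1
            return False
        if self.bitmap & (1 << diff):           # genuine replay
            self.stats["replay"] += 1
            return False
        self.bitmap |= 1 << diff
        self.stats["accepted"] += 1
        return True


class SubspaceReceiver:
    """One independent ReplayWindow per sequencing subspace."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.windows = {}

    def check_and_update(self, seq):
        sub = seq >> COUNTER_BITS               # assumed: subspace in top bits
        win = self.windows.setdefault(sub, ReplayWindow(self.window_size))
        return win.check_and_update(seq & COUNTER_MASK)

    @property
    def stats(self):
        total = {"accepted": 0, "replay": 0, "too_old": 0}
        for win in self.windows.values():
            for key, val in win.stats.items():
                total[key] += val
        return total


def simulate(n_packets, path_delays, window_size=64, subspaces=False):
    """Constructed scenario: send n_packets round-robin over len(path_delays)
    paths, each path adding a constant delay, and deliver in arrival order.
    Returns (receiver stats, whether a replayed copy of the last packet was
    rejected)."""
    counters = [0] * len(path_delays)
    packets = []                                # (arrival_time, send_index, seq)
    for i in range(n_packets):
        path = i % len(path_delays)
        if subspaces:
            counters[path] += 1
            seq = (path << COUNTER_BITS) | counters[path]
        else:
            seq = i + 1                         # single global sequence space
        packets.append((i + path_delays[path], i, seq))
    packets.sort()
    rx = SubspaceReceiver(window_size) if subspaces else ReplayWindow(window_size)
    for _, _, seq in packets:
        rx.check_and_update(seq)
    stats = dict(rx.stats)
    replay_rejected = not rx.check_and_update(packets[-1][2])
    return stats, replay_rejected


if __name__ == "__main__":
    for mode in (False, True):
        stats, ok = simulate(400, (0, 200), 64, subspaces=mode)
        print("subspaces" if mode else "single space", stats, "replay rejected:", ok)
```

With the constructed parameters, the single window accepts all 200 fast-path packets but only the 33 slow-path packets that are still within 64 of the window top when they arrive; the other 167 are dropped as too old even though none of them is a replay. With one window per subspace, all 400 are accepted and the replayed copy is still rejected, which is the property the draft's subspace split is meant to preserve.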