[IPsec] I-D Action: draft-ietf-ipsecme-multi-sa-performance-08.txt
Internet-Draft draft-ietf-ipsecme-multi-sa-performance-08.txt is now available. It is a work item of the IP Security Maintenance and Extensions (IPSECME) WG of the IETF.

   Title:   IKEv2 support for per-resource Child SAs
   Authors: Antony Antony
            Tobias Brunner
            Steffen Klassert
            Paul Wouters
   Name:    draft-ietf-ipsecme-multi-sa-performance-08.txt
   Pages:   13
   Dates:   2024-04-29

Abstract:

   This document defines one Notify Message Status Types and one Notify Message Error Types payload for the Internet Key Exchange Protocol Version 2 (IKEv2) to support the negotiation of multiple Child SAs with the same Traffic Selectors used on different resources, such as CPUs, to increase bandwidth of IPsec traffic between peers. The SA_RESOURCE_INFO notification is used to convey information that the negotiated Child SA and subsequent new Child SAs with the same Traffic Selectors are a logical group of Child SAs where most or all of the Child SAs are bound to a specific resource, such as a specific CPU. The TS_MAX_QUEUE notify conveys that the peer is unwilling to create more additional Child SAs for this particular negotiated Traffic Selector combination. Using multiple Child SAs with the same Traffic Selectors has the benefit that each resource holding the Child SA has its own Sequence Number Counter, ensuring that CPUs don't have to synchronize their cryptographic state or disable their packet replay protection.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-multi-sa-performance/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-multi-sa-performance-08

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-ipsecme-multi-sa-performance-08

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
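The abstract above states that each per-resource Child SA carries its own Sequence Number Counter, so CPUs neither have to synchronize their cryptographic state nor disable replay protection. The Python simulation below is an added example written for this page; it is not code from the draft, its authors, or any implementation they describe. It assumes a 64-bit sliding anti-replay window in the style of ESP sequence-number verification (RFC 4303, Section 3.4.3), and the SA objects, SPI values, CPU count and round-robin packet interleaving are all constructed for illustration. It contrasts a single Child SA whose sequence counter each CPU advances privately (the receiver discards the duplicate sequence numbers as replays) with one Child SA per CPU (every packet is accepted, because each SA has its own counter and its own window on the receiver).

```python
# Added example, not from the draft or the mailing-list thread: a small
# simulation of why per-resource Child SAs avoid sequence-number
# synchronization. The receiver-side check follows the ESP sliding
# anti-replay window (RFC 4303, Section 3.4.3); the SA objects, SPI values,
# CPU count and packet interleaving are constructed for illustration.

from dataclasses import dataclass

WINDOW = 64  # assumed anti-replay window size in bits


@dataclass
class OutboundSA:
    """Sender side: an SPI plus the sequence-number counter for that SA."""
    spi: int
    seq: int = 0  # last sequence number sent on this SA

    def next_seq(self) -> int:
        self.seq += 1
        return self.seq


@dataclass
class InboundSA:
    """Receiver side: sliding window over the highest WINDOW sequence numbers."""
    spi: int
    right: int = 0   # highest sequence number accepted (right edge of window)
    bitmap: int = 0  # bit i set => sequence number (right - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is fresh (and record it); False if it is a replay
        or falls to the left of the window."""
        if seq == 0:
            return False  # sequence number 0 is never sent on an ESP SA
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= WINDOW:
            return False  # older than the window: discard
        if self.bitmap & (1 << offset):
            return False  # already seen: replay
        self.bitmap |= 1 << offset
        return True


def send_interleaved(senders, packets_per_cpu):
    """Emit packets from each CPU in round-robin order to mimic concurrent
    transmission. `senders` maps a CPU id to the OutboundSA that CPU uses."""
    wire = []
    for _ in range(packets_per_cpu):
        for sa in senders.values():
            wire.append((sa.spi, sa.next_seq()))
    return wire


def deliver(wire, inbound):
    """Run every (spi, seq) pair through the matching inbound SA's window."""
    accepted = rejected = 0
    for spi, seq in wire:
        if inbound[spi].check_and_update(seq):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


def shared_sa_unsynchronized(cpus=2, packets_per_cpu=4):
    """One Child SA (one SPI) whose counter each CPU advances privately, i.e.
    without synchronization. Duplicate sequence numbers reach the receiver."""
    spi = 0x1000  # constructed SPI
    senders = {cpu: OutboundSA(spi) for cpu in range(cpus)}
    inbound = {spi: InboundSA(spi)}
    return deliver(send_interleaved(senders, packets_per_cpu), inbound)


def per_cpu_child_sas(cpus=2, packets_per_cpu=4):
    """One Child SA per CPU, each with its own SPI, counter and replay window,
    i.e. a per-resource SA group as described in the draft's abstract."""
    senders = {cpu: OutboundSA(0x2000 + cpu) for cpu in range(cpus)}  # constructed SPIs
    inbound = {sa.spi: InboundSA(sa.spi) for sa in senders.values()}
    return deliver(send_interleaved(senders, packets_per_cpu), inbound)


def window_behaviour():
    """Within one SA: reordering inside the window is tolerated, a repeated
    sequence number is rejected."""
    sa = InboundSA(0x3000)
    return [sa.check_and_update(s) for s in (1, 2, 4, 3, 2)]


if __name__ == "__main__":
    print("shared SA, unsynchronized counters (accepted, rejected):",
          shared_sa_unsynchronized())
    print("per-CPU Child SAs (accepted, rejected):", per_cpu_child_sas())
    print("reorder then replay on one SA:", window_behaviour())
```

Running the script prints `(4, 4)` for the shared SA, `(8, 0)` for the per-CPU SAs, and `[True, True, True, True, False]` for the single-SA reorder-then-replay sequence. The simulation only shows the data-plane consequence; the draft's contribution is the IKEv2 negotiation (SA_RESOURCE_INFO and TS_MAX_QUEUE) that lets peers set up such a group of SAs with identical Traffic Selectors. A real ESP receiver also verifies the integrity check value before it updates the window; that step is omitted here.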
[IPsec] Mahesh Jethanandani's No Objection on draft-ietf-ipsecme-multi-sa-performance-08: (with COMMENT)
Mahesh Jethanandani has entered the following ballot position for
draft-ietf-ipsecme-multi-sa-performance-08: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-multi-sa-performance/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

My comments are split between COMMENTs and NITs.

--- COMMENT ---

From an operational perspective, the shepherd write-up brought up the question of how this draft would be operationalized. In other words, is there an augment of the existing YANG model planned that would update the model to add the ability to configure multiple SAs? If not, how does a user specify their interest in enabling this feature?

No reference entries found for these items, which were mentioned in the text: [TBD2] and [TBD1].

--- NIT ---

All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions.

Reference [RFC6982] to RFC6982, which was obsoleted by RFC7942 (this may be on purpose).

Section 1.2, paragraph 1
> n initial IKEv2 exchange is used to setup an IKE SA and the initial Child SA.
>                                     ^
The verb "set up" is spelled as two words. The noun "setup" is spelled as one.

Section 2, paragraph 1
> he Exchange negotiating the Child SA (eg IKE_AUTH or CREATE_CHILD_SA). If thi
>                                       ^^
The abbreviation "e.g." (= for example) requires two periods.

Section 4, paragraph 2
> hild SAs. If per-CPU packet trigger (eg SADB_ACQUIRE) messages are implemente
>                                      ^^
The abbreviation "e.g." (= for example) requires two periods.

Section 4, paragraph 3
> ed on the trigger TSi entry, an implementations can select the most optimal t
>                              ^^
The plural noun "implementations" cannot be used with the article "an". Did you mean "an implementation" or "implementations"?

Section 5.1, paragraph 5
> identifier in their packet trigger (eg SADB_ACQUIRE) message from the SPD t
>                                     ^^
The abbreviation "e.g." (= for example) requires two periods.

Section 6, paragraph 1
> lthough having a very large number (eg hundreds or thousands) of SAs may slo
>                                     ^^
The abbreviation "e.g." (= for example) requires two periods.

Section 6, paragraph 2
> he inbound SA and outbound SA independently from each other. It is likely tha
>                                             ^^
The usual collocation for "independently" is "of", not "from". Did you mean "independently of"?

Section 6, paragraph 4
> elonging to a specific resource. The notify data SHOULD NOT be an identifier
>                                      ^^
The verb "notify" does not usually follow articles like "The". Check that "notify" is spelled correctly; using "notify" as a noun may be non-standard.

Section 8, paragraph 4
> the ESP flow, to a specific Q or CPU e.g ethtool ntuple configuration. The SP
>                                      ^^^
The abbreviation "e.g." (= for example) requires two periods.
Re: [IPsec] Mahesh Jethanandani's No Objection on draft-ietf-ipsecme-multi-sa-performance-08: (with COMMENT)
On Mon, 29 Apr 2024, Mahesh Jethanandani via Datatracker wrote:

> From an operational perspective, the shepherd write-up brought up the question of how this draft would be operationalized. In other words, is there an augment of the existing YANG model planned that would update the model to add the ability to configure multiple SAs? If not, how does a user specify their interest in enabling this feature?

For those without yang it is obviously operationalizable. But yes, perhaps it could be added to the IPsec/IKEv2 yang module. That module currently has errors and is also missing PQ related items (intermediate exchange, hybrid exchange, etc etc). I think this item here is minor compared to the other items, so perhaps a bis document for RFC9061 would be the right place to add this. I know some people were discussing doing a bis for this because there are also some errors in the current yang module.

> No reference entries found for these items, which were mentioned in the text: [TBD2] and [TBD1].

These are for the new IANA entries this document is requesting.

> Reference [RFC6982] to RFC6982, which was obsoleted by RFC7942 (this may be on purpose).

This is fair, and we could update it to RFC7942, but of course the entire section including the number will be removed as part of the RFC Editing :) Anyway, staged for the next version.

> Section 1.2, paragraph 1
>> n initial IKEv2 exchange is used to setup an IKE SA and the initial Child SA.
>>                                     ^
> The verb "set up" is spelled as two words. The noun "setup" is spelled as one.

Staged.

> Section 2, paragraph 1
>> he Exchange negotiating the Child SA (eg IKE_AUTH or CREATE_CHILD_SA). If thi
>>                                       ^^
> The abbreviation "e.g." (= for example) requires two periods.

Staged all occurrences.

> Section 4, paragraph 3
>> ed on the trigger TSi entry, an implementations can select the most optimal t
>>                              ^^
> The plural noun "implementations" cannot be used with the article "an". Did you mean "an implementation" or "implementations"?

Staged.

> Section 6, paragraph 2
>> he inbound SA and outbound SA independently from each other. It is likely tha
>>                                             ^^
> The usual collocation for "independently" is "of", not "from". Did you mean "independently of"?

Staged.

> Section 6, paragraph 4
>> elonging to a specific resource. The notify data SHOULD NOT be an identifier
>>                                      ^^
> The verb "notify" does not usually follow articles like "The". Check that "notify" is spelled correctly; using "notify" as a noun may be non-standard.

It is "the (notify) data", so that is a false positive.

> Section 8, paragraph 4
>> the ESP flow, to a specific Q or CPU e.g ethtool ntuple configuration. The SP
>>                                      ^^^
> The abbreviation "e.g." (= for example) requires two periods.

Staged.

Paul