Re: [IPsec] Teaser for pitch talk at IETF 108

2020-07-28 Thread Valery Smyslov
Hi, a few thoughts about this proposal. > We have been analyzing issues ESP has in current data-center networks and > came to > the conclusion that changes in the protocol could significantly improve its > behavior. Some > of the results will be presented next Tuesday in a pitch talk at IETF 108. T

Re: [IPsec] Teaser for pitch talk at IETF 108

2020-07-28 Thread Valery Smyslov
Hi, > @William: The 16-bit sender ID is something we already get from protocols > like GDOI to do IV space > partitioning (details in https://tools.ietf.org/html/rfc6054). So the mistake > is already there. RFC 6054 doesn't limit the number of SID bits to 16, it only says that 8, 12 and 16 bit

Re: [IPsec] Teaser for pitch talk at IETF 108

2020-07-28 Thread Michael Rossberg
>>> RFC 6311 allows multiple members in a cluster of IPsec gateways to have >>> independent parallel SAs so as to solve the problem of synchronization and >>> counter re-use among nodes. >>> >>> While the focus there is on different nodes, the synchronization problem >>> also exists between co

Re: [IPsec] Teaser for pitch talk at IETF 108

2020-07-28 Thread Michael Rossberg
>> @William: The 16-bit sender ID is something we already get from protocols >> like GDOI to do IV space >> partitioning (details in https://tools.ietf.org/html/rfc6054). So the >> mistake is already there. > My memory was 8 bits, ludicrously small. Reading more carefully, they > illustrated 8 b

[IPsec] Preliminary minutes from the IETF 108 IPsecME WG Meeting

2020-07-28 Thread Tero Kivinen
Here are the preliminary minutes from the IETF 108 IPsecME WG meeting. I copied some discussion about the proposed changes to ESP from Jabber to here, as I think it was important to record those even when we did not have time to have comments during the meeting. If you have any comments, please send th

[IPsec] IPsec WG Report for SAAG

2020-07-28 Thread Tero Kivinen
This has also been stored in the datatracker as status update for the IPsecME WG (https://datatracker.ietf.org/group/ipsecme/about/status/). -- Implicit IV was published as RFC8750, and Mixing Preshared Keys in the IKEv2 for Post

Re: [IPsec] Preliminary minutes from the IETF 108 IPsecME WG Meeting

2020-07-28 Thread Yoav Nir
Hi. I uploaded a PDF version to the meeting materials. Also added a list of action items for the chairs. Comments are welcome on that part as well. https://www.ietf.org/proceedings/108/minutes/minutes-108-ipsecme-00 Yoav >

[IPsec] My comments on "Proposed improvements to ESP"

2020-07-28 Thread Scott Fluhrer (sfluhrer)
I glanced the proposal, and I have doubts as to how well it works, and in particular, how well it would work in parallelized decryption. As I understand it, the antireplay window the decryptor checks against is specified in the 'Sender ID/Window ID' field. If the decryptor can handle only one

Re: [IPsec] Preliminary minutes from the IETF 108 IPsecME WG Meeting

2020-07-28 Thread mohamed.boucadair
Hi Yoav, Ben, all, == Ben (AD): (missed first point Belongs in ADD?) Slide with attribute format, for DoH, need to provide URI template Valery: Presentation also requested in ADD, but didn't have room in agenda. Re: URI, will be covered in DoH clarifications (?) == Valery was referring to http

Re: [IPsec] Teaser for pitch talk at IETF 108

2020-07-28 Thread Valery Smyslov
Hi Michael, > > The advantage of multiple SAs is that you don’t really need to change the > > other side of the IPsec connection > (especially if the peer already supports 6311). So if you have 30 cluster > members, or 30 CPUs, or 30 virtual > LANs, or 30 QoS classes, you can generate 30 SAs ra

Re: [IPsec] Preliminary minutes from the IETF 108 IPsecME WG Meeting

2020-07-28 Thread Valery Smyslov
Hi Tero, > Paul: What Interop testing has been done? > Valery: Tested with Apple, Cisco, libreswan Just for clarification (sorry it wasn't spelled out well at the session) - by "tested" here I meant that these interop tests were performed with us (ELVIS-PLUS), probably more vendors tested betwe