Hi Neale,

Please find my comments inline.

On Mon, Feb 22, 2021 at 8:41 PM Neale Ranns <ne...@graphiant.com> wrote:
>
> Hi Vijay,
>
> *From: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Vijay Kumar via lists.fd.io <vjkumar2003=gmail....@lists.fd.io>
> *Date: *Monday, 22 February 2021 at 12:59
> *To: *vpp-dev <vpp-dev@lists.fd.io>
> *Subject: *[vpp-dev] Why does ipsec plugin create ipip interface for each IPSec SA installed by ikev2 plugin
>
> Hi,
>
> I configured VPP as a responder while Strongswan was the initiator. I configured an ikev2 profile and tested IPSec. While testing with VPP as responder, I found that for every IPSec SA created, a logical interface "ipipx" is created in VPP.
>
> As the peer network route is added via the ipip0 interface, this creates an extra routing hop for every packet that goes out of VPP, in the sense that for all IPSec packets the first route entry would have ipipx as the outgoing interface, while the second lookup for ipipx would have another route entry with the physical interface as the outgoing interface.
>
> When there are thousands of tunnels, say 100K or more IPSec SAs, I think this would cause performance issues due to the extra route lookup for each packet?
>
> There is no second lookup; the forwarding to the tunnel's destination is 'cached' when it is created and used in the data-plane.

Ok, clear. But where is the route lookup result cached? Is this cache in the SPD entry or the SAD entry? If there are 1K IPSEC SAs with 1K different peers, does it mean that there are 1K ipipx interfaces created in VPP?

> Please clarify why the "ipip" tunnel interface creation is required?
> How can this be avoided for the case where there are many SAs?
>
> I think it is better to alter the code to prevent creation of this logical interface and allow the IPSec plugin to just do encryption and allow the next node "ip4-lookup" to do the routing (via the phy interface).
>
> How would you choose which SA to use? Are you referring to route v. policy based VPNs? https://wiki.fd.io/view/VPP/IPSec

I am referring to policy based VPNs (where one configures ACL/pkt filters and action).

> /neale
>
> Regards,
> Vijay Kumar N
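As an added illustration of the two forwarding designs discussed above (route-based, where each SA gets its own ipipX interface whose path to the peer is resolved once at creation, versus policy-based, where an SPD match selects the SA and the encrypted packet is routed again), here is a small constructed model. It is not code from this thread or from VPP; the interface names, prefixes, peer addresses, and the `Fib`, `Adjacency`, `create_tunnel` and `forward_*` names are all assumptions made for the example, and the lookup counts are those of the simplified model, not measurements of VPP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed teaching model of the two forwarding designs discussed in the
# thread; it is not VPP's FIB, adjacency or ipsec code. Interface names,
# prefixes and addresses below are made up (TEST-NET ranges).


@dataclass
class Adjacency:
    kind: str                               # "phy" (physical) or "tunnel"
    interface: str
    next_hop: str = ""
    stacked: Optional["Adjacency"] = None   # tunnel only: pre-resolved path to the tunnel endpoint
    sa_id: Optional[int] = None             # tunnel only: SA bound to this ipipX interface


class Fib:
    """Longest-prefix-match table; every lookup() call counts as one data-plane lookup."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, adj):
        self.routes.append((ipaddress.ip_network(prefix), adj))

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        best = None
        for net, adj in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, adj)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best[1]


def create_tunnel(fib, name, sa_id, tunnel_dst):
    """Route-based design: resolve the tunnel endpoint once, at creation time,
    and keep the resulting adjacency (the 'cached' forwarding from the thread)."""
    return Adjacency("tunnel", name, tunnel_dst, stacked=fib.lookup(tunnel_dst), sa_id=sa_id)


def forward_route_based(fib, dst):
    adj = fib.lookup(dst)                   # one lookup on the inner destination
    if adj.kind == "tunnel":                # tunnel adjacency already carries the outer path
        return {"sa": adj.sa_id, "out_if": adj.stacked.interface, "lookups": 1}
    return {"sa": None, "out_if": adj.interface, "lookups": 1}


@dataclass
class SpdEntry:
    src: str
    dst: str
    action: str                             # "protect" or "bypass"
    sa_id: Optional[int] = None


def spd_match(spd, src, dst):
    """Policy-based design: the first matching ACL-style entry selects the SA."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in spd:
        if s in ipaddress.ip_network(entry.src) and d in ipaddress.ip_network(entry.dst):
            return entry
    return None


def forward_policy_based(fib, spd, sa_peer, src, dst):
    adj = fib.lookup(dst)                   # lookup 1: reach the interface carrying the SPD
    entry = spd_match(spd, src, dst)
    if entry is None or entry.action != "protect":
        return {"sa": None, "out_if": adj.interface, "lookups": 1}
    outer = fib.lookup(sa_peer[entry.sa_id])  # lookup 2: route the encrypted packet to the peer
    return {"sa": entry.sa_id, "out_if": outer.interface, "lookups": 2}


def demo():
    phy = Adjacency("phy", "GigabitEthernet0/8/0", "203.0.113.1")  # constructed uplink
    sa_peer = {1: "198.51.100.10", 2: "198.51.100.11"}               # constructed SA -> peer address

    # Route-based: one ipipX interface per SA; peer networks are routed via the tunnel.
    rb = Fib()
    rb.add("0.0.0.0/0", phy)
    rb.add("10.1.0.0/16", create_tunnel(rb, "ipip0", 1, sa_peer[1]))
    rb.add("10.2.0.0/16", create_tunnel(rb, "ipip1", 2, sa_peer[2]))

    # Policy-based: plain routing plus an SPD that picks the SA by src/dst.
    pb = Fib()
    pb.add("0.0.0.0/0", phy)
    spd = [SpdEntry("192.168.0.0/16", "10.1.0.0/16", "protect", 1),
           SpdEntry("192.168.0.0/16", "10.2.0.0/16", "protect", 2)]

    return {
        "route_based": forward_route_based(rb, "10.2.7.7"),
        "policy_based": forward_policy_based(pb, spd, sa_peer, "192.168.1.1", "10.2.7.7"),
    }


if __name__ == "__main__":
    for design, result in demo().items():
        print(design, result)
```

In the route-based half the tunnel adjacency created by `create_tunnel` is what stands in for the cached forwarding: the data plane resolves the inner destination once and reuses the endpoint path stored with the tunnel. In the policy-based half the SA is chosen by the SPD match rather than by the route, which is why a second lookup on the outer destination is needed after encryption in this model.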