From: Vijay Kumar <vjkumar2...@gmail.com>
Date: Monday, 22 February 2021 at 16:50
To: Neale Ranns <ne...@graphiant.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] Why does ipsec plugin create ipip interface for each IPSec SA installed by ikev2 plugin

Hi Neale,

Please find my comments inline.

On Mon, Feb 22, 2021 at 8:41 PM Neale Ranns <ne...@graphiant.com> wrote:

> Hi Vijay,
>
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Vijay Kumar via lists.fd.io <vjkumar2003=gmail....@lists.fd.io>
> Date: Monday, 22 February 2021 at 12:59
> To: vpp-dev <vpp-dev@lists.fd.io>
> Subject: [vpp-dev] Why does ipsec plugin create ipip interface for each IPSec SA installed by ikev2 plugin
>
> > Hi,
> >
> > I configured VPP as a responder while Strongswan was the initiator. I configured an ikev2 profile and tested IPSec.
> >
> > While testing with VPP as responder, I found that for every IPSec created, a logical interface "ipipx" is created in VPP. As the peer network route is added via the ipip0 interface, this creates an extra routing hop for every pkt that goes out of VPP, in the sense that for all IPSec packets the first route entry would have ipipx as the outgoing interface while the 2nd lookup for the ipipx would have another route entry with the physical interface as the outgoing interface.
> >
> > When there are thousands of tunnels, say 100K or more IPSec SAs, I think this would cause performance issues due to the extra route lookup for each packet?
>
> There is no second lookup; the forwarding to the tunnel's destination is 'cached' when it is created and used in the data-plane.

>>>> Ok clear. But where is the route lookup result cached? Is this cache in the SPD entry or SAD entry?

It's in the tunnel's midchain adjacency.

> > If there are 1K IPSEC SAs with 1K different peers, does it mean that there are 1K ipipx interfaces created in VPP?
>
> Yes.
>
> > Please clarify why the "ipip" tunnel interface creation is required? How can this be avoided for the case where there are many SAs?
> >
> > I think it is better to alter the code to prevent creation of this logical interface and allow the IPSec plugin to just do encryption and allow the next node "IP4-lookup" to do the routing (via the phy interface).
>
> How would you choose which SA to use? Are you referring to route v. policy based VPNs?
> https://wiki.fd.io/view/VPP/IPSec

>>>>> I am referring to policy based VPNs (where one configures ACL/pkt filters and action).

Finding an SA based on an ACL/policy is not as efficient as routing and tunneling, since it requires a tuple-based lookup. VPP's implementation of this search, in the SPD, is linear, so scales very poorly. If you want to address interface scale, then maybe you could look at how the IKE plugin could use multipoint tunnels instead.

> /neale

/neale

Regards,
Vijay Kumar N
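The two points Neale makes above (the ipip tunnel's midchain adjacency caches the egress resolved at creation, so the data-plane does a single lookup; and the SPD search for a policy-based SA is a linear scan whose cost grows with the number of policies) can be made concrete with a small model. The Python below is an added illustration, not VPP code or anything from the thread: the classes Packet, Policy, SPD, IpipTunnel and FIB, the helpers build_peers and compare, the interface name, peer prefixes and SA ids are all the example's own constructed values. It counts how much work each selection model does for one packet as the number of peers grows.

```python
"""
Toy model contrasting the two SA-selection paths discussed in the thread
(added example, not VPP's implementation):

  * policy-based: the SPD is an ordered list of tuple-matching policies that
    is walked linearly until one matches, so cost grows with the policy count;
  * route-based: a longest-prefix-match route points at an ipip tunnel whose
    adjacency was resolved once at creation (the "midchain adjacency"), so the
    SA and the physical egress both come out of one FIB lookup.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Policy:
    priority: int                      # higher wins, as in an SPD
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network
    sa_id: int

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.local_net
                and ipaddress.ip_address(pkt.dst) in self.remote_net)


class SPD:
    """Policy-based selection: linear scan, highest priority first."""

    def __init__(self, policies):
        self.policies = sorted(policies, key=lambda p: -p.priority)

    def lookup(self, pkt: Packet):
        """Return (sa_id or None, number of policies examined)."""
        for n, pol in enumerate(self.policies, start=1):
            if pol.matches(pkt):
                return pol.sa_id, n
        return None, len(self.policies)


@dataclass(frozen=True)
class IpipTunnel:
    """One ipipN interface; its adjacency was resolved when it was created."""
    name: str
    sa_id: int
    adj_egress: str      # physical interface cached in the midchain adjacency


class FIB:
    """Route-based selection: longest-prefix match to a tunnel interface."""

    def __init__(self):
        self.routes = {}   # IPv4Network -> IpipTunnel

    def add_route(self, net: ipaddress.IPv4Network, tun: IpipTunnel):
        self.routes[net] = tun

    def lookup(self, pkt: Packet):
        """Return (tunnel or None, number of prefix lengths probed)."""
        addr = ipaddress.ip_address(pkt.dst)
        for n, plen in enumerate(range(32, -1, -1), start=1):
            tun = self.routes.get(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
            if tun is not None:
                return tun, n
        return None, 33


def build_peers(n_peers: int):
    """Constructed sample: n peers, each with one /24 behind it and one SA."""
    local = ipaddress.ip_network("192.168.1.0/24")
    policies, fib = [], FIB()
    for i in range(n_peers):
        remote = ipaddress.ip_network(f"10.{i >> 8}.{i & 255}.0/24")
        sa_id = 1000 + i                                  # constructed SA id
        # Policy-based: one SPD entry per peer; later peers get lower priority.
        policies.append(Policy(n_peers - i, local, remote, sa_id))
        # Route-based: one ipip interface per peer (as the ikev2 plugin does)
        # and a route to the peer's network via that interface.
        fib.add_route(remote, IpipTunnel(f"ipip{i}", sa_id, "GigabitEthernet0/8/0"))
    return SPD(policies), fib


def compare(n_peers: int, pkt: Packet) -> dict:
    """Cost of selecting the SA for pkt under both models."""
    spd, fib = build_peers(n_peers)
    spd_sa, spd_checked = spd.lookup(pkt)
    tun, fib_probes = fib.lookup(pkt)
    return {
        "spd_sa": spd_sa, "spd_checked": spd_checked,
        "fib_sa": tun.sa_id if tun else None,
        "fib_probes": fib_probes,
        "egress": tun.adj_egress if tun else None,   # no second lookup needed
    }


if __name__ == "__main__":
    for n in (10, 1000):
        last = n - 1
        pkt = Packet("192.168.1.10", f"10.{last >> 8}.{last & 255}.5")
        print(n, compare(n, pkt))
```

For the last-configured peer the SPD examines every policy (10, then 1000 comparisons), while the FIB probes at most 33 prefix lengths regardless of peer count and hands back both the SA and the physical egress from the tunnel object. The model is deliberately crude (real FIBs use a trie, and a real SPD matches ports and protocol too), but the scaling shape is the point of the thread.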