Hi Neale,

Thanks for the quick answers.

On Mon, Feb 22, 2021 at 9:50 PM Neale Ranns <ne...@graphiant.com> wrote:
>
> From: Vijay Kumar <vjkumar2...@gmail.com>
> Date: Monday, 22 February 2021 at 16:50
> To: Neale Ranns <ne...@graphiant.com>
> Cc: vpp-dev <vpp-dev@lists.fd.io>
> Subject: Re: [vpp-dev] Why does ipsec plugin create ipip interface for each IPSec SA installed by ikev2 plugin
>
> Hi Neale,
>
> Please find my comments inline.
>
> On Mon, Feb 22, 2021 at 8:41 PM Neale Ranns <ne...@graphiant.com> wrote:
>
> Hi Vijay,
>
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Vijay Kumar via lists.fd.io <vjkumar2003=gmail....@lists.fd.io>
> Date: Monday, 22 February 2021 at 12:59
> To: vpp-dev <vpp-dev@lists.fd.io>
> Subject: [vpp-dev] Why does ipsec plugin create ipip interface for each IPSec SA installed by ikev2 plugin
>
> Hi,
>
> I configured VPP as a responder while Strongswan was the initiator. I configured an ikev2 profile and tested IPSec. While testing with VPP as responder, I found that for every IPSec SA created, a logical interface "ipipx" is created in VPP.
>
> As the peer network route is added via the ipip0 interface, this creates an extra routing hop for every packet that goes out of VPP, in the sense that for all IPSec packets the first route entry would have ipipx as the outgoing interface, while the second lookup for the ipipx would have another route entry with the physical interface as the outgoing interface.
>
> When there are thousands of tunnels, say 100K or more IPSec SAs, I think this would cause performance issues due to the extra route lookup for each packet?
>
> There is no second lookup; the forwarding to the tunnel's destination is 'cached' when it is created and used in the data-plane.
>
> >>>> Ok, clear. But where is the route lookup result cached? Is this cache in the SPD entry or the SAD entry?
>
> It's in the tunnel's midchain adjacency.
>
> If there are 1K IPSEC SAs with 1K different peers, does it mean that there are 1K ipipx interfaces created in VPP?
>
> Yes.
>
> Please clarify why the "ipip" tunnel interface creation is required? How can this be avoided for the case where there are many SAs?
>
> I think it is better to alter the code to prevent creation of this logical interface and allow the IPSec plugin to just do encryption and allow the next node "IP4-lookup" to do the routing (via the phy interface).
>
> How would you choose which SA to use? Are you referring to route v. policy based VPNs? https://wiki.fd.io/view/VPP/IPSec
>
> >>>>> I am referring to policy based VPNs (where one configures ACL/pkt filters and action).
>
> Finding an SA based on an ACL/policy is not as efficient as routing and tunneling, since it requires a tuple based lookup. VPP's implementation of this search, in the SPD, is linear, so scales very poorly.
>
> If you want to address interface scale, then maybe you could look at how the IKE plugin could use multipoint tunnels instead.
>
> /neale
>
> /neale
>
> Regards,
> Vijay Kumar N
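An added illustration (not code from this thread or from VPP) of the scale point Neale makes: a policy-based SPD match walks the policies in order, so its cost grows with the number of SAs, while a route-based tunnel is selected by one longest-prefix match whose result already carries the SA and the cached underlay next hop (the midchain adjacency). The topology, addresses and the simplified selector (source/destination prefixes only) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    """One SPD entry (constructed): traffic selector plus the SA to apply."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sa_id: int

def spd_lookup(spd, src, dst):
    """Policy-based: scan the SPD in priority order; first match wins, so the
    cost grows with the number of policies/SAs."""
    checks = 0
    for pol in spd:
        checks += 1
        if src in pol.src and dst in pol.dst:
            return pol.sa_id, checks
    return None, checks

def fib_lookup(fib, dst):
    """Route-based: longest-prefix match whose result is the tunnel's midchain
    adjacency (SA id, cached underlay next hop); cost is bounded by the
    number of prefix lengths, not by the number of tunnels."""
    checks = 0
    for plen in range(32, -1, -1):
        checks += 1
        net = ipaddress.ip_network(f"{dst}/{plen}", strict=False)
        if net in fib:
            return fib[net], checks
    return None, checks

def build_tables(n_peers):
    """Constructed topology: peer i protects 10.(i>>8).(i&255).0/24 via SA i."""
    spd, fib = [], {}
    for i in range(n_peers):
        peer_net = ipaddress.ip_network(f"10.{i >> 8}.{i & 255}.0/24")
        spd.append(Policy(ipaddress.ip_network("192.168.0.0/16"), peer_net, i))
        fib[peer_net] = (i, f"203.0.113.{i % 250 + 1}")  # midchain adjacency
    return spd, fib

def compare(n_peers):
    """One packet to the last peer under both models:
    returns (SA via SPD, SPD checks, SA via FIB, FIB checks)."""
    spd, fib = build_tables(n_peers)
    last = n_peers - 1
    dst = ipaddress.ip_address(f"10.{last >> 8}.{last & 255}.7")
    sa_spd, c_spd = spd_lookup(spd, ipaddress.ip_address("192.168.1.1"), dst)
    (sa_fib, _nh), c_fib = fib_lookup(fib, dst)
    return sa_spd, c_spd, sa_fib, c_fib
```

With 1000 peers the SPD walk costs 1000 selector checks for the last peer, while the FIB lookup resolves the same SA in 9 prefix-length probes and already knows the underlay next hop.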