Hi Tero,

Yes, you are right about the Child SA and its definition. I think what Mike had in 
mind is that in some platform architectures the selectors have to be expanded 
into TSi x TSr entries, which is not very friendly.

When we developed the protocol with IKEv1, multiple SAs were simply a no-no.

When we evaluated IKEv2, the 255 limit was still a problem anyway, and we kept the 
tunneling method unchanged. The 255 limit is definitely too small for practical 
designs.

Thanks!

        fred

On 07 Nov 2013, at 03:30, Tero Kivinen <[email protected]> wrote:

> Mike Sullenberger (mls) writes:
>> As for scaling, we already have DMVPN networks of 10000+ nodes and
>> looking at building networks of 40000+ nodes. In many cases
>> customers have multiple subnets behind each node, therefore with
>> just IPsec I would need to have multiple SAs/encryption between the
>> same two nodes, even if you are only doing subnet to subnet SPDs.
> 
> Why do you need multiple SAs even if there are multiple subnets? IKEv2
> allows you to create Child SAs covering multiple subnets on both ends,
> so you should be able to use just one Child SA as long as the number
> of subnets is less than a few hundred... There is a limit of 255 traffic
> selectors per Child SA, but I would expect that implementations might
> not support that high a number; tens of selectors should be OK.
> 
>> Take the case of two nodes that each have 4 subnets. I could need as
>> many as 16 SAs to cover all cases. Or even a simpler case between a
>> host (1 local address) and a node at a data center (say 20 subnets),
>> I would need up to 20 SAs to cover this. In many of our networks we
>> are asked to support at least 5 (sometimes 10) subnets per spoke
>> location.
> 
> All of those would require one Child SA in IKEv2. If talking about
> obsolete protocols from the historic times, then you might have needed
> multiple SAs....
> 
>> As far as IPv4 and IPv6 support, you are correct it would only double the
>> number of SAs needed, assuming that there are the same number of subnets for
>> IPv4 and IPv6.  From what I have seen IPv6 tends to increase the number of
>> subnets.
> 
> IPv4 and IPv6 traffic most likely do need separate SAs, as some
> implementations do things that way, i.e. if you offer both IPv4 and
> IPv6 addresses in the proposal the other end will narrow it down to
> include only IPv4 or IPv6 addresses (or it can accept the SA if it
> understands internally that even if there are both IPv4 and IPv6 addresses
> in the traffic selector list, that does not mean you can have packets
> where the source address is IPv4 and the destination IPv6 :-)
> -- 
> [email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
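As an added worked example (not part of the thread, and not code from any DMVPN or IKE implementation): a small Python planner that counts the Child SAs needed between two peers under the two models contrasted above, a per-pair expansion into TSi x TSr entries versus one IKEv2 Child SA whose TSi and TSr each carry a list of selectors. It keeps IPv4 and IPv6 in separate Child SAs, as Tero describes, and caps each selector list at 255, the size of the one-octet "Number of TSs" field in the Traffic Selector payload (RFC 7296, section 3.13); the TS type numbers are from section 3.13.1 of the same RFC. The subnet lists are constructed for illustration and the function names are my own.

```python
import ipaddress
from typing import Dict, List, Tuple

# The "Number of TSs" field of an IKEv2 Traffic Selector payload is one octet
# (RFC 7296, section 3.13), so a single TSi or TSr list holds at most 255 selectors.
MAX_TS_PER_PAYLOAD = 255

# TS Type values from RFC 7296, section 3.13.1.
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8


def _by_family(subnets: List[str]) -> Dict[int, list]:
    """Parse CIDR strings and group the networks by IP version."""
    out: Dict[int, list] = {4: [], 6: []}
    for s in subnets:
        net = ipaddress.ip_network(s, strict=False)
        out[net.version].append(net)
    return out


def _chunks(items: list, size: int) -> List[list]:
    """Split a list into consecutive pieces of at most `size` entries."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def to_ts(net) -> Tuple[int, str, str]:
    """Encode one subnet as an address-range selector: (TS type, start, end)."""
    if isinstance(net, str):
        net = ipaddress.ip_network(net, strict=False)
    ts_type = TS_IPV4_ADDR_RANGE if net.version == 4 else TS_IPV6_ADDR_RANGE
    return (ts_type, str(net.network_address), str(net.broadcast_address))


def pairwise_child_sas(local: List[str], remote: List[str]) -> int:
    """Model A: one Child SA per (local subnet, remote subnet) pair, i.e. the
    selectors expanded into TSi x TSr entries. A packet cannot have an IPv4
    source and an IPv6 destination, so cross-family pairs are not counted."""
    l, r = _by_family(local), _by_family(remote)
    return sum(len(l[f]) * len(r[f]) for f in (4, 6))


def plan_child_sas(local: List[str], remote: List[str],
                   max_ts: int = MAX_TS_PER_PAYLOAD) -> List[Tuple[list, list]]:
    """Model B: Child SAs whose TSi and TSr each carry a list of selectors.
    IPv4 and IPv6 go into separate Child SAs (a mixed list would be narrowed
    to one family by many responders), and each list is capped at max_ts
    entries, so a side with more subnets than that is split across several
    Child SAs. Returns one (TSi list, TSr list) pair per Child SA."""
    l, r = _by_family(local), _by_family(remote)
    plan = []
    for f in (4, 6):
        if not l[f] or not r[f]:
            continue            # nothing to protect in this family
        for lc in _chunks(l[f], max_ts):
            for rc in _chunks(r[f], max_ts):
                plan.append(([to_ts(n) for n in lc], [to_ts(n) for n in rc]))
    return plan


def ikev2_child_sas(local: List[str], remote: List[str],
                    max_ts: int = MAX_TS_PER_PAYLOAD) -> int:
    """Number of Child SAs under model B."""
    return len(plan_child_sas(local, remote, max_ts))


if __name__ == "__main__":
    # Constructed sample subnets (not from the thread); they reproduce the
    # 4 x 4 and 1 x 20 cases discussed above.
    spoke = [f"10.1.{i}.0/24" for i in range(4)]
    hub = [f"10.2.{i}.0/24" for i in range(4)]
    print("4 x 4 subnets:", pairwise_child_sas(spoke, hub), "pairwise SAs vs",
          ikev2_child_sas(spoke, hub), "IKEv2 Child SA")
    host = ["192.0.2.10/32"]
    dc = [f"10.{i}.0.0/16" for i in range(20)]
    print("1 x 20 subnets:", pairwise_child_sas(host, dc), "vs", ikev2_child_sas(host, dc))
    # Dual stack doubles the count in both models (one extra Child SA for IPv6).
    spoke6 = spoke + [f"2001:db8:1:{i}::/64" for i in range(4)]
    hub6 = hub + [f"2001:db8:2:{i}::/64" for i in range(4)]
    print("dual stack:", pairwise_child_sas(spoke6, hub6), "vs", ikev2_child_sas(spoke6, hub6))
    # 300 local subnets exceed one TS payload, so even IKEv2 needs two Child SAs.
    big = [f"10.{i // 256}.{i % 256}.0/24" for i in range(300)]
    print("300 x 4 subnets:", pairwise_child_sas(big, hub), "vs", ikev2_child_sas(big, hub))
```

Run it as a script to see the thread's figures side by side (16 versus 1, 20 versus 1, 32 versus 2), and the case the 255 cap actually bites: 300 local subnets against 4 remote ones still needs only two Child SAs with selector lists, against 1200 under pairwise expansion. Whether a given responder accepts a 255-entry list is a separate question; the planner only enforces the protocol's field width, so lower `max_ts` to match what the peer implementation is known to handle.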