Re: [IPsec] I-D Action: draft-ietf-ipsecme-multi-sa-performance-04.txt

2024-03-18 Thread Paul Wouters

On Mon, 18 Mar 2024, Tero Kivinen wrote:

>> Internet-Draft draft-ietf-ipsecme-multi-sa-performance-04.txt is now
>
> This seems to cover my comments until section 5, but does not cover
> the changes for section 5.1, 6, and 9. Are there some issues with those
> comments?


That was an operator error on my side, -05 fixes the remaining issues.

Paul

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


[IPsec] I-D Action: draft-ietf-ipsecme-multi-sa-performance-04.txt

2024-03-18 Thread Tero Kivinen
internet-dra...@ietf.org writes:
> Internet-Draft draft-ietf-ipsecme-multi-sa-performance-04.txt is now
> available. It is a work item of the IP Security Maintenance and Extensions
> (IPSECME) WG of the IETF.
> 
>    Title:   IKEv2 support for per-resource Child SAs

This seems to cover my comments until section 5, but does not cover
the changes for section 5.1, 6, and 9. Are there some issues with those
comments?


--
In section 5.1 you say that Protocol ID MUST contain either 2 for AH
or 3 for ESP, but RFC7296 says that "If the SPI field is
empty, this field MUST be sent as zero and MUST be ignored on
receipt." and as this notify is sent with an empty SPI field, then the
Protocol ID field MUST be 0 also.

--

In section 5.1 add text saying that SPI Size MUST be zero.

--

In section 5.1 fix s/opague/opaque/ twice.

--

In section 6 there is text saying:

   If the IKEv2 extension defined in this document is negotiated with
   the peer, an implementation which does not support receiving
   per-CPU packet trigger messages MAY initiate all its Child SAs
   immediately upon receiving the (only) packet trigger message it
   will receive from the IPsec stack.

On the other hand there is no negotiation of this extension. What
is this text trying to say? Perhaps simply change it to say "If an
implementation does not support ... it MAY ..."

--

In section 9, the correct headings for the 2nd column of the IANA registries are

Notify Messages - Status Types

and

Notify Messages - Error Types

Currently figure 2 is using the status type header, and even that does
not match the IANA registry.


-- 
kivi...@iki.fi

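The Protocol ID / SPI Size rule from the section 5.1 comments above, shown as an encoder and decoder for the generic IKEv2 Notify payload of RFC 7296 section 3.10. This is an added example, not code from the draft, the thread, or any of the authors' implementations; it assumes a placeholder notify type in the RFC 7296 private-use status range, since the page does not give the IANA value assigned to SA_RESOURCE_INFO.

```python
"""Added example: IKEv2 Notify payload encoding/decoding (RFC 7296 section 3.10)
with the sender rule (empty SPI => Protocol ID sent as 0) and the receiver rule
(empty SPI => Protocol ID ignored) applied. Not part of the draft."""
import struct

# Next Payload, C|RESERVED, Payload Length, Protocol ID, SPI Size, Notify Message Type
NOTIFY_HDR = struct.Struct("!BBHBBH")
# Placeholder in the RFC 7296 private-use status range (40960-65535). The real
# SA_RESOURCE_INFO value is assigned by IANA and is not given on this page.
SA_RESOURCE_INFO_PLACEHOLDER = 40960


def build_notify(notify_type, data=b"", protocol_id=0, spi=b"", next_payload=0):
    """Encode a Notify payload, enforcing the sender-side RFC 7296 rules."""
    if not spi and protocol_id != 0:
        # This is exactly the -04 text's mistake: Protocol ID 2/3 with an empty SPI.
        raise ValueError("Protocol ID MUST be 0 when the SPI field is empty")
    if spi and protocol_id not in (2, 3):
        raise ValueError("a Child SA SPI requires Protocol ID 2 (AH) or 3 (ESP)")
    length = NOTIFY_HDR.size + len(spi) + len(data)
    header = NOTIFY_HDR.pack(next_payload, 0, length, protocol_id, len(spi), notify_type)
    return header + spi + data


def parse_notify(buf):
    """Decode a Notify payload. With SPI Size 0 the Protocol ID is ignored and
    reported as 0; 'ignored_protocol_id' records that the peer sent a non-zero
    value anyway (harmless per RFC 7296, but useful to log for interop debugging)."""
    if len(buf) < NOTIFY_HDR.size:
        raise ValueError("truncated Notify payload header")
    next_payload, crit, length, proto, spi_size, ntype = NOTIFY_HDR.unpack_from(buf)
    if length < NOTIFY_HDR.size + spi_size or length > len(buf):
        raise ValueError("Payload Length inconsistent with SPI Size or buffer")
    spi = buf[NOTIFY_HDR.size:NOTIFY_HDR.size + spi_size]
    data = buf[NOTIFY_HDR.size + spi_size:length]
    return {
        "next_payload": next_payload,
        "critical": bool(crit & 0x80),
        "protocol_id": 0 if spi_size == 0 else proto,
        "ignored_protocol_id": spi_size == 0 and proto != 0,
        "notify_type": ntype,
        "spi": spi,
        "data": data,
    }
```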


[IPsec] I-D Action: draft-ietf-ipsecme-multi-sa-performance-04.txt

2024-03-18 Thread internet-drafts
Internet-Draft draft-ietf-ipsecme-multi-sa-performance-04.txt is now
available. It is a work item of the IP Security Maintenance and Extensions
(IPSECME) WG of the IETF.

   Title:   IKEv2 support for per-resource Child SAs
   Authors: Antony Antony
            Tobias Brunner
            Steffen Klassert
            Paul Wouters
   Name:    draft-ietf-ipsecme-multi-sa-performance-04.txt
   Pages:   13
   Dates:   2024-03-18

Abstract:

   This document defines two Notify Message Type Payloads for the
   Internet Key Exchange Protocol Version 2 (IKEv2) to support the
   negotiation of multiple Child SAs with the same Traffic Selectors
   used on different resources, such as CPUs, to increase bandwidth of
   IPsec traffic between peers.

   The SA_RESOURCE_INFO notification is used to convey information that
   the negotiated Child SA and subsequent new Child SAs with the same
   Traffic Selectors are a logical group of Child SAs where most or all
   of the Child SAs are bound to a specific resource, such as a specific
   CPU.  The TS_MAX_QUEUE notify conveys that the peer is unwilling to
   create more additional Child SAs for this particular negotiated
   Traffic Selector combination.

   Using multiple Child SAs with the same Traffic Selectors has the
   benefit that each resource holding the Child SA has its own Sequence
   Number Counter, ensuring that CPUs don't have to synchronize their
   crypto state or disable their packet replay protection.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-multi-sa-performance/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-multi-sa-performance-04

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-ipsecme-multi-sa-performance-04

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

