**Session Date/Time:** 09 Nov 2022 15:00 # ipsecme ## Summary The ipsecme working group session discussed the status of various drafts, several new proposals, and challenges in scaling IPSec deployments. Key topics included the adoption of optimized multi-child SA rekeying, issues with IKEv2 payload size limits and cookie processing, source address validation using RPKI and IPSec, and a proposal for anti-replay subspaces to improve performance in multi-core and multi-path environments. The session highlighted a clear interest in addressing scalability and performance for large-scale IPSec deployments, particularly in the context of emerging post-quantum cryptography and 5G use cases. ## Key Discussion Points * **Draft Status Update:** * Four drafts are in the RFC Editor queue. * Two documents are in IETF/WG Last Call, with reminders for shepherd review (IKEv2) and additional reviews (P2). * IKEv2-no-ids was noted as ready for Working Group Last Call. * **Multiple Child SAs (draft-wouters-ipsecme-multiple-sas):** * The latest version removes the "special fallback SA," making it an implementation-specific functionality. * Discussion on scalability concerns for large IPSec hubs with many SAs; the expected use case focuses on filling CPU capacity rather than excessive SA multiplication per tunnel. * Support for adoption as a starting point, with calls to potentially limit SA creation. * **IPSec Workshop Report:** * **FIPS requirements for AES-GCM:** Clarified that the same key can be used for more than 2^32 packets in FIPS mode if IV/ICV is greater than 8 octets. * **Decoupled Policies:** Flat SPD data structures improve lookup efficiency. * **Full Hardware Offload for IPSec:** APIs exist for Linux, supported by Melanox Nvidia CX-7 cards, enabling full IPSec data path in hardware. * **Forwarding Fast Path (Linux):** Packet parking, using netfilter flow tables and small code loops, showed a 5x performance boost. * **ANEMA and IPSec:** Problem with VTI interfaces for network name status; XFRM interfaces were proposed as a solution. * **IPTFS:** Aggregation and fragmentation are supported, but constant rate sending is still missing. * **Re-thinking ESP:** Extensive discussion around multi-CPU, QoS, hardware flows, and anti-replay windows, potentially leading to an "ESPv4" due to limitations and new protocols like PLP Crypto. * **Beat Mode:** Despite being an old, unfinished draft (2008), it's implemented in Linux and widely used; a consensus to continue its work towards a Proposed Standard. * **IPComp Extension (draft-hu-ipsecme-ipcomp-extension):** * Proposed extensions to address IPComp issues: 1. **Incompatibility with network functions:** Transport layer (L4) information (ports) is compressed, hindering firewalls/NAT. Solutions proposed: new flag or duplicate CPI code points. 2. **Out-of-order processing:** Uncompressed packets sent without an IPComp header are processed differently. Proposed solution: always send IPComp header with a new CPI for uncompressed packets. * Discussion also touched on decoupling IPComp from IPSec, as its issues are not security-related. * The working group suggested exploring existing alternatives like IPTFS, CHIC over IP, or DIET-ESP for compression and MTU issues, indicating low interest in extending IPComp within ipsecme. * **New IKEv2 Payload Formats (draft-valerie-ipsecme-compact-ikev2-payloads-format, draft-wouters-ikev2-large-payloads):** * Current IKEv2 payload length (2 bytes) limits payloads to 64KB, problematic for Post-Quantum (PQ) algorithms with large public keys and signatures (e.g., Classic McEliece). * Existing formats also exhibit redundancy (reserved fields, fixed-size parameters). * Proposals address either the 64KB limit or redundancy, with different negotiation and implementation complexities. * Working group expressed interest in a single, generic solution for the >64KB limit, with redundancy reduction being a separate, though related, concern. * **IKEv2 Cookie Rework (draft-valerie-ikev2-revised-cookie-processing):** * Identified a protocol flaw where packet loss/reordering or a responder changing its secret key can cause `IKE_SA_INIT` authentication failures due to differing views of the most recent request used in calculation. * Proposed a "revised cookie processing" that excludes the cookie notify payload from authentication calculation, negotiated via a new notify message. * Concerns were raised about modifying the authentication system for a non-security-critical error, with suggestions for less intrusive solutions like the initiator echoing the cookie in `IKE_AUTH` for verification by the responder, leading to an error message if there's a mismatch. * **Receive RPKI and IPSec AS2AS Approach for Source Address Validation (rSAV) (draft-li-ipsecme-rsav):** * Proposal for a cryptographically based inter-AS Source Address Validation (SAV) protocol using RPKI for prefix origin authorization and IPSec (rSAV AH in transport mode) for IP source address authentication. * Key features: RPKI integration, AS Contact Servers (ACS) for IKEv2 negotiation, rSAV announcement in RPKI, and IPSec SA indexed by SPI and AS number. * Discussion touched on specific IPSec protocol details, such as the use of `DELETE` notifications for rejection, the role of ICV in ESP, and the negotiation of transport vs. tunnel mode. * A warning was raised against using Static Diffie-Hellman due to the lack of Post-Quantum equivalents. * The proposal is in early stages, focusing on addressing large-scale IPSec mesh deployments and minimizing state. * **Optimized IKEv2 Rekeying (draft-li-ipsecme-optimized-rekeying):** * Leverages RFC 7296 (section 2.8) to omit Traffic Selector (TS) and Security Association (SA) payloads during rekeying *for child SAs* if they are unchanged. This saves bandwidth and CPU cycles. * Implementation in 5G base stations reported, demonstrating practical value for large-scale, low-power, and constrained environments. * Clarification: This optimization primarily applies to child SAs, not IKE SAs, as IKE SAs can have different algorithms during rekeying. * **IPSec Anti-Replay Subspaces (draft-thompson-ipsecme-anti-replay-subspaces):** * Addresses performance challenges in multi-core, multi-path IPSec hubs handling thousands of peers. Current approach of using many child SAs (e.g., 4M for 6 paths/6 QoS classes) leads to high IKE negotiation load and memory issues. * Proposal: Introduce multiple anti-replay windows within a single child SA, distinguished by a "Subspace ID" in the ESP header. * Discussion points include IKE negotiation mechanisms, where to embed the Subspace ID in the ESP header (e.g., explicit extended sequence number field), and FIPS compliance for AES-GCM nonces. * The working group acknowledged the problem, with some suggesting that separate SAs are the existing solution, while others highlighted the scalability issues of that approach in large-scale deployments. ## Decisions and Action Items * **Multiple Child SAs (draft-wouters-ipsecme-multiple-sas):** A working group adoption call will be issued. * **New IKEv2 Payload Formats:** Valerie to draft a combined solution addressing both the >64KB payload size limit and message redundancy. * **IKEv2 Cookie Rework (draft-valerie-ikev2-revised-cookie-processing):** Valerie to send an email to the mailing list to gather feedback on the problem and the proposed solutions, particularly Tero's suggestion of an explicit cookie copy in `IKE_AUTH`. * **Optimized IKEv2 Rekeying (draft-li-ipsecme-optimized-rekeying):** A working group adoption call will be issued. * **IPSec Anti-Replay Subspaces (draft-thompson-ipsecme-anti-replay-subspaces):** Discussions to continue on the mailing list. ## Next Steps * Chairs to issue adoption calls for `draft-wouters-ipsecme-multiple-sas` and `draft-li-ipsecme-optimized-rekeying`. * Valerie to initiate mailing list discussions for IKEv2 payload formats and IKEv2 cookie rework. * Proponents of IPSec Anti-Replay Subspaces to continue mailing list discussions, with a virtual interim meeting proposed to consolidate ideas. * Continue work on Beat Mode to bring it to Proposed Standard status. * Monitor new developments like ESPv4 and IPTFS as potential solutions for existing problems.