►
From YouTube: IETF115-IPSECME-20221109-1500
Description
IPSECME meeting session at IETF115
2022/11/09 1500
https://datatracker.ietf.org/meeting/115/proceedings/
A
Not
positively,
okay,
my
clock
just
turned
to
1500,
so
I
think
we
are
going
to
be
starting.
This
is
ipsec
ma
working
group,
I'm
terracividen
and
my
co-chair.
Is
there
in
the
big
screen
you
can
say
hi,
probably
oh,
you
could
just
be
okay,
that's
fine!
All
right!
So
we
have
a
faithful
agenda.
Today
we
have
five
minutes
overtime
in
that
agenda,
so.
A
Get
closer
to
it
and
take
the
mask
off
so
it
makes
it
easier
all
right.
So
just
a
note,
well,
you'll
probably
see
have
seen
it
several
times
already
and-
and
we
have
already
have
two
note
takers-
that's
fine
and
there's
links
for
the
you
know
meteco
and
notepad.
If
anybody
else
go
to
that
page-
and
you
can
actually
add,
especially
if
you
are
making
comments
on
the
you
know,
microphone
just
go
there
and
check
out
their
comments
are
properly
or
or
type
them
in.
A
You
can
even
type
them
in
before
you
actually
make
the
comments
that
makes
you
very
all
right.
So
we
have
a
full
agenda,
any
comments
on
the
agenda
or
any
I
I,
pretty
sure
we
are
not
going
to
be
getting
to
the
last
two
items
which
are
if
time
permits,
because
there
are
so
many
other
items
in
the
before,
but
any
other
any
comments
on
the
agenda.
A
B
A
C
Paul
voters-
yes,
I,
would
like
to
complain
about
that
because
it
actually
has
been
in
the
the
shepherd's
review
was
was
added
in
March.
It
is
now
November
yeah.
C
But
yeah,
please
do
this
in
the
next
couple.
D
P2
is
in
the
last
call
too,
but
this
last
call
is
lasting
for
I,
don't
know
more
than
half
a
year
and
it
is
still
waiting
for
more
reviews
and
I.
Remember
that
a
couple
ATF
meetings
ago,
a
few
people
volunteered
to
provide
the
review
for
this
draft
and
I
just
determined
it's
a
friendly
reminder
for
those
people
who
volunteer
it
that
it
is
still
not
too
late.
A
Yes,
so
g,
I
question
two:
there
were
several
people
who
one
of
those
are
actually
commenting
there
well
other
things
that
are
not
done
a
promising
to
make
a
review
and
haven't
done
that.
So
yes,
that
actually
would
be
and
I
it's
also
in
my
list
to
do
the
review
one
more
review
and
then
push
it
Forward
regardless.
If
you
get
more
reviews
or
not
but
I
hope
to
get
more
of
those
there's.
A
This
working
group
last
call
First
ADI,
which
I
completely
forget
so
I
will
actually
push
that
one
to
be
say,
I
think
we
are
going
to
be
pushing
that
one
out
and
we
have
a
couple
of
comments
waiting
for
the
you
know,
adoption
course,
which
I
think
are
also
going
to
happen.
Okay
Valerie,
more
comments.
D
A
Right
now,
so
we
have
labeled
ipsec,
which
is
should
be
going
to
the
you
know.
Publication
requested
very
soon.
If
I
get
the
charter
review,
there
are
a
still
rebutron.
We
have
open
group
plus
code
for
Ada
Ike,
which
is
done,
and
then
we
have
an
Ike
analysis
announced
should
be
going
to
work
into
plastical
and
giac
version
2,
which
should
be
going
out
from
the
working
group.
A
C
The
next
slide,
sorry,
so
there's
a
brief
history.
You
can
read
it
if
you
want.
Basically,
the
last
version
only
removes
the
special
fallback.
I
say
this
was
the
essay
that
we
said
always
should
be
up
so
that
you
always
have
one
essay
to
send
a
packet
over
people
didn't
like
the
fact
that
it
was
special,
so
we
removed
it
and
basically
now
becomes
an
implementation
specific
thing.
C
If
you
really
want
that
functionality,
it
is
just
not
specified
in
a
draft,
but
it's
like
implementation,
specific
thing
you
can
implement
that
required
a
little
change
for
the
no
device
to
be
sent
and
there's
no
more
issues
left
that
I'm
aware
of
so.
Hopefully
this
will
make
Valerie
happy
and
well
actually
so
to
be
fair,
Valerie
and
Taro,
didn't
like
the
fallback
I
say
so.
Other
comments
were
not
outstanding.
So
if
there
are
any,
please
let
us
know
as
soon
as
possible.
A
F
Hi
Paul
Thompson
from
Cisco
Meraki,
so
we
are
actually
facing
the
similar
issues
and
we
completely
agree
with
the
problems
based
as
you're
facing
for
performances.
With
this
draft.
We
just
want
to
raise
a
concern
we
have,
which
might
be
that
by
adding
more
essays,
we
could
face
some
scalability
issues
on
big
hub,
for
instance,
ipsec
hubs,
but
yeah.
C
Yes,
sorry
so
you're
using
one
disadvantage
of
this
solution
is
that
you
get
more
essays
more
than
one
I
say
per
tunnel,
and
that
has
a
hardware
implications.
A
And
use
the
queue
by
the
way
for
those
people
who
are
coming
up
to
the
mic
use
the
queue
before
you
come
to
the
mic
because
we
have
remote
people
there.
Okay,
it's.
F
Not
in
the
case
where
you
would
have
like
a
few
more
essays
but
I
think
in
some
situation
you
might
have
a
lot
more
child.
Let's
say
that
you
would
want
to
create
to
benefit
from
the
the
performance
advantage,
and
in
that
case,
if
you
already
have
a
lot
of
already
existing
tunnels,
that
could
multiply
the
number
of
essay
by
a
significant
amount.
Okay,.
C
So
so
let
me
comment
down
in
general
when
you
have
a
a
lot
of
clients
and
a
lot
of
tunnels
and
you're
already
spreading
those
over
your
multiple
CPUs.
So
then
you're
not
really
gaining
much
more
from
adding
even
more
tunnel
so
that
you
have
like
you
know.
Each
of
your
10
tunnels
uses
10
essays
for
the
10
CPUs,
because
your
CPUs
will
be
maxed
out
right.
So
there's
no
point
in
putting
multiple
on
them.
So
in
general.
D
B
F
D
G
So
I
I
think
it's
a
problem
we
have
to
solve.
G
G
And
and
I
also
I
don't
want
to
talk
about
regarding
the
presentation,
that's
going
to
be
done
at
the
end,
but
I
think
we
should
also
try
to
to
limit
the
the
number
of
creation
of
essays
so
I'd
like
that,
we
pay
attention
to
to
the
last
presentation.
H
A
J
Okay,
yeah,
hello,
everyone,
okay,
hello,
everyone:
this
is
a
report
from
the
IP
secret
shop
that
was
held
last
week
here
in
London
next
slide.
First,
some
background
about
that
event.
That
event
is
funded
by
the
ipsecant
network,
security,
Association,
there's
a
yearly
event
and
it
was
held
first
time
in
2018..
J
It
will
somewhat
seeming
public
event
because
we
tried
to
limit
a
number
of
attendees
below
20
to
be
able
to
run
all
that
in
Workshop
mode
with
discussions,
and
so
on
topics
are
usually
ipsec
implementation
protocol,
but
also
other
security
stuff.
That
comes
up
as
welcome
next,
so
we
started
a
workshop
with
a
discussion
about
fips
requirements
for
a
Year's.
Gcm
Paul
came
up
with
a
question
and
he
were
asking
if
we
can
use
the
same
key
for
more
than
due
to
the
the
issue
packets
in
fips
mode.
J
So
we
had
a
discussion
about
it
looked
at
the
specs
and
finally,
we
agreed
that
yes,
that's
possible,
even
in
fixed
fips
mode,
but
there's
one
limitation.
So
if
your
IV
is
on
icv
is
only
eight
octaves,
then
you're
really
limited
to
two
to
the
32,
but
in
all
other
cases
it
should
be
possible
to
use
more
okay
next.
J
So
next
topic
we
had
was
decorated
policies
and
how
to
avoid
overlapping
policies.
Tiro
presented
about
that,
he
gave
an
overview
of
what
D
Colonel
policies
are,
gave
us
some
examples
and
showed
that
just
gives
a
rather
nice
flat,
SPD
data
structure,
where
you
don't
need
to
use
priorities
to
find
actually
the
right
policy,
and
that
makes
lookups
much
more
efficient.
J
B
J
Okay,
next
topic
was
about
a
forwarding,
fast
path,
with
packet
parking
in
Linux.
The
idea
there
was
we
just
take
out
a
net
filter
flow
table
with,
with
that
as
possible
to
skip
the
entire
L3
data
path.
Then
we
are
creating
packet
box
so
that
each
bug
consists
of
packets
that
are
matching
the
same
as
a
and
with
these
packet
piles.
J
We
are
running
small
code
Loops
that
are
rather
cash
friendly,
and
we
were
able
to
show
that
in
our
test
setups
we
got
a
performance,
booster
Factor,
five,
compared
to
that
what
we
had
before.
Okay
next
then
Michael
Richardson
presented
about
anema
and
the
use
of
ipsec
there.
He
gave
a
brief
introduction
about
what
anima
is
and
how
ipsec
is
used
there
and
presented
the
problem
that
she
was
unable
to
cross
network
name
status
with
vti
interfaces.
J
We
discussed
that
a
bit
on
a
proposed
solution
is
to
use
XM
interfaces.
Those
interfaces
were
created
to
replace
ETI
and
Linux,
because
vti
has
well.
Vgi
is
basically
broken
from
most
of
the
use
cases,
so
we
intervented
inventor
text
frame
interface
a
couple
of
years
ago
to
get
rid
of
that.
So
next.
J
Okay
next
was
Chris
presenting
about
iptfs.
He
gave
an
introduction
to
that
and
showed
us.
The
state
of
the
Legends
implementation
So.
Currently
aggregation
and
fragmentation
is
supported
thanks
Chris,
what's
still
missing
is
the
constant
rate
sending,
but
we
hope
that
Chris
will
help
us
there
too,
and
we're
getting
eventually
just
also
supported
in
the
nuts
next
slide.
Please,
okay,
I
think
well.
Paul
talked
about
that.
One
I
think
I
can
skip
that
slide
next.
J
So
then
we
had
a
longer
discussion
about
reassigning
efp.
So
during
the
last
time
there
were
quite
a
lot
of
proposals
around
you
support
the
multi-cpu
use
case,
quality
of
service
classes,
Hardware
flows
and
so
on
and
so
forth.
So
and
all
that
boiled
down
to
the
fact
that
we
kind
of
need
some
separate
anti-replay
windows.
J
Additionally,
to
that
Google
came
in
April
and
published
the
PLP
crypto
protocol,
which
also
looks
pretty
similar
to
ESP,
but
it's
just
not
it
so
we
agreed
that
it
might
be
time
to
rethink
ESP,
put
everything
on
a
table
and
eventually
try
to
create
the
new
ESP
V4
version
with
that.
But
well
time
will
show
next.
J
Okay,
then
we
talked
about
beat
mode.
The
beat
mode
draft
is
rather
old,
just
from
2008,
and
it's
still
unfinished
and
uncontinued,
but
actually
beat
mode,
is
implemented
in
Linux
and
people
are
really
use
it.
So
we
agreed
that
could
be
a
good
idea
to
continue
that
work,
that
we
can
eventually
finish,
beat
mode
and
get
it
to
a
proposed
standards.
J
A
E
I
E
Please
yeah
first,
some
background
on
the
IP
count
is
a
IP
field,
compression
protocol,
it's
just
a
compressed
IV
payload
to
save
some
binder
weights
and
the
compressor
payload
is
prepared
with
an
IP
comp
header.
The
ibcon
has
A3
part.
The
first
part
is
the
next
cutter
and
it
puts
the
original
next
header
in
there
and
the
second
part
is
flex
now
it
must
be
zero
and
ignored
by
the
decompression
side,
and
the
third
part
is
the
compression
parameter
index
to
indicate
the
compression
algorithm
used
and
is
maintained
in
this
and
registry.
E
E
So
you
cannot
put
any
network
function
which
relies
on
this
information,
for
example
the
firewall
nity
or
some
kind
of
HCL.
So
this
will
limit
the
the
IP
count.
Deployment
science
means
oops
yeah,
so
we
propose
the
first
extension
to
solve
this
problem.
The
statistic
extension
is
very
simple:
it's
just
excludes
the
protein
info
from
the
compression
range
to
do
that
to
basically
we
have
two
options.
E
The
first
option
is
that
we
can
change
the
flags
to
to
add
one
bit
indication
to
say
this
compression
will
exclude
the
source,
proton
destination
port
and
the
second
option
that
we
can
duplicate
each
compression
algorithm
code.
Point:
for
example,
in
in
this
table
we
can
say
the
the
CPI
value.
One
is
the
idcom
or
UI,
and
there
is
another
CPI
value
to
indicate
the
test.
E
Basically,
the
reason
is
that
in
the
IB
count,
biopsy
is
specified
that
if
a
package
is
the
compression
is
not
effective,
meaning
the
compression
May
produce
a
longer
pay
node.
Then
the
packet
is
sent
uncompressed
and
the
results,
the
ipcon
header.
But
in
the
compression
side
a
packet
with
the
ID
card
will
go
through
the
decompression
code,
processor
first,
but
if
a
calculate
does
not
have
the
idcom
header,
it
will
be
forward
directly.
So
it
is.
E
No,
no,
the
same
thing,
so
we
propose
the
second
extension
to
solve
the
auto
order
from
the
basically
we
we
can
change
the
behavior
to
to
add
the
ipconocator
email
if
the
payload
is
sent
uncompressed.
So
to
do
that,
we
can
use
a
new
CPI
value
for
the
uncompressed
packet.
Basically,
this
news
API
means
this
packet
is
sent
uncompressed
that
next
sense
Yeah.
So
basically
that
wasn't
what
our
drop
is
about,
and
we
also
would
like
to
talk
about
the
IP
comp,
the
relationship
of
ID,
compound
ipsec.
E
Currently
the
CPI
code
point
you
don't
know
created
in
the
ip7
Regulatory
and
is
negotiated
using
Ike,
but
actually
the
compression
is
not
related
to
the
security
and
the
CPI
value
does
not
have
to
be
unlocked
by
Ike.
Maybe
there
are
other
control
plane
protocol
can
be
used,
so
maybe
this
can
decouple
from
the
ipsec
and
for
the
transport
layer.
It's
including
this
L4
information.
We
want
to
hear
your
opinion
about
whether
we
use
the
CTI
or
you
use
a
new
flag.
L
Yeah
Channel
some
stuff
that
was
said
there
on
the
zulup
for
most
ipsec
implementations,
ipcon.
Well,
it
wasn't
really
removed,
but
it's
kind
of
deprecated
hidden
in
a
d
player
in
the
GUI,
so
kind
of
as
much
deprecated
as
AHS.
So
if
you
want
to
decouple
it
from
ipsec
I
think
that's
a
good
idea,
I'm,
not
sure.
If
it's
I
don't
know
how
useful
it
is
outside
of
the
context
of
ipsec.
A
E
Actually,
with
some
musics
travel
to
the
sixth
man,
because
we
think
it's
an
ipcome
kind
of
go
into
the
maintenance
mode,
but
someone
Samsung
guy
in
sixth
amendment
is
IP
IP
sexy.
It's
also
in
go
here,
yeah
to
to
hear
your
opinion.
C
E
I
B
A
This
documents
as
well
commentators,
there's
also
you
know-
if
you
think
about
the
cases
you
have
this
uncompressed
payload,
that's
using
the
IP
competitor
there.
Even
the
reason
why
they
didn't
into
this
is
that
that
expands
the
bucket,
which
makes
the
MTU
problems
start
to
appear
when
they
didn't
appear
in
the
beginning.
So
that
was
the
reason
why
they
made
it
so
that
it
can't
expand
the
bucket.
So
this
solution
is
actually
not
very
good
for
that.
E
Yeah
actually,
first
first,
this
uncompressive
panel
is
secure.
Ip
comp
enabled
payload
flow,
so
it
only
affects
a
certain
amount
of
load.
You
you
personally
need
to
match
your
flow
to
to
the
ipcon,
so
I'm
I'm,
seeing
here
the
top
of
order,
is
happening
in
the
IP
I
becoming
enable
the
flow
not
any
other
package.
Okay,
so.
G
Yeah,
so
just
to
complement
with
Eric
just
said
about
chick.
We
also
have
one
protocol,
which
is
die
tsp,
which
is
about
compressing.
Some
of
the
fields
in
the
in
the
I
mean
well
ESP,
IP
packet
and
it's.
It
is
expected
to
interface
pretty
well
with
Chic
as
well.
I
mean
that
that
that's
what
we
should
work
on
also.
E
B
D
D
Please
so
you
may
notice
that
there
is
an
a
question
in
the
title,
so
the
purpose
of
this
presentation
it
is
not
concerned
with
any
with
any
particular
draft,
is
to
go
to
an
interest
in
the
working
group
of
their
wise
and
likely
to
openload
format.
So
for
existing
payload
format,
we
have
some
limitations.
First,
the
landfill
occupies
only
two
bytes,
so
it's
below
its
size
is
limited
to
64
carbohydes,
okay
to
both.
D
So
it
made
me
not
enough
for
some
use
cases,
especially
for
post
Quantum,
algorithms
that
have
large
public
keys
and
I
must
note
that
there
is
no
problems.
There
is
a
message
size
itself
which,
which
is
limited
to
four
gigabytes,
so.
L
D
Next
piece
and
the
other
issue,
with
the
current
format
and
both
with
generic
format
and
some
particular
formats,
is
that
they
have
a
lot
of
redundancy,
so
we
have
a
lot
of
not
a
lot,
but
just
a
noticeable
number
of
reserved
fields
that
are
always
zero
and
never
used.
A
load
field
always
occupies
two
bytes
and
most
payloads
are
smaller,
especially
notified
pillows
and
most
parameters
in
say,
pollute
also
occupy
to
buy
it.
So,
while
very
few
numbers
very
few,
will
you
satisfied
so
far?
This
is
just
an
example.
D
So
before
I
say
below
with
these
parameters,
the
lens
is
48
bytes
among
them.
Half
of
these
bikes
are
zeros,
so.
D
Please
and
why
it
is
a
good
sin
to
leave
to
64
kilobyte
size
limits,
so
it
would
allow
using
some
cool
post,
Quantum
algorithm
with
some
public
keys
and
signatures,
and
currently
nist
approved
algorithm
have
a
smaller
public
key
size
and
signature.
But,
for
example,
classic
make
Elise
is
still
an
Eastern
for
candidate,
and
it
is
also
recommended
by
some
national
state
organizations
like
BSI
in
Germany,
and
there
may
also
be
cases
when
we
need
to
transfer
that
chance
of
data,
for
example
in
configuration
below
and
it's.
D
And
why
do
we
need
to
make
a
lot
smaller?
It
would
decrease
power,
Network
bandwidth
consumption,
which
is
important
for
iot
devices,
and
it
will
also
decrease
the
chances
of
Ip.
Fragmentation
in
I
can.
B
B
D
You
take
integration
set,
but
Quantum
algorithms
may
have
different
parameters
as
the
next
piece.
D
So
what
do
we
have
now?
There
are
a
few
existing
proposals.
First,
a
large
internet
key
exchange
version,
2
payload
draft,
then
beyond
64
call
limits
on
my
equator
pillows
and
compared
for
much
of
IQ
products
as.
F
D
Next,
please
so
I
will
try
to
analyze
to
Quick
analyze
all
of
these
proposals,
so
a
large
internet,
key
exchange
version
took
a
load.
It
addresses
only
64
by
its
limitations.
It
is
a
generic
Solutions.
It
is
suitable
for
any
preload
and
below
it.
In
all,
the
different
light
can
be
mixed
in
a
message,
and
this
feature
is
explicitly
negotiated.
A.
D
I
D
So
beyond,
beyond
64.
gigabytes,
a
limited
950
loads,
it
also
addresses
only
64
capellites
limitation.
It
is
suitable
only
for
sample
loads,
so
for
those
that
most
probably
will
have
a
problem
with
post
Quantum
algorithms,
it's
key
exchange,
authentication
and
set
certificate
and
existing
bullet
format
is
fully
preserved,
but
encrypted
per
load
is
mainly
somehow
to
make
possible
to
have
a.
B
B
D
F
D
Next,
please
and
compact
format
of
502
payloads
IT
addresses
redundancy,
a
fight
with
fight
pillows,
and
this
proposes
suitable
for
any
preload,
but
some
preloads
are
well
compaction.
Centered
pillows
can
be
mixed
in
a
message.
Sample
loads
have
special,
extremely
complex
format.
There
is
no
negotiation
and
a
new
initial
exchange
is
used
instead.
Alternative
I
can
say
neat.
This
is
semantically
equal
to
I,
guess
in
it,
but
allows
for
compact
below
to
appear,
and
there.
M
D
There
is
some
kind
of
negotiation,
because
again
initiation
can
also
can
always
relate
to
it
because
they
need,
if,
if
it
receives
a
fatal
error
or
timeout
of
descending
initial
message,
it
is
a
moderative
difficult
to
implement.
It
can
be
implemented
as.
F
B
D
Next,
so
the
question,
which
is
a
working
group,
do
we
want
to
provide
cycle
load
format?
If,
yes,
then,
what
problem
should
they
address,
or
should
you
address
just
make
it
possible
to
to
help
the
Lord
greater
than
64
car
or
decrease
Mass
Equity
message
redundancy
or
both,
and
it
is
not
in
the
presentation?
If
both
then
should
it
be
in
a
single
solution
or
should
it
be
different
solutions?
D
Well,
there
are
some
backup,
slides,
but
Sergeant
is
very
tight.
The
backup
slide
just
proposes
some
way
to
address
both
both
problems.
Some
preliminary
approach,
so
if
the
time
permits
I
will
show
it,
but
if
now
that
we
can
go
to
the
questions.
A
G
I
think
it's
interesting.
One
of
the
questions
I
have
is
that
when
we
decrease
the
redundancy,
do
we
end
up
in
something
easier
to
pass
or
something
more
complex.
D
Oh
well,
it
is
a
bit
complex
sense,
that's
a
simple
solution,
but
I
think
it's
moderate.
Actually,
the
draft
was
written
that
it
can
be
implemented
as
post-processing
of
the
ready,
ipt
messages
and
preprocessing
of
the
received
messages.
So
it
is,
it
can
be
yeah
relatively
easy
built
into
the
current
implementation
without
breaking
it,
but
it
requires
well
some
some
amount
of
work,
but
not
much
from
mind.
D
So
the
question
to
chairs:
oh:
what
do
you
think
about
this
work.
A
So
to
start
again
and
so
I
think
both
of
them
are
actually
separate
items
in
our
Charter
so
with
actually
the
64k
limitation
is
coming
from
the
you
know,
post
Quantum,
algorithm
and
I
think
we
need
to
solve
that
and
I
hope.
We
get
one
solution
for
that,
not
two,
so
I
would
actually
like
to
have.
You
know
people
to
discuss
of
those
two,
because
we
have
to
implement
it.
Two
different
drafts
for
that.
A
So
I
would
actually
like
to
have
a
people
to
actually
discuss
and
and
agree
on
this
of
those
proposals
to
go
forward,
and
hopefully,
when
we
can
decide
on
one,
we
can
actually
go
forward
with
that
and
I
would
actually
I
think
it
would
be
better
to
have
a
solution
that
would
actually
work
for
all
payloads,
because
there's
some
other
like
like
somebody
was
saying
you
know
having
a
configuration
payload
covering
the
whole
networking
structure
of
the
company,
which
is
completely
messed
up
by
bike
week
or
more
than
64
kilowatts,
which
I
think
is
usually
provide
that
the
Enterprise
you
know
ID
department
is
not
doing
very
well
based.
A
They
have
to
have
that
many
networks
separate
Networks
but
anyway,
so
so
I
think
it
would
be
useful
so
at
the
compression
or
or
or
small
things,
I
think
that's
a
separate
issue
and
I
think
we
should
be
probably
keep
them
as
a
separate,
also
and
and
for
that
we
also
have
multiple
I
think
we
have
a
diet,
a
couple
of
diet
versions
that
we
have
at
least
I
think
we
have
multiple
versions
of
that.
Also,
so
I
would
try
to
have
an
outers
to
actually
try
to
find
a
common
ground
and
common
solution.
D
Well,
so,
if
I
try
to
write
a
draft
and
present
it
to
the
working
group,
easy
to
okay,
yep,
okay,
thank
you
and.
A
L
K
D
So
this
presentation
was
presented
a
few
ideas
ago
and
I
just
want
to
raise.
D
Slide
please
well,
this
is
this
diagram
shows
synthetic
using
cookies
in
iq2,
so,
according
to
RFC
70
to
90
96,
the
most
recent
I
can
say
need
request.
Message
is
included
into
the
output
load.
Calculation,
I
think
that
it
goes
exchange.
So
in
this
diagram,
it's
it
is
a
request
to
impose,
initiated
and
responded.
So
it
is
standard
way
so.
I
D
Next,
please,
but
what
happens
if
we
have
some
packet
loss
and
the
original?
Well,
these
there
are
two
possible
problem
scenarios
and
both
are
concerned
with
the
responded.
D
States
change
in
the
middle
of
I
can
say
you
need
request
for
in
this
problem
scenario,
one
first,
the
responder,
since
that
it
is
under
attack
and
request
a
cookie,
but
this
message
get
reordered
and
before
these
the
initiators
sends
another
request,
and
at
this
point
the
responded
since
that
is
no
more
under
attack,
and
it
just
responds
with
a
usual
response
response
rest
to
and
one
of
the
message.
I
D
Only
received
track,
one
so
authentication
would
fail
it's
next,
please
and
tonight's,
a
problem
scenario
if
they
responder
changes,
a
secret
key
that
is
used
to
produce
a
cookie
in
the
middle
of
I
can
say
neat
exchange
again.
This
is
very
simple:
to
prevent
a
scenario:
some
packets
are
reorders
and
someone
pick
it
is
lost,
but
the
outcome
is
the
same.
The.
F
D
M
D
Next,
please,
and
so,
since
the
problem
is
that
I
can
send,
requests
can
be
sent
several
times,
there's
different
content
depending
on
the
respond
to
state
and
if
there
is
high
probability
of
packet
loss
and
Georgians
and
B
is
my
complete
I
guess:
I
need
exchange,
having
a
different
view
of
what
was
the
most
recent
and,
like
I,
say
any
digress,
and
this
request
message
is
used
in
calculation
and
if
PSU.
B
D
Fail,
yes,
please,
and
what
is
about
severity
of
the
problem?
There
must
be
some
precondition
for
the
problem
to
become
noticeable
so
high
package,
hyperability
of
packet
loss
and
delay,
and
a
relative
frequent
frequent
change
of
responder
state
and
in
a
real
situation,
it's
extremely
rare,
but
on
a
stress
tests
that
we
performed
a
few
percent
of
the
essays
failed.
Due
to
this
problem
and
I
think
that
the
most
problem
for
implementers
for
vendors
is
that
customer
would
want
the
voice.
Education
sometimes
failed
with
with
absolutely
proper
credential.
D
F
D
The
next
piece-
and
how
can
we
fix
this,
so
we
can
Define
the
reverse
cookie
processing
by
excluding
notified
per
load
containing
cookie
from
the
hospital
calculation
and
I
think
that
it
it
will
not
bring
a
new
secure
security
issues
because
the
cookie
was
already
verified
by
the
responders.
So
there's
no
need
to
verify
it
again,
but
including
inside
records
and
foreign.
D
Can
be
negotiatable,
let's
please
so
negotiation.
So
if
responder
supports
a
wise
cookie
purchasing,
it
will
Center
wise
cooking
notify
in.
I
I
D
K
D
So
it
is
only
the
case
if
it
requires
cooking
and
if
the
initiator
also
supports
the
Civilized
cookie
process,
and
it
will
include
the
include
the
content
of
the
cookie
notification
into
this
new
upload,
rice,
cookie,
and
so
the
reporter
I
would
know
that
the
revised
booking
processing
is
needed.
D
D
Please,
and
if
yes
agrees
to
you
to
to
go
with
the
revised
cookie
processing,
that
no
change
time
to
antiquality
function
of
cookie
and
responded
still
send
steak
is
Cookie,
but
when
house
politics
calculating
the
way
it
is
done
so.
D
Is
equal
to
real
message,
one
and
non-state
and
marked
ID
for
initiator?
If
Cookie
plot
is
present,
then
we
change
a
real
message,
one
with
a
new
construction
in
the
next
slide
next
piece.
D
So
we
just
exclude
from
this
message
for
the
purpose
of
the
calculation
of
icos
of
holes
below
we
exclude
the
notify
containing
cookie
and
also
make
a
modification
to
next
reload
in
Arcadia
and
message
learning
and
that's
all.
If
we
do
it,
then
the
calculation
will
be
equal,
even
in
the
case.
That
cookie
is
different
because.
A
So
so
they're
still
coming
so
I
think
this
is
that
I'm
talking
about
some
individual
chair.
So
this
is
a
little
bit.
You
know
questionable
if
it
is
worth
of
addressable
I
think
it's
it's
a
flaw
in
the
protocol,
so
that's
why
we
should
fix
it.
The
question
is
that
if
it's
a
flaw
that
doesn't
affect
security,
it
only
affects
you
know
funny
error
messages
now,
every
now
and
then,
when
you
are
doing
stress
tests
and
fixing
it
we
will.
Actually.
You
know,
of
course,
a
completely
new.
You
know.
A
Quite
a
you
know,
big
modification,
the
authentication
system,
I,
would
be
very
hesitant,
but
I
think
we
can
actually
find
a
solution.
That
actually
is
so
works
better.
One
of
the
problems.
What
you
are
doing
here
in
out
I,
say
calculation
is
that
the
those
two
messages
might
not
be
exactly
same.
We
say
that
the
repeat:
retrospectors
must
be
bitwise
identical,
but
there
is
nothing,
not
nothing.
A
They
are
saying
that
we
can't,
for
example,
add
padding
or
put
a
you
know,
payloads
in
different
order
in
the
cookie
message
or
or
or
or
you
know,
when
you
are
actually
adding
cookie
or
not
adding
cookie.
So
that's
actually
would
be
a
different
way,
but
what
we
could
actually
do
is
when
we
are.
Where
is
this
one?
This
case,
for
example,
the
real
issue
is
the
authentication
file
or
a
notification.
A
If
you
could
get
the
separate
notification
saying
oh
Cookie
changed
in
the
middle,
then
the
you
know
any
theater
would
know.
Oh
the
cookie
change
in
the
middle
I
start
from
the
stretch,
I
start
again
and
everything
works
take
a
time
most
likely.
Okay,
so
one
solution
would
be
that
that
the
initiator
would,
in
the
last
you
know,
Ike
out,
it
would
include
the
cookie
that
is
using
for
the
out
calculation,
so
it
would
have
a
repeat
the
cookie
there.
A
A
He
could,
in
theory,
go
and
modify
your
initial
pocket,
but
there
we
have
the
same
problem
that
if
the
cookie
changed
you
know
the
some
of
the
paddings
or
something
especially
if
you
know
cookie
length
is
different.
There
might
be,
you
know
different
amount
of
paddings
because
the
cookie
happens
to
be
you
know:
17
OCTA,
slang
along
and
somebody
had
some
padding
somewhere
or
something
stupid.
So
that's
why
I
was
thinking
about
it.
This
would
probably
work
better
in
that
way,
so
we
only
modify
the
code
in
case.
A
You
actually
detect
this
issue
and
it
would
be
actually
optional
to
you
know
people
to
actually
implement
it
and
it
would
be
very
easy
for
the
imitator
side
to
implement
it.
They
just
need
to
repeat
the
cookie
and
it's
a
notification.
You
can
add
there
without
any
notifications.
Without
any
you
know,
negotiation
beforehand,
you
try
to
add
no
cookie
copy
in
the
ike
out
and
everybody
will
just
ignore
it,
because
an
unknown
status
notification,
a
responder,
can
either
do
or
not
do
the
you
know.
A
D
I
would
I
think
that
sending
cooking
aikos
is
a
good
idea,
but
if
you
go
further
and
use
the
respond
to
notify
and
notice
that
the
cookie
is
different
in
the
in
the
I
can
say
in
each
and
I
goes
then
well
what
what
what
should
we
do,
then?
So.
H
A
Would
be
a
lazy
way
of
doing
it?
Of
course
you
could
try
to
you
know
if
you
have
still
the
original
edit
there's
a
full
packet,
you
could
actually
go
and
try
to
switch
a
cookie
to
be
the
one
that
they
used.
You
know
check
out
this
authentication
track
seeds,
but
that's
quite
a
lot
of
work
for
very
Corner
cases,
so
I
probably
wouldn't
be
in
my
implementations.
I
wouldn't
be
doing
that
I
would
just
take
a
easy
way
out
and
say:
oh
separate
error
message.
That
is
not
how
the
education
failed.
D
For
me
well,
well,
it's
possible,
but
it
will
just
complicate
it's
the
right
stick
machine
because
it
will
a
new
non-fital
errors
that
you
must
handle,
gracefully
just
to
repeat
and.
A
C
I
I,
it
seems
that
this
idea
is
actually
a
nice
idea,
so
I
do
like
it.
So
if
you
need
volunteers,
I
can
help
Valerie
I
I
was
on
a
few
slides.
I
can
start
a
few
slides
forward.
You
had
some
statistics
about
how
bad
this
program
became.
I
was
running.
What
that
was
based
on.
C
Was
it
based
on
the
error,
condition
one
or
the
error
condition
two,
because
I
think
the
one
where
the
secret
changes
couldn't
responder,
who
might
remember
the
last
secret
and
the
current
secret
like
C
like
if
that
is
the
case
or
not
like
like?
Is
that
really
a
case
that
happens
because
you
know
that,
like
you
cycle
between
two
Secrets,
basically
right,
so
if
the
first
one
fills
you
try.
Oh
maybe
this
was
a
cookie
from
the
old
team.
You
are
active
as
part
of
the
cookie
you
prefix
a
byte.
C
D
It
does
because
the
world
responder
can
verify
cookie
and
it's
okay
with
verification
of
the
cookie,
but
then
the
responder
uses
these
cookies.
That
is
it.
It
verified.
It
uses
this
cookie
in
the
icons
calculation
instead
of
using
the
previous
cookie.
So
it
should
not
verify
it
should
reproduce
the
previous
cookie
that
should
that
was
actually
generated
with
a
different
Secret
and
if
it
is
possible
to
do
it,
then
well,
okay,
it's
probably
will
help,
but
it's
it's
not
the
problem
that
it
cannot
verify.
It's
not
elegant.
A
A
That's
a
you
know
in
its
out
payload,
but
the
rest
Pottery
is
only
seeing
the
first
one,
which
has
a
different
cookie
and
it
used
that
as
an
out
calculation
Basin,
and
so
they
do
the
out
calculations
in
different
cookies
and
there
is
no
way
of
knowing.
Of
course,
you
know
if
you
actually
have
a
cookie
copy
here,
then
you
know
responder
can
see.
Oh
yeah,
we
are
using
wrong
coupon,
it
could
actually
go
and
you
know
replace
it,
but
as
I
said,
modifying
somebody
else's
scent
packet
is.
A
So
I
think
this
is
I
would
like
to
get
some
other
people's
feedback
on
this,
and
and
I
would
actually
want
to
get
people's
comments
on
the
list
and
so
on.
Do
you
think
this
is
something
that
we
want
to
solve
and
do
we
actually
want
to
solve
it
in
which
way
so.
A
A
N
Yes,
yes,
okay,
hello,
everyone!
This
is
coming
from
qinghai
University
today,
I
will
talk
about
the
receive
rpk
and
episode
best
as2s
approach
for
social,
gradual,
Edition
and
here
shows
the
document
links
in
data
clicker
and
our
workspace
at
the
GitHub
next
page.
Please,
first
I
should
introduce
the
source
address
relation
problem,
as
defined
in
RC
2827
Source.
Address
validation
is
used
to
defend
the
new
or
service
or
Tech
well,
as
defined
in
RFC
file
to
one
zero.
It
has
been
refinished
three
difficulties.
That
is
vulnerability.
N
It
is
difficult
to
resist
the
attacks
by
disabling
the
IP
Source
address
directly
and
the
second
credibility
attackers
could
conceal
location
and
identity
by
using
a
spoofing
address
and
the
second
major
ability
it
is
difficult
to
realize.
Building
and
other
management
through
the
IP
Source
address,
because
they
may
use
a
supporting
address.
N
Projects
that
about
20
percent
of
network
prefix
could
be
spoofed
Distributing
in
about
40
percent,
as
in
IPv6
networks,
so
does
in
ipv4
Networks
next
page.
Please
thanks.
So
we
promote
and
desire
is
safe.
In
general,
we
saved
is
a
cryptographically
based,
inter
as
source
to
address
relation
protocol.
It
is
ipki
and
IP
stack
to
add
a
message
or
authentication
code
and
source
as
for
the
router
website,
and
delete
the
max
at
the
destination.
As
for
the
router
for
validating
The
Source
address
here
shows
the
main
process
are
receive
on
the
left
picture.
N
First,
rpk
process,
the
five
Regional
internet
regress
piece
authorized
by
Anna
use
their
root
certificate
to
send
the
certificate
Authority.
That
is,
certificate
of
the
local
internet
registry,
which
is
used
to
authorize
the
autonomous
system,
sometimes
in
indirectly,
without
the
internet
service
provider,
when
they
aborting
their
own
CA
certificate.
The,
as
would
sign
an
under
entity
certificate
with
the
road
origin,
authorization
that
is
Roa,
which
is
a
cryptographically
signed,
object
that
states
which,
as
are
authorized
to
originate
a
certain
prefix.
N
N
N
The
excess
negotiate
and
security
Association
using
ikev2
after
our
synchronization
all
is
for
the
routers
would
get
the
security
Association,
including
the
second
key
and
other
parameters,
and
the
last
highest
tag.
Communication
receive
your
ID
stack,
authentication
header
in
transport
mode
for
authentication
of
the
IP
Source
address
by
default.
While
s
model
router
in
ASA
send
the
package
to
ASB.
N
N
A
receive
announcements
includes
Awards
as
number
the
contact
IP
address
and
our
Boolean
type
testing
field
for
indicating
whether
the
content
IP
is
potentially
unreliable,
each,
as
is
as
content
server,
which
has
a
contact.
Id
recorders
that
were
accessed
for
operation
ACS
is
used
to
present
the
whole
as
to
initiate
ake
negotiation
with
other
es
ACS,
where
a
key
negotiation
completes
each.
N
As
for
the
router
in
one
participate,
ins
will
activate
the
same
functions
and
the
next
part
is
disabling,
is
safe
when
disabling
receives
the
participant
team,
as
would
first
stop
requirements
receive
authentication
of
incoming
package.
Second
remove
Reserve
or
announcement
from
the
article
Repository.
N
Third,
when
the
end
is
24
hours
and
last
stop
sending
receive
and
shut
down
the
counter
IP.
Well,
there
may
be
a
open
question
shall
we
use
an
authenticated
permanent
rejection
options
that
helps
to
disable
receive,
as
we
have
Scan
RFC
7
to
6
96,
the
latest
iq2
protocol?
It
has
two
nonification
message
tests
that
may
be
used
here
as
RFC
6023
defense.
N
N
Let's,
let's
introduce
data
planes
when
two
participating
as
Communications.
It
would
add
a
receive
header
to
each
other
package
from
one
participating
as
to
another
participating
as
after
receiving
a
package
coming
from
another
participated.
Yes,
as
for
the
router
would
check
the
SCV
field
and
remove
the
receive
header,
the
headphone
format
depends
on
the
mode
it
use.
Transport
mode
are
turning
mode
as
it
style
has
two
modes
the
same
also
supposedly
two
modes
in
default.
We
may
hope
to
use
receive
authentic
header
in
transport
mode.
N
This
mode
is
only
used
for
S2s
communication.
Here
we
think
the
endpoint
is
the
whole
autonomous
autonomous
system
for
distinguishing
we
save
and
standard
abstract.
We
single
receive
a
security
association
should
be
indexed
by
SP
SPI
and
the
counterpart
as
number
generally,
regardless
of
source
of
IP
address
and
the
destination
I
will
address
in
assay
database
foreign.
N
N
However,
we
also
think
there
is
problem.
As
you
may
know,
the
isability
of
the
USP
is
an
optional
field,
as
it
says
in
RC
for
oswego3,
but
here
it
should
be
our
required
field.
Esp
doesn't
protect
the
source
IP
in
default,
so
our
package
could
be
replaced
by
changing
the
source.
Ip
currently
negotiate
extension
to
ESP
that
covers
IP
header,
or
could
we
always
send
from
the
contact
key
and
encoded?
As
for
the
router
ID
in
the
low
bits
of
the
SPI
on
next
page,
please.
N
This
this
slide
shows
the
possible
extensions.
Where
is
the
possible
extension
for
received
here?
The
force
is
head
only
authentication
as
a
source
address
relation.
We
save
basic
layers
on
Max
in
the
IQ
field.
Is
that
our
tag
so
it
increased
the
computation
cost
here
for
efficiency?
It
could
use
the
East
this
extension
by
just
authenticating
the
IP
Source
address
and
IP
destination
address
and
other
constant
skills
in
the
IP
header.
But
this
tag
for
the
same
flow
could
be
always
the
same
when
the
K
is
unchanged
so
the
attacker.
N
May
we
use
this
tank
for
launching
our
player
tag.
This
could
only
be
used
for
some
non-expensive
traffic,
I
think
and
the
second
extension
is
10
best
K
rotation
for
elevating
the
about
problem.
This
is
the
10
best
resident
machine
key
generating.
This
will
sharing
the
active
time
window
of
the
key
after
receiving
or
security
Association.
The
two
party
will
use
the
key
in
a
security
Association
as
their
initial
State
and
rotate
the
K
periodically,
based
on
the
truth
and
Status
transition
algorithm
or
the
tag
is
generated
as
a
set
product.
N
It
would
allow
us
to
agree
on
shared
circuits
simplified
by
thinking
synchronizing.
The
rtk
database
also
Ike,
is
also
stateless,
as
it
is
iudp
button.
Here's
littlest
simplifies
the
provisioning
of
as
border
routers,
as
we
may
not
use
too
many
security
channels
for
S
models
and
ACS
communication.
However,
this
may
require
a
new
episode
negotiation
mechanism
as
a
supplement,
the
FC
6023
and
that
is
cloudless
initiation
of
iq2
security.
Association
may
be
a
good
choice
on
next
page.
Please.
N
Thanks-
and
here
is
some
security
consideration,
operational
consideration
and
about
the
security
is
consideration
with
with
shows
certain
model.
In
general,
we
save
six
to
provide
us
strong
defense
against
arbitrary,
active
attackers
who
are
external
to
the
source
and
destination.
Yes,
however,
different
real
estate
modes
and
the
configuration
of
a
different
sequel
properties
underway
is,
which
shows
two
attacks.
N
Yeah
option
operational
considerations:
we
talk
about
a
way
questions
about
reliability,
multiple
as
for
the
rotating
synchronization
and
performance,
and
until
on
the
net
scenaries
next
page.
Please.
L
C
So
I
was
gonna
just
give
three
answers
quickly
for
the
things
I
saw.
So
if
we
go
to
slide
four.
C
The
question
was
just
like
video
of
an
authenticated
permanent
rejection.
Yes,
that's
a
delete,
it's
up
to
each
end
where
they
will
restart
a
total
or
not,
but
those
are
independent
decisions.
So
if
you
delete
the
tunnel,
then
then
it
it's
up
to
both
peers
where
they
decide
to
establish
the
tunnel
again
or
not.
There's
no
negotiation
to
say:
don't
ever
come
back
to
me.
C
M
Slide
so
sorry
go
ahead.
I'm
a
benchwartz
I'm,
a
co-author
on
this
draft
I
want
to
ask
for
a
clarification
there.
My
impression
is
that
the
is
that
Ike,
the
the
ike
authorization
step
also
produces
a
child
essay
unless
childless
Ike
V2.
Unless
there's
a
child
with
like
me,
too,.
C
M
I
know
I
do
mean
of
the
child
essay.
My
question
is:
does
delete?
Is
there
a
race
condition?
Basically,
where.
K
M
C
M
L
Yes,
but
there
are,
there
can
be
several
reasons
why
you
would
want
to
listen.
The
RFC
mentions
at
least
some
of
them.
C
Next
slide,
the
icv
is
optional.
I
think
this
needs
a
clarification,
because
the
icv
is
mandatory
for
those
ciphers
that
require
it.
So
if
you
have
a
AES
Shot
2,
then
the
ICP
is
definitely
required,
because
that's
where
your
integrity
is,
if
you're
using
an
aead,
then
since
it
has
a
built-in
Integrity,
there's
no
icv,
so
you
don't
need
it.
So
optional
is
for
the
packet
format,
but
it's
not
optional
to
send
the
human
gets
to
choose.
You
have
to
comply
to
your
cryptographic,
algorithm
foreign.
C
K
M
Okay,
thank
you.
I
want
to
emphasize
that
these
are
possible
extensions,
they're,
not
extensions
that
are
actually
proposed
in
the
draft,
their
their
sort
of
notes
to
self
about
things
we
could
propose
if
we,
if
we
find
it
necessary,
I
just
want
to
briefly
add
that
this
is
a
very,
very
early
stage
proposal
and
we're
still
sort
of
looking
through
the
various
ip6
specifications
and
trying
to
figure
out
which
pieces
fit.
What
and
what's
missing
and
really.
This
is
very
closely
connected
to
to
things
like
the
anti-replay
subspaces
proposal.
A
H
Okay,
next,
please
first
I'd
like
to
introduce
the
background
of
this
draft
and
in
RFC
72
96,
section
2.8.
It
says
that
when
we're
keen
the
new
child
essay
should
not
have
different
traffic
selectors
and
algorithms
than
the
old
one,
so
you
don't
need
to.
You
can
just
resend
the
TS
and
the
sa
payloads,
but
furthermore,
you
can
omit
the
essay
and
TS
payloads
during
the
key
and
it
doesn't
violate
the
RFC
72
96
and
also
it
can
save
the
bandwidth
and
reduce
the
CPU
operations
next
slide,
please.
H
So
this
is
the
solution.
Recap
it's
it
after
itf113
and
there
is
no
change
to
the
solution,
and
there
was
a
lot
of
discussions
about
this
draft
in
the
previous
time
and
so
after,
but
the
solution
gets
got
Pure,
stable
and
mature
step
since
itf113
and
the
solution
is
quite
simple.
H
First,
if
the
negotiating
of
the
support
for
this
optimization
during
the
during
the
for
the
between
the
POS
and
next
is
to
just
send
the
new
Optima
notification
payloads
instead
of
the
TS
and
sa
payloads
for
working,
the
iksa
and
child
essays
next
slide.
Please.
A
H
But
yeah
so
next
about
the
updates,
the
version
9
was
updated
for
itf114
and
there
was
no
change
and
version.
10
was
updated
before
this
meeting
and
only
two
types
typos
were
fixed
and
the
next
slide
please,
and
for
in
the
itf113
Ibis
acne
report.
It
says
this
work
might
be
ready
to
be
adopted
next
slide,
please
and
in
104
report.
It
says
this
should
be
ready
for
adoption
next
slide.
H
Next
slide
yeah,
so
we
sincerely
ask
for
working
group
adoption
of
this
trap,
because
now
we
think
they
it's
as
clear
and
mature
and
also
in
the
future.
We
will
do
the
interrupt
test.
Yep.
O
Hello
I'm
from
Telecom
I
have
questions.
Did
you
have
a
deployed
this
technology
in
any
operators
network.
H
Actually
for
our
base
station
products
as
far
as
I
know,
they
have
deployed
this.
This
function,
yeah
for
the
you
know
the
5G
scenarios
yeah
to
protect
the
because
you
know
the
base
stations
will
need
to
use
the
ipsec
to
protect
their
Communications.
So
they
have
deployed
this
function.
Yeah.
O
Okay,
yes,
I
think
it
is
very
useful
in
the
network
which
deployed
ipsec
in
large
scale
and
yes
in
personal
I'm,
very
interested
in
this
solutions.
Thank
you.
A
B
P
Mailing
train
from
China
mobile
I'm
a
covers
on
this
draft.
It's
very
reducing
size
and
capability
of
i2v
I
gave
me
to
exchange
to
optimize
the
IP
set
used
by
low
power,
sensitive
devices,
and
that
was
concerned
environments.
P
D
A
What
data
tracker
seems
to
be
slow?
Okay,
the
next
one
is
IP
secondary
play,
sub
basis
and
I
got
an
error,
restricted
access,
foreign.
F
And
I'll
be
presenting
the
issue
we
have
with
anti-replay
in
the
multi
passage
and
multicore
processing
for
ipsec
next
slides,
please.
F
So
we
have
a
problem
that
is
quite
similar
to
the
one
that
is
addressed
by
the
draft
from
power,
watches
and
other
previous
draft
as
well,
which
is
to
do
improve
their
performances
of
ipsec
in
the
context
of
multi,
multi-core
and
multi-pass
and
Qs
as
well.
F
The
difference
is
that
we
are
trying
to
do
it
on
a
quite
a
large
ipsec
apps
with
10
or
thousands
of
ipsec
peers
and
in
that
situation,
if
we
try
to
increase
the
number
of
child,
let's
say,
for
instance,
assume
we
have
six
path,
a
cause,
aqs
classes
and
it's
still
quite
a
conservative
number.
So
we
get
to
like
around
4
million
child.
Let's
say
we
would
have
to
exchange
to
establish
all
the
tunnels,
and
so
we
fear
that
this
will
add
an
unnecessarily
load
to
the
the
ike
negotiation
and
re-keying
as
well.
F
I've
will
have
some
issues
with
the
the
cash
and
memory
in
the
CPU
to
do
that.
Next
slide,
please.
F
So
what
we
want
to
do
is
try
and
to
to
change
the
slightly
the
entry
play
processing
and
because
it
cannot
be
done
efficiently
across
multiple
cores
and
in
the
context
of
multi-path
it.
It
is
quite
easy
to
have
out
of
other
packets
that
gets
dropped
because
they're
out
of
the
window.
So
for
that
we
want
to
for
a
single
child.
Let's
say:
I
have
multiple
anti-replay
material
anti-replay
window
that
we
can
spread
across
multiple
Subspace
ID,
and
we
just
need
to
set
the
the
sender.
F
We
just
need
to
set
the
Subspace
ID
in
the
ESP
editor
and
when
the
receiver
see
the
packets,
it
just
has
to
get
the
Subspace
ID
to
use
the
correct
anti-replay
window
next
slide.
Please.
F
So
we
want
to
start
some
discussion
about
that
on
the
the
emailing
list.
The
first
one
is
the
ike
negotiation.
Currently
in
the
draft.
We
have
an
address
that
at
all,
so
any
input
from
the
working
group
is
warmly
welcomed
and
next
slide,
please,
the
second
one
would
be
to
where
to
store
the
the
set
space
ID
in
the
ESP
Adder.
F
One
option
we
started
from
was
to
use
the
sequence
number
field
in
the
ESP
editor,
but
that
limits
the
number
of
bits
we
can
use
and
on
High
beat
threats,
B
trades
link.
It
can
have
some
resync
issue
and
custom
outage.
One
solution
for
that
was
to
use
an
explicit,
extended
sequence
number
field
in
the
ESP
editor.
In
that
case,
we
can
use
more
bits
and
won't
have
this
issue.
F
The
second
option
would
be
to
have
an
additional
field
in
the
ESP
editor
which,
like
we
would
get,
for
instance,
16
bits
to
to
encode
the
Subspace
ID,
but
yeah
next
slide.
Please.
The
last
discussion-
and
this
is
already
started
on
the
mailing
list-
was
to
have
the
fips
compliance.
Especially.
We
talked
about
the
AES
GCM
Phipps
compliance.
So
there
is
a
maximum
number
of
time
you
have
to.
You
can
use
the
the
key
material.
F
So
we
need
to
make
sure
that
you
don't
go
above
the
2264
usage
allowed,
and
for
that
we
think
if
it's
in
the
extended
sequence
number
it's
for
free.
If
it's
not,
then
we
just
have
to
divide
that
by
the
number
of
zip
spaces.
You
will
use,
and
we
also
need
to
make
sure
that
the
iv
used
every
time
is
unique,
and
but
we
think
that
is,
should
not
be
a
big
issue
and
should
be
quite
easy
to
do
next
slide
please.
F
So
we
want
like
what
we
actually
want
is
just
the
input
from
the
the
working
group
to
see,
if
that's
an
issue
that
other
people
would
have
and
are
there
like
how
to
solve
it
and
come
with
a
common
proposal
for
for
that.
So
for
that
problem,
thank
you.
If
anyone
has
any
soul.
K
L
K
For
the
GCM,
a
nonce
issue,
remember,
32
bits
are
actually
coming
right
now
from
the
from
the
key
exchange
from
the
key
exchange.
The
obvious
thing
to
do
is:
take
your
Subspace
ID
and
stir
that
into
those
32
bits
and
therefore
not
Collision
is
impossible.
Okay,.
M
F
M
I
would
prefer
a
like
pure
stateless
solution.
It
looks
to
me
like
option.
Two
is
the
one:
that's
that
that
allows
the
recipient
to
be
basically
stateless,
specifically,
the
the
really
important
thing
is
like
the
for
the
recipient
to
be
able
to
lose
all
its
state
and
and
only
lose
replay
protection
and
still
be
able
to
decrypt
packets.
M
So
anyway,
option
number
two
looks
looks
like
a
good
approach
to
me.
There
are
a
lot
of
different
approaches
here.
The
another
one
that
we
talked
about
was
trying
to
trying
to
Hash
the
The
Source
IP
of
the
sender,
into
the
using
hkdf
to
to
add
the
source
IP
of
the
sender,
into
the
secret
used
for
decryption
and
validation,
which
means
that
every
Source
IP
automatically
gets
its
own
sequence
number
space.
G
F
A
So
we
already
have
32-bit
sender
ID,
which
tells
what
its
reply
counters
use.
It's
called
SPI
so
having
multiple
essays
is
actually
the
solution
for
dust.
The
other
thing
is,
you
have
to
remember
replay
protection,
the
sequence
number
generation
is
mandatory,
the
checking
is
not,
and
I
actually
are
very
I,
don't
think.
Actually
the
replay
protection
in
this
kind
of
in
the
middle
tunnels
gives
that
much
of
benefits,
because
they're
gonna
still
be
replaced
happening
after
your
ipsec
gateway
or
before
I
pick
this
up
Gateway,
which
is
not
detected
by
repay
counter.
A
So
you
can't
actually
really
trust
that
there
is
no
replays
ever
in
the
network,
so
your
upper
layer
protocols
need
to
have
a
sequest
numbers
or
protection
from
replace
anyway,
so
I'm
not
sure
if
it
actually
gives
that
much
of
benefit
in
this
level.
So
I
would
actually
just
you
know,
generate
separate
spis
for
or
separate
child
essays
for
each
of
these,
and
then
simply
you
know,
disabled
or
or
or
perhaps
even
disable,
to
the
replay
checking.
If
you
have
problems
with
that.
J
I,
don't
want
to
make
a
comment
comment
on
any
of
the
possible
options
to
solve
that.
But
a
lot
of
people
have
the
same
problems,
and
this
really
shows
that
we
should
try
to
solve
that.
Rather
sooner
than
later,
and
so
I
would
propose
to
do
a
virtual
interim
before
the
next
ITF
put
things
together
with
all
the
people
that
are
untrusted
and
come
up
with
a
possible
solution
and
Screen
done.
M
Ben
Ben
Schwartz
again
just
responding
to
tiro
to
say
you
know,
this
presentation
proposes
that
the
receiver
might
need
to
hold.
It
might
need
to
be
able
to
talk
to
four
million
different
separate
senders
with
their
own
sequence
number
space,
even
without
replay
protection
that
that
that
or
that
that
recipient
or
that
that
that
Pier
or
those
peers
would
you
know
potentially
then
need
four
million
child
essays
and
no,
they.
A
Yeah
but
I
mean
quality
service
classes
require
separate
essays
or
Republic
replay
counters
and
the
parts
we
only
because
they
might
come
in
the
different
order.
They
are
sent
in
the
same
location,
which
means
that
they
can
generate
sequence.
Numbers
very
I
mean
sequels
number
generation
is
easy
and
it
can
be
done
on
multi-core
environments
without
any
locks.
We
just
you
know,
you
know
what
one
SPI,
because
it's
it's
impossible
to
do
that
there's
you
know
tricks
to
do
that.
A
It's
an
implementation
data,
but
even
if
you
actually
can't
do
you
have
to
have
a
course-
and
you
can't
actually
have
any
communication
between
the
course
you
need
to
have,
and
then
you
need
to
have
one
SPI
or
one
essay
for
each
score.
But
then
we
come
to
the
back
to
the.
What
Paul
was
commented
earlier,
that
if
you
have
10
000
people
or
peers
peers,
you
probably
don't
need
each
core
to
have
a
separate.
You
know
a
child
essay
for
each
of
those.
F
Yes,
but
in
the
context
of
multipass,
you
easily
come
to
a
situation
where
you
actually
have.
You
can't
have
one
essay
for
a
car
yeah.
You
can't
specify
that
each
channel
is
going
to
be
on
one
specific
call,
and
so
you
have
the
issue
of
steering
packets
between
the
core
quite
easily.
That
appears
in
that
situation,
and
so
you
would
need
like
multiple,
like
quite
a
lot
of
these
essay,
maybe
not
all
the
four
million
but
a
number
in
the
same
magnitude
than
those.
Q
Can
you
hear
me
yeah?
Hopefully
it's
working?
Yes,
hi
everyone?
Yes,
so
I'm
here,
I'm
one
of
the
co-authors
of
the
drafts
I
just
want
to
react
to
some
of
the
commands
terra
made.
The
first
is
on
entire
replay
I.
Think
it's
pretty
much
a
concern.
I
mean
the
replay
of
packets
from
an
attacker,
the
IPC
Gateway
or
the
ipsec
route,
or
whatever
it's
used
to
protect
the
internal
Network
entirely
is
actually
expected
from
Standard
Security
standards
and
you
even
okay.
Q
The
attacker
could
not
create
other
packets,
but
it
could
pretty
much
close
or
help
close
DDOS
attack
inside
the
the
network.
If
attackers
could
just
send
more
more
packet,
more
of
the
same
packets
it
could
it
could
help
cause.
The
Adidas
second
command
was
about
the
SPI
and
we
could
use
the
the
SPI
to
do
that
and
so
more
shall
they
say
really
on
that.
I
want
to
stress,
even
though
it
was
mentioned
that
this
has
really
serious
security,
not
security,
scalability
concerned
in
the
implementations.
Q
Right
now,
you
know,
like
I,
looked
at
the
VPP
numbers
because
they
are
public.
The
top
speed
can
be
achieved
with
1
000
peers.
If
you
get
to
10
000
here
so
10
000
child
essays,
you
already
get
the
performance
downgrade
reduction.
Q
Q
Finally,
on
the
the
spreading
of
the
flows
and
the
tunnels
to
the
course,
so
one
aspect
is
that,
okay,
so
when
you
receive
packets,
those
typically
of
one
one
tunnel
typically
goes
to
one
specific
core:
that's
that's
correct,
but
when
you
want
to
transmit
on
a
tunnel,
then
the
flows
that
you
want
to
put
inside
the
tunnel.
They
they
get
processed
on
any
core
that
you're
processing.
A
So
actually
yeah,
we
actually
already
67
minutes
over
time
and
cookies
are
already
gone.
So
so,
if
I
think
that's,
we
actually
managed
to
get
to
the
end
of
the
agenda.
We
didn't
have
time
for
the
extra
items
and
there
seems
to
be
a
lot
of
discussion.
Look,
we
should
do
in
the
list,
so
let's
bring
it
back
to
the
list.