RFC 9611
Internet Key Exchange Protocol Version 2 (IKEv2) Support for Per-Resource Child Security Associations (SAs), July 2024
- Status: PROPOSED STANDARD
- Authors: A. Antony, T. Brunner, S. Klassert, P. Wouters
- Stream: IETF
- Source: ipsecme (sec)
DOI: https://doi.org/10.17487/RFC9611
Discuss this RFC: Send questions or comments to the mailing list ipsec@ietf.org
Abstract
In order to increase the bandwidth of IPsec traffic between peers, this document defines one Notify Message Status Type and one Notify Message Error Type payload for the Internet Key Exchange Protocol Version 2 (IKEv2) to support the negotiation of multiple Child Security Associations (SAs) with the same Traffic Selectors, used on different resources such as CPUs.
The SA_RESOURCE_INFO notification conveys that the negotiated Child SA and subsequent new Child SAs with the same Traffic Selectors form a logical group of Child SAs in which most or all of the Child SAs are bound to a specific resource, such as a specific CPU. The TS_MAX_QUEUE notify conveys that the peer is unwilling to create additional Child SAs for this particular negotiated Traffic Selector combination.
Using multiple Child SAs with the same Traffic Selectors has the benefit that each resource holding the Child SA has its own Sequence Number Counter, ensuring that CPUs don't have to synchronize their cryptographic state or disable their packet replay protection.
For the definition of Status, see RFC 2026.
For the definition of Stream, see RFC 8729.