{"draft":"draft-ietf-ipsecme-multi-sa-performance-09","doc_id":"RFC9611","title":"Internet Key Exchange Protocol Version 2 (IKEv2) Support for Per-Resource Child Security Associations (SAs)","authors":["A. Antony","T. Brunner","S. Klassert","P. Wouters"],"format":["HTML","TEXT","PDF","XML"],"page_count":"9","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"IP Security Maintenance and Extensions","abstract":"In order to increase the bandwidth of IPsec traffic between peers,\r\nthis document defines one Notify Message Status Types and one Notify\r\nMessage Error Types payload for the Internet Key Exchange Protocol\r\nVersion 2 (IKEv2) to support the negotiation of multiple Child\r\nSecurity Associations (SAs) with the same Traffic Selectors used on\r\ndifferent resources, such as CPUs. \r\n\r\nThe SA_RESOURCE_INFO notification is used to convey information that\r\nthe negotiated Child SA and subsequent new Child SAs with the same\r\nTraffic Selectors are a logical group of Child SAs where most or all\r\nof the Child SAs are bound to a specific resource, such as a specific\r\nCPU. The TS_MAX_QUEUE notify conveys that the peer is unwilling to\r\ncreate more additional Child SAs for this particular negotiated\r\nTraffic Selector combination. \r\n\r\nUsing multiple Child SAs with the same Traffic Selectors has the\r\nbenefit that each resource holding the Child SA has its own Sequence\r\nNumber Counter, ensuring that CPUs don't have to synchronize their\r\ncryptographic state or disable their packet replay protection.","pub_date":"July 2024","keywords":["IKEv2","IPsec"],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC9611","errata_url":null}