@@ -66,6 +66,12 @@ in stateful decryption configurations, sharing a common SPI namespace
6666while introducing new capabilities to enhance IPsec’s performance
6767and versatility in modern use cases.
6868
69+ EESP Sub SAs provide a unidirectional SA instead of conventional
70+ Child SAs. By deriving unique keys, sequence number spaces, and
71+ IV spaces from an existing Child SA, Sub SAs streamline traffic
72+ flow management, reduce overhead, and enable more efficient
73+ lifecycle operations.
74+
6975This document does not obsolete or update any existing RFCs. While
7076stateless implementations of EESP are referenced, their negotiation,
7177which is similar to [[PSP]], is outside the scope of this document.
@@ -233,55 +239,66 @@ per packet basis inside any inner flow to avoid packet reordering.
233239The Flow Identifier SHOULD be negotiated when creating EESP SA.
234240
235241
236- * Sub SAs
237-
238- An EESP Sub SA is a unidirectional Security Association derived from
239- an existing EESP Child SA pair. It inherits all properties except
240- keys, sequence number space, and IV space. These three are unique for
241- each Sub SA. This allows finer granularity for managing
242- uni-directional traffic flows. Sub SAs avoid the overhead associated
243- with bidirectional Child SAs for identical traffic
244- selections[[RFC7296]], [[RFC9611]]. They enable more efficient
245- resource utilization and improved performance, particularly in
246- scenarios requiring high flexibility. Each Sub SA is uniquely
247- identified by a Sub SA ID, which is used to derive a unique key. The
248- Sub SA ID is carried in each EESP packet, either in the Session ID
249- field or in the Flow ID field, as negotiated during the establishment
250- of the EESP Child SA.
251-
252- Advantages of Sub SAs compared to Child SAs with different keys:
253-
254- - Possibility for unidirectional SAs. Compared to [[RFC9611]], when a
255- per-resource SA is established, it is bidirectional. However, both
256- directions of the SA MAY not always be in use. Using CREATE_CHILD_SA
257- does not allow unidirectional SAs.
258-
259- - No extra setup time, i.e., zero round-trip time to set up
260- additional Sub SAs. This would be more efficient than using large
261- IKE window size specified in [[RFC7296]] to manage multiple SAs.
262-
263- - Sub SAs are more efficient to create, rekey, and delete. Their
264- lifecycle management is simpler compared to traditional Child SAs.
265-
266- - When using hierarchical key derivation, especially when using
267- hardware key derivation, Sub SA keys can be derived on-the-fly
268- per packet. This reduces "Data-plane performance degradation due to
269- the use of a larger number of keys" as noted in
270- [[I-D.ponchon-ipsecme-anti-replay-subspaces]].
271-
272- To negotiate Sub SA SUB_SA_ID in Session ID Transform. Or in a Flow
273- IDs Transform. TBD: expand Sub SA with Flow ID negotiation
274-
275- AEAD transforms, such as AES-GCM or those specified in [[RFC8750]],
276- require that the IV does not repeat within a single Sub SA. Each Sub
277- SA uses a distinct key, ensuring proper cryptographic separation.
278- While the IV may repeat across different Sub SAs, this complies with
279- the requirement that each key must be paired with a unique IV.
280-
281- Each Sub SA MUST maintain an independent sequence number space
282- when using full 64-bit sequence numbers. For a specific key within
283- a Sub SA, sequence numbers MUST BE unique and follow a
284- monotonically increasing order to meet cryptographic requirements.
242+ * Sub SA
243+ Existing mechanisms for establishing Child SAs, as described in
244+ [[RFC7296]], yield bidirectional SAs. When using
245+ per resource as specified [[RFC9611]] or DSCP bidirectional
246+ SAs are not always necessary; think predomently unidirectional TCP
247+ or QUIC flow. In many use cases, several uni directinal SAs
248+ utilized, while others are unused which can result in unnecessary
249+ overhead for management, rekeying, and resource consumption.
250+ Furthermore, using multiple bidirectional Child SAs for granular
251+ traffic flows often leads to additional setup delays and complex
252+ lifetime management. This inefficiency is particularly acute in
253+ high-throughput or low-latency environments, where rapid setup and
254+ teardown of SAs is essential to maintain performance.
255+
256+ An EESP Sub SA provides a unidirectional Security Association
257+ derived from an existing EESP Child SA pair. It inherits all of
258+ the Child SA’s properties except for keys, sequence number space,
259+ and IV space, each of which MUST be unique to each Sub SA. By
260+ defining these unidirectional flows, Sub SAs offer a more efficient
261+ alternative to large numbers of bidirectional Child SAs with the
262+ same traffic selectors [[RFC7296]], [[RFC9611]].
263+
264+ Each Sub SA is identified by a Sub SA ID, which MUST be carried in
265+ each EESP packet—either in the Session ID field or in the Flow ID
266+ field—consistent with the negotiation of the EESP Child SA. This
267+ Sub SA ID is used to derive a unique key, yielding the following
268+ benefits:
269+
270+ - Unidirectional Operation: In contrast to the per-resource
271+ SAs of [[RFC9611]], which are bidirectional, Sub SAs MAY be
272+ defined strictly in one direction when reverse traffic is
273+ absent. CREATE_CHILD_SA does not otherwise support
274+ unidirectional SAs.
275+
276+ - Zero Additional Setup Time: Sub SAs require no extra IKE
277+ message exchanges, unlike requesting more Child SAs or relying
278+ on large IKE windows [[RFC7296]]. This allows rapid provisioning
279+ of extra flows without introducing round-trip delays.
280+
281+ - Simplified Lifecycle Management**: Sub SAs are more efficient
282+ to create, rekey, and delete than traditional Child SAs. Their
283+ narrow scope streamlines both key management and policy
284+ enforcement.
285+
286+ - On-the-Fly Key Derivation: Implementations using hierarchical
287+ key derivation, particularly with hardware offload, MAY derive
288+ Sub SA keys dynamically on a per-packet basis. This mitigates
289+ the risk of data-plane performance degradation caused by a large
290+ number of keys [[I-D.ponchon-ipsecme-anti-replay-subspaces]].
291+
292+ AEAD transforms such as AES-GCM [[RFC4106]], CHACHA20-POLY1305
293+ [[RFC7634]], also using as IIV, [[RFC8750]] ,
294+ require that the IV never repeat within a single Sub SA.
295+ Because each Sub SA uses a distinct key, the IV MAY be reused
296+ across different Sub SAs, satisfying the requirement that each
297+ key be paired with a unique IV. Implementations MUST also maintain
298+ an independent sequence number space for each Sub SA when full
299+ 64-bit sequence numbers are in use. For a given Sub SA key, sequence
300+ numbers MUST remain unique and monotonically increasing to meet
301+ cryptographic requirements.
285302
286303** UDP Encapsulation of Sub SA
287304
608625** RFC7942
609626** RFC8750
610627** RFC4555
628+ ** RFC4106
611629
612630** I-D.mrossberg-ipsecme-multiple-sequence-counters
613631** I-D.ponchon-ipsecme-anti-replay-subspaces
0 commit comments