Last Call Review of draft-ietf-ipsecme-multi-sa-performance-06
review-ietf-ipsecme-multi-sa-performance-06-tsvart-lc-ihlar-2024-04-10-00

Request Review of draft-ietf-ipsecme-multi-sa-performance
Requested revision No specific revision (document currently at 08)
Type Last Call Review
Team Transport Area Review Team (tsvart)
Deadline 2024-04-02
Requested 2024-03-19
Authors Antony Antony, Tobias Brunner, Steffen Klassert, Paul Wouters
I-D last updated 2024-04-10
Completed reviews Secdir Last Call review of -06 by Rich Salz (diff)
Intdir Telechat review of -08 by Timothy Winters
Tsvart Last Call review of -06 by Marcus Ihlar (diff)
Assignment Reviewer Marcus Ihlar
State Completed
Request Last Call review on draft-ietf-ipsecme-multi-sa-performance by Transport Area Review Team Assigned
Posted at https://mailarchive.ietf.org/arch/msg/tsv-art/SojffZ1Eq2q1ML9PpPBk0Xfi544
Reviewed revision 06 (document currently at 08)
Result Ready w/issues
Completed 2024-04-10
This document has been reviewed as part of the transport area review team's
ongoing effort to review key IETF documents. These comments were written
primarily for the transport area directors, but are copied to the document's
authors and WG to allow them to address any issues raised and also to the IETF
discussion list for information.

When done at the time of IETF Last Call, the authors should consider this
review as part of the last-call comments they receive. Please always CC
tsv-art@ietf.org if you reply to or forward this review.

This document introduces a mechanism for establishing multiple child SAs for a
single traffic selector and binding these SAs to specific resources such as
CPUs. This simplifies parallel crypto processing since there is no need to
synchronize state between CPUs. Overall this is a well-written document with a
straightforward solution to a concrete problem.

Packets of a single traffic selector can be mapped to multiple Child SAs that
are bound to specific resources. How individual packets are mapped to Child SAs
can have consequences for end-to-end performance, for instance by introducing
packet reordering and packet delay variation if packets of a single end-to-end
flow are split across Child SAs. Load balancing algorithms and policies are
likely best left as implementation details, but I do think a paragraph in the
operational considerations section could be warranted.
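
An added illustration of the reordering concern raised above, not part of the review or of the draft: a small model in which each Child SA has a fixed processing delay, comparing a per-packet round-robin selector with a per-flow hash selector. The delays, flow tuples and function names are assumptions constructed for this example.

```python
import hashlib
from collections import defaultdict

# Constructed per-SA processing delay in time units; each Child SA is
# assumed to be pinned to one CPU with a different load.
SA_DELAY = [5, 1, 3, 8]

# Constructed flows (src, sport, dst, dport, proto), documentation addresses.
FLOWS = [
    ("192.0.2.10", 40000, "198.51.100.5", 443, "tcp"),
    ("192.0.2.11", 40001, "198.51.100.5", 443, "tcp"),
    ("192.0.2.12", 40002, "198.51.100.6", 5201, "udp"),
]

def make_packets(flows, per_flow):
    """Interleave the flows; one packet is sent per time unit."""
    pkts = []
    for seq in range(per_flow):
        for flow in flows:
            pkts.append({"flow": flow, "seq": seq, "sent": len(pkts)})
    return pkts

def round_robin(pkt, idx):
    """Per-packet spreading: consecutive packets go to consecutive SAs."""
    return idx % len(SA_DELAY)

def flow_hash(pkt, idx):
    """Per-flow pinning: every packet of a flow uses the same Child SA."""
    digest = hashlib.sha256(repr(pkt["flow"]).encode()).digest()
    return int.from_bytes(digest[:4], "big") % len(SA_DELAY)

def reordered(pkts, pick_sa):
    """Count packets that arrive after a later packet of the same flow."""
    arrivals = []
    for idx, p in enumerate(pkts):
        arrivals.append((p["sent"] + SA_DELAY[pick_sa(p, idx)], p["sent"], p))
    arrivals.sort(key=lambda a: (a[0], a[1]))
    highest = defaultdict(lambda: -1)  # highest sequence number seen per flow
    late = 0
    for _, _, p in arrivals:
        if p["seq"] < highest[p["flow"]]:
            late += 1
        highest[p["flow"]] = max(highest[p["flow"]], p["seq"])
    return late

if __name__ == "__main__":
    pkts = make_packets(FLOWS, 8)
    print("round robin:", reordered(pkts, round_robin))
    print("flow hash:  ", reordered(pkts, flow_hash))
```

Per-flow pinning keeps each flow in order because all of its packets see the same delay; per-packet spreading exposes a flow to the delay differences between SAs.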