Hi, Xiaohu

A few comments. Actually, they're more like questions.

How are IPsec SAs mapped to UDP pseudo-connections? Is it a 1:1 mapping between SPI and source port? If not, how do you deal with the packet reordering that the load balancer will do? IPsec requires ordered or nearly-ordered delivery.

How is this negotiated? In IKE? Prior agreement?

Why do we need a new port? What goes wrong if the packets go to port 4500?

Thanks

Yoav

> On 1 Nov 2016, at 3:45, Xuxiaohu <xuxia...@huawei.com> wrote:
>
> Hi all,
>
> Any comments and suggestions are welcome.
>
> Best regards,
> Xiaohu
>
>> -----Original Message-----
>> From: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org]
>> Sent: 31 October 2016 19:15
>> To: Xuxiaohu; zhangdacheng; Xialiang (Frank)
>> Subject: New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt
>>
>>
>> A new version of I-D, draft-xu-ipsecme-esp-in-udp-lb-00.txt
>> has been successfully submitted by Liang Xia and posted to the IETF
>> repository.
>>
>> Name: draft-xu-ipsecme-esp-in-udp-lb
>> Revision: 00
>> Title: Encapsulating IPsec ESP in UDP for Load-balancing
>> Document date: 2016-10-31
>> Group: Individual Submission
>> Pages: 7
>> URL: https://www.ietf.org/internet-drafts/draft-xu-ipsecme-esp-in-udp-lb-00.txt
>> Status: https://datatracker.ietf.org/doc/draft-xu-ipsecme-esp-in-udp-lb/
>> Htmlized: https://tools.ietf.org/html/draft-xu-ipsecme-esp-in-udp-lb-00
>>
>>
>> Abstract:
>> IPsec Virtual Private Network (VPN) is widely used by enterprises to
>> interconnect their geographically dispersed branch office locations
>> across IP Wide Area Network (WAN). To fully utilize the bandwidth
>> available in IP WAN, load balancing of traffic between different
>> IPsec VPN sites over Equal Cost Multi-Path (ECMP) and/or Link
>> Aggregation Group (LAG) within IP WAN is attractive to those
>> enterprises deploying IPsec VPN solutions. This document defines a
>> method to encapsulate IPsec Encapsulating Security Payload (ESP)
>> packets inside UDP packets for improving load-balancing of IPsec
>> tunneled traffic. In addition, this encapsulation is also applicable
>> to some special multi-tenant data center network environment where
>> the overlay tunnels need to be secured.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
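The SA-to-UDP-port mapping and the reordering concern raised in the reply above, as an added illustration that is not code from the draft or from anyone on the thread. It assumes one possible design, not necessarily the draft's: the UDP source port is derived from the SPI plus the inner 5-tuple so each inner flow stays on one ECMP path, and the UDP destination port constant is a placeholder (the page does not give the draft's port; 4500 is used only because the reply mentions it). The ESP header layout and the sliding anti-replay window follow RFC 4303; the sample 5-tuples, payload and path delays are constructed, and the simulation assumes the ECMP hash placed the two inner flows on different paths.

```python
import hashlib
import struct

# Wire formats: RFC 4303 ESP header (SPI, sequence number) and RFC 768 UDP header.
ESP_HDR = struct.Struct("!II")
UDP_HDR = struct.Struct("!HHHH")        # src port, dst port, length, checksum
# Placeholder: the draft's port number is not on this page; 4500 is illustration only.
UDP_DST_PORT = 4500


def entropy_port(spi, inner_flow):
    """Assumed design: a stable UDP source port per (SA, inner flow).

    Stable per flow means every packet of one inner flow hashes to the same
    ECMP path, so reordering can only happen *between* inner flows."""
    key = struct.pack("!I", spi) + repr(inner_flow).encode()
    h = int.from_bytes(hashlib.sha256(key).digest()[:2], "big")
    return 49152 + h % 16384              # dynamic/private port range


def encapsulate(spi, seq, payload, inner_flow):
    """Build UDP header + ESP header + (already encrypted) payload."""
    esp = ESP_HDR.pack(spi, seq) + payload
    udp = UDP_HDR.pack(entropy_port(spi, inner_flow), UDP_DST_PORT,
                       UDP_HDR.size + len(esp), 0)
    return udp + esp


def decapsulate(pkt):
    """Receiver side: demux on destination port, then read SPI and sequence number."""
    sport, dport, length, _csum = UDP_HDR.unpack_from(pkt)
    if dport != UDP_DST_PORT or length != len(pkt):
        raise ValueError("not an ESP-in-UDP packet for our port")
    spi, seq = ESP_HDR.unpack_from(pkt, UDP_HDR.size)
    return sport, spi, seq, pkt[UDP_HDR.size + ESP_HDR.size:]


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 section 3.4.3); bit 0 is the highest seq seen."""

    def __init__(self, size=64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0                      # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq):
        if seq > self.top:                # advance the window
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= self.size:
            return False                  # too late: dropped exactly as a replay would be
        bit = 1 << behind
        if self.bitmap & bit:
            return False                  # genuine duplicate
        self.bitmap |= bit
        return True


def simulate_ecmp(path_delay, n_packets=200, window=64):
    """One SA carrying two inner flows, each pinned to one ECMP path by its UDP source port.

    path_delay: per-path latency in ticks; one packet is sent per tick, flows alternate.
    Returns how many packets the receiver's anti-replay window rejects."""
    spi = 0x1234ABCD
    flows = [("10.0.0.1", "10.0.1.1", 6, 40000, 443),      # constructed inner 5-tuples
             ("10.0.0.2", "10.0.1.2", 17, 5000, 53)]
    in_flight = []
    for seq in range(1, n_packets + 1):
        flow = flows[seq % len(flows)]
        path = flows.index(flow) % len(path_delay)   # assumption: flows land on distinct paths
        pkt = encapsulate(spi, seq, b"ciphertext", flow)   # constructed payload
        in_flight.append((seq + path_delay[path], pkt))
    in_flight.sort(key=lambda t: t[0])   # stable sort: arrival order at the receiver
    rw = ReplayWindow(window)
    rejected = 0
    for _, pkt in in_flight:
        _, spi_rx, seq_rx, _ = decapsulate(pkt)
        assert spi_rx == spi
        if not rw.accept(seq_rx):
            rejected += 1
    return rejected


if __name__ == "__main__":
    print("skew 10 ticks, window 64: rejected =", simulate_ecmp((0, 10)))
    print("skew 100 ticks, window 64: rejected =", simulate_ecmp((0, 100)))
```

The point the simulation makes: with a per-flow port the receiver sees reordering only between inner flows, and that reordering is tolerated as long as the path-delay difference stays inside the anti-replay window; once it exceeds the window, late packets on the slower path are silently dropped as if they were replays, which is the failure mode to watch for (and to alarm on via replay-drop counters) when ESP from a single SA is spread across ECMP paths.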