Hi Yoav and Michael,

Thanks for your comments.

If I understand it correctly, the destination port number 4500 has been dedicated to the NAT traversal usage described in RFC 3948, where "the Source Port and Destination Port MUST be the same as that used by IKE traffic". Therefore, it would be better for us to request a new destination port for the load-balancing usage described in this draft.

Best regards,
Xiaohu

> -----Original Message-----
> From: Yoav Nir [mailto:ynir.i...@gmail.com]
> Sent: 3 November 2016 00:42
> To: Michael Richardson
> Cc: Xuxiaohu; ipsec@ietf.org
> Subject: Re: [IPsec] New Version Notification for
> draft-xu-ipsecme-esp-in-udp-lb-00.txt
>
>
> > On 2 Nov 2016, at 18:19, Michael Richardson <mcr+i...@sandelman.ca> wrote:
> >
> >
> > Yoav Nir <ynir.i...@gmail.com> wrote:
> >> 4 Why do we need a new port? What goes wrong if the packets go to
> >> port 4500?
> >
> > I think that TE/load-balancer in the network calculates the same tuple
> > hash and so takes the same path. (Presuming that it ignores the source
> > UDP port)
>
> I don’t follow. The draft requests a new destination port from IANA. Let’s
> assume it is 14500.
>
> What is the difference between having every gateway send traffic with the
> 5-tuple (me, random_port, UDP, you, 4500) and having every gateway send
> traffic with the 5-tuple (me, random_port, UDP, you, 14500) ?
>
> Sending UDP-encapsulated traffic from a random port works today, and has the
> advantage that middleboxes trying to classify traffic already know what it is.
>
> Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
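The disagreement in the thread is really about where the per-SA entropy in the outer header comes from. The following is an added illustration, not code from the draft or from any participant: it models a simple ECMP-style link chooser that hashes the outer 5-tuple (or only the 3-tuple, for a device that ignores UDP ports, as Michael's parenthetical supposes) and compares three constructed cases: RFC 3948-style encapsulation with source and destination port both 4500, a random source port towards 4500 (Yoav's case), and a random source port towards a hypothetical new port 14500. The hash function, path count, addresses and port 14500 are assumptions chosen for the example; real routers and load balancers use their own hash inputs and functions.

```python
"""Constructed example: how an ECMP/load-balancer tuple hash spreads
UDP-encapsulated ESP flows depending on which outer-header fields vary."""
import hashlib
import ipaddress
import random
import struct

UDP = 17
NAT_T_PORT = 4500          # RFC 3948 UDP-encapsulated ESP port
NEW_PORT = 14500           # hypothetical new port, as assumed in the thread
N_PATHS = 8                # assumed number of equal-cost links
N_SAS = 64                 # assumed number of SAs between the two gateways
GW_A, GW_B = "192.0.2.1", "198.51.100.1"   # documentation addresses


def ecmp_path(src_ip, dst_ip, proto, sport, dport, n_paths=N_PATHS, use_ports=True):
    """Pick one of n_paths links from the outer header.

    use_ports=True hashes the full 5-tuple; use_ports=False models a device that
    hashes only (src IP, dst IP, protocol), i.e. ignores the UDP ports.
    The hash itself (SHA-256 truncated to 32 bits) is just a stand-in for a
    vendor's hash; only its determinism matters here.
    """
    key = (ipaddress.ip_address(src_ip).packed
           + ipaddress.ip_address(dst_ip).packed
           + struct.pack("!B", proto))
    if use_ports:
        key += struct.pack("!HH", sport, dport)
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


def make_flows(dport, random_sport, n_sas=N_SAS, seed=1):
    """Build n_sas outer 5-tuples from GW_A to GW_B on the given destination port.

    With random_sport=False every SA uses source port 4500 as well, matching the
    RFC 3948 rule that the ports are the same as those used by IKE traffic.
    """
    rng = random.Random(seed)
    flows = []
    for _ in range(n_sas):
        sport = rng.randint(49152, 65535) if random_sport else NAT_T_PORT
        flows.append((GW_A, GW_B, UDP, sport, dport))
    return flows


def distinct_paths(flows, use_ports=True):
    """Number of different links the flows land on under the chosen hash."""
    return len({ecmp_path(*f, use_ports=use_ports) for f in flows})


def compare_cases():
    """Return {case: (paths with 5-tuple hash, paths with 3-tuple hash)}."""
    cases = {
        "fixed 4500->4500 (RFC 3948)": make_flows(NAT_T_PORT, random_sport=False),
        "random->4500": make_flows(NAT_T_PORT, random_sport=True),
        "random->14500 (hypothetical)": make_flows(NEW_PORT, random_sport=True),
    }
    return {name: (distinct_paths(fl, True), distinct_paths(fl, False))
            for name, fl in cases.items()}


if __name__ == "__main__":
    for name, (with_ports, without_ports) in compare_cases().items():
        print(f"{name:32s} 5-tuple hash: {with_ports} link(s)  "
              f"3-tuple hash: {without_ports} link(s)")
```

Two things fall out of running it. With both ports pinned to 4500 all SAs between the same gateway pair share one 5-tuple and land on one link, so changing only the destination port would not help; a varying source port is what spreads them, and it does so equally well towards 4500 or 14500. And a device that hashes only on addresses and protocol puts every case on a single link regardless of either port, which is the situation Michael's parenthetical describes.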