> On Nov 15, 2016, at 18:12, Xuxiaohu <xuxia...@huawei.com> wrote:
>
> Hi all,
>
> Just some clarifications of the motivation for Encapsulating ESP in UDP for
> load balancing:
>
> 1) The load-balancing here means distributing IPsec traffic flows over
> multiple ECMPs (Equal-Cost Multipath) within IP WAN (Wide Area Network),
> rather than multiple IPsec gateways. Since most existing core routers within
> IP WAN can already support balancing IP traffic flows based on the hash of
> the five-tuple of UDP packets, by encapsulating IPsec Encapsulating Security
> Payload (ESP) packets inside UDP packets with the UDP source port being used
> as an entropy field, it will enable existing core routers to perform
> efficient load-balancing of the IPsec tunneled traffic without requiring any
> change to them.

I do not understand "entropy"?

If you have non-NATed endpoints and you do ESPinUDP as per RFC 3948, isn't that
unique enough since you assume no NAT?

On our implementation (libreswan) you can configure this using forceencaps=yes,
which results in that endpoint "lying" with the NAT discovery payloads so it
"detects NAT" and uses encapsulation.

Can you explain why you think you need a new document?

Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
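
Added example, not part of either message in this thread: a small simulation of the five-tuple ECMP hashing the quoted text relies on, comparing plain ESP, ESP-in-UDP with a constant port pair, and ESP-in-UDP with a per-flow source port. Assumptions: SHA-256 stands in for a router's vendor-specific hash, the addresses and inner flows are constructed, and the destination port and source-port range in the per-flow case are placeholders.

```python
import hashlib
from collections import Counter

ESP, UDP = 50, 17                          # IP protocol numbers
GW_A, GW_B = "192.0.2.1", "198.51.100.1"   # constructed gateway addresses
NATT_PORT = 4500                           # port RFC 3948 encapsulation shares with IKE
LB_DST_PORT = 40000                        # placeholder: the thread names no port

def _h(data: str) -> int:
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:4], "big")

def ecmp_path(outer, n_paths):
    """Pick a path from the outer five-tuple. SHA-256 stands in for the
    router's own hash, which is vendor-specific."""
    return _h("|".join(map(str, outer))) % n_paths

def entropy_port(inner_flow):
    """Derive the UDP source port from the inner flow (assumed range 49152-65535)."""
    return 49152 + _h(repr(inner_flow)) % 16384

def outer_tuple(inner_flow, mode):
    """Outer (src, dst, proto, sport, dport) a core router sees for one tunneled flow."""
    if mode == "esp":            # plain ESP: no ports visible to the router
        return (GW_A, GW_B, ESP, 0, 0)
    if mode == "fixed-udp":      # ESP-in-UDP with a constant port pair, no NAT
        return (GW_A, GW_B, UDP, NATT_PORT, NATT_PORT)
    if mode == "entropy-udp":    # source port varies per inner flow
        return (GW_A, GW_B, UDP, entropy_port(inner_flow), LB_DST_PORT)
    raise ValueError(mode)

def path_usage(mode, inner_flows, n_paths=4):
    """Count inner flows per ECMP path for one encapsulation mode."""
    return Counter(ecmp_path(outer_tuple(f, mode), n_paths) for f in inner_flows)

# Constructed inner flows: 200 TCP connections between hosts behind the gateways.
INNER_FLOWS = [("10.1.0.%d" % (i % 50 + 1), "10.2.0.9", 6, 30000 + i, 443)
               for i in range(200)]

if __name__ == "__main__":
    for mode in ("esp", "fixed-udp", "entropy-udp"):
        print(mode, dict(path_usage(mode, INNER_FLOWS)))
```

With a single gateway pair, the first two modes present one outer five-tuple to the core, so every inner flow lands on the same path; only the per-flow source port gives the hash something to vary on.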