Hi Valery:

Agreed that LB only needs control of the source port to provide entropy.

Our application is for traversal of highly meshed data centre fabrics. We encapsulate and de-encapsulate at the server using smart NICs and so don't have any impact on RSS or host software (nor improvement over their standard operation). We perform the encapsulation/de-encapsulation after the ESP packet is formed. Since encapsulation occurs after and de-encapsulation occurs before the IPsec stack, IPsec does not see any of the new port assignments, so we don't have any issues with the SADB or IKE.

Cheers,
Paul

-----Original Message-----
From: Valery Smyslov [mailto:smyslov.i...@gmail.com]
Sent: Thursday, April 1, 2021 11:08 PM
To: 'Tero Kivinen' <kivi...@iki.fi>; Bottorff, Paul <paul.botto...@hpe.com>
Cc: 'IPsec' <ipsec@ietf.org>; antony.ant...@secunet.com
Subject: RE: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Hi Tero,

> For the load balancing I think it is enough for just one of the ports
> to be different, thus initiator could simply allocate n random source
> port numbers, and initiate IKE from each of them to responder, and
> then create SAs for each of them separately, thus allowing load
> balancing using UDP encapsulation using existing hardware.

RFC 7791 + MOBIKE can be used to clone IKE SA and move it to a different local IP+port.

Regards,
Valery.

> --
> kivi...@iki.fi
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> INVALID URI REMOVED