Re: [IPsec] New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt
The draft has no text about mapping SA to source port. So if I’m understanding you correctly, the tunnel ingress calculates the port (is there actual calculation, or just picking?), so if it sends all packets for a particular SA with the same UDP source port, they will all traverse the same path and therefore will likely not get re-ordered, or at least will not get any more re-ordered than IPsec packets on the regular Internet. Did I understand this correctly? Yoav > On 3 Nov 2016, at 8:27, Xuxiaohu <xuxia...@huawei.com> wrote: > > Hi Yoav, > > The load-balancing mechanism as described in this draft would ensure a given > traffic flow to be forwarded over a certain path. In other words, there is no > disordering issue. The destination port is assigned by IANA while the source > port is dynamically calculated by the ingress of the IPsec/UDP tunnel. > Furthermore, a given traffic flow would be forwarded over a certain path and > therefore this is no disordering issue. As for why do we need a new port, I > had attempted to reply in another email. > > Best regards, > XIaohu > > 发件人: Yoav Nir [mailto:ynir.i...@gmail.com] > 发送时间: 2016年11月1日 15:31 > 收件人: Xuxiaohu > 抄送: ipsec@ietf.org > 主题: Re: [IPsec] New Version Notification for > draft-xu-ipsecme-esp-in-udp-lb-00.txt > > Hi, Xiaohu > > A few comments. Actually, they’re more like questions. > > How are IPsec SAs mapped to UDP pseudo-connections? Is it a 1:1 mapping > between SPI and source port? > If now, how do you deal with the packet reordering that the load balancer > will do? IPsec requires ordered or nearly-ordered delivery. > How is this negotiated? In IKE? Prior agreement? > Why do we need a new port? What goes wrong if the packets go to port 4500? > > Thanks > > Yoav > On 1 Nov 2016, at 3:45, Xuxiaohu <xuxia...@huawei.com > <mailto:xuxia...@huawei.com>> wrote: > > Hi all, > > Any comments and suggestions are welcome. > > Best regards, > Xiaohu > > > -邮件原件- > 发件人: internet-dra...@ietf.org <mailto:internet-dra...@ietf.org> > [mailto:internet-dra...@ietf.org <mailto:internet-dra...@ietf.org>] > 发送时间: 2016年10月31日 19:15 > 收件人: Xuxiaohu; zhangdacheng; Xialiang (Frank) > 主题: New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt > > > A new version of I-D, draft-xu-ipsecme-esp-in-udp-lb-00.txt > has been successfully submitted by Liang Xia and posted to the IETF > repository. > > Name: draft-xu-ipsecme-esp-in-udp-lb > Revision: 00 > Title: Encapsulating IPsec ESP in UDP for Load-balancing > Document date:2016-10-31 > Group: Individual Submission > Pages: 7 > URL: > https://www.ietf.org/internet-drafts/draft-xu-ipsecme-esp-in-udp-lb-00.txt > <https://www.ietf.org/internet-drafts/draft-xu-ipsecme-esp-in-udp-lb-00.txt> > Status: > https://datatracker.ietf.org/doc/draft-xu-ipsecme-esp-in-udp-lb/ > <https://datatracker.ietf.org/doc/draft-xu-ipsecme-esp-in-udp-lb/> > Htmlized: https://tools.ietf.org/html/draft-xu-ipsecme-esp-in-udp-lb-00 > <https://tools.ietf.org/html/draft-xu-ipsecme-esp-in-udp-lb-00> > > > Abstract: > IPsec Virtual Private Network (VPN) is widely used by enterprises to > interconnect their geographical dispersed branch office locations > across IP Wide Area Network (WAN). To fully utilize the bandwidth > available in IP WAN, load balancing of traffic between different > IPsec VPN sites over Equal Cost Multi-Path (ECMP) and/or Link > Aggregation Group (LAG) within IP WAN is attractive to those > enterprises deploying IPsec VPN solutions. This document defines a > method to encapsulate IPsec Encapsulating Security Payload (ESP) > packets inside UDP packets for improving load-balancing of IPsec > tunneled traffic. In addition, this encapsulation is also applicable > to some special multi-tenant data center network environment where > the overlay tunnels need to be secured. > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > ___ > IPsec mailing list > IPsec@ietf.org <mailto:IPsec@ietf.org> > https://www.ietf.org/mailman/listinfo/ipsec > <https://www.ietf.org/mailman/listinfo/ipsec> ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt
> On 2 Nov 2016, at 18:19, Michael Richardsonwrote: > > > Yoav Nir wrote: >> 4 Why do we need a new port? What goes wrong if the >> packets go to port 4500? > > I think that TE/load-balancer in the network calculates the same tuple hash > and so takes the same path. (Presuming that it ignores the source UDP port) I don’t follow. The draft requests a new destination port from IANA. Let’s assume it is 14500. What is the difference between having every gateway send traffic with the 5-tuple (me, random_port, UDP, you, 4500) and having every gateway send traffic with the 5-tuple (me, random_port, UDP, you, 14500) ? Sending UDP-encapsulated traffic from a random port works today, and has the advantage that middleboxes trying to classify traffic already know what it is. Yoav . ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt
Yoav Nirwrote: > 4 Why do we need a new port? What goes wrong if the > packets go to port 4500? I think that TE/load-balancer in the network calculates the same tuple hash and so takes the same path. (Presuming that it ignores the source UDP port) -- Michael Richardson , Sandelman Software Works -= IPv6 IoT consulting =- signature.asc Description: PGP signature ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt
Hi, I have almost the same list of questions as Yoav’s list. But main question is - how are you going to ensure that load balancer delivers ESP packets to the same cluster node where IKE messages that create this ESP SA were delivered? In other words, load balancer must deliver ESP packets to the node that can decrypt them, i.e. to the node that has appropriate keys, i.e. to the node that created this ESP SA, i.e. to the node IKE SA messages that created that ESP SA were delivered, and this messages definitely had different UDP ports. If balancer doesn’t know anything about IKE/IPsec and looks only on UDP ports, then how the above requirement is met? On the other hand, if you spread ESP keys over all cluster nodes, then why do you bother to care that load balancer delivers all ESP SA packets to the same node? Regards, Valery. From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav Nir Sent: Tuesday, November 01, 2016 10:31 AM To: Xuxiaohu Cc: ipsec@ietf.org Subject: Re: [IPsec] New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt Hi, Xiaohu A few comments. Actually, they’re more like questions. 1. How are IPsec SAs mapped to UDP pseudo-connections? Is it a 1:1 mapping between SPI and source port? 2. If now, how do you deal with the packet reordering that the load balancer will do? IPsec requires ordered or nearly-ordered delivery. 3. How is this negotiated? In IKE? Prior agreement? 4. Why do we need a new port? What goes wrong if the packets go to port 4500? Thanks Yoav On 1 Nov 2016, at 3:45, Xuxiaohu <xuxia...@huawei.com> wrote: Hi all, Any comments and suggestions are welcome. Best regards, Xiaohu -邮件原件- 发件人: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org] 发送时间: 2016年10月31日 19:15 收件人: Xuxiaohu; zhangdacheng; Xialiang (Frank) 主题: New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt A new version of I-D, draft-xu-ipsecme-esp-in-udp-lb-00.txt has been successfully submitted by Liang Xia and posted to the IETF repository. Name: draft-xu-ipsecme-esp-in-udp-lb Revision: 00 Title: Encapsulating IPsec ESP in UDP for Load-balancing Document date:2016-10-31 Group: Individual Submission Pages: 7 URL: https://www.ietf.org/internet-drafts/draft-xu-ipsecme-esp-in-udp-lb-00.txt Status: https://datatracker.ietf.org/doc/draft-xu-ipsecme-esp-in-udp-lb/ Htmlized: https://tools.ietf.org/html/draft-xu-ipsecme-esp-in-udp-lb-00 Abstract: IPsec Virtual Private Network (VPN) is widely used by enterprises to interconnect their geographical dispersed branch office locations across IP Wide Area Network (WAN). To fully utilize the bandwidth available in IP WAN, load balancing of traffic between different IPsec VPN sites over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Group (LAG) within IP WAN is attractive to those enterprises deploying IPsec VPN solutions. This document defines a method to encapsulate IPsec Encapsulating Security Payload (ESP) packets inside UDP packets for improving load-balancing of IPsec tunneled traffic. In addition, this encapsulation is also applicable to some special multi-tenant data center network environment where the overlay tunnels need to be secured. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt
Hi, Xiaohu A few comments. Actually, they’re more like questions. How are IPsec SAs mapped to UDP pseudo-connections? Is it a 1:1 mapping between SPI and source port? If now, how do you deal with the packet reordering that the load balancer will do? IPsec requires ordered or nearly-ordered delivery. How is this negotiated? In IKE? Prior agreement? Why do we need a new port? What goes wrong if the packets go to port 4500? Thanks Yoav > On 1 Nov 2016, at 3:45, Xuxiaohuwrote: > > Hi all, > > Any comments and suggestions are welcome. > > Best regards, > Xiaohu > >> -邮件原件- >> 发件人: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org] >> 发送时间: 2016年10月31日 19:15 >> 收件人: Xuxiaohu; zhangdacheng; Xialiang (Frank) >> 主题: New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt >> >> >> A new version of I-D, draft-xu-ipsecme-esp-in-udp-lb-00.txt >> has been successfully submitted by Liang Xia and posted to the IETF >> repository. >> >> Name:draft-xu-ipsecme-esp-in-udp-lb >> Revision:00 >> Title: Encapsulating IPsec ESP in UDP for Load-balancing >> Document date: 2016-10-31 >> Group: Individual Submission >> Pages: 7 >> URL: >> https://www.ietf.org/internet-drafts/draft-xu-ipsecme-esp-in-udp-lb-00.txt >> Status: >> https://datatracker.ietf.org/doc/draft-xu-ipsecme-esp-in-udp-lb/ >> Htmlized: https://tools.ietf.org/html/draft-xu-ipsecme-esp-in-udp-lb-00 >> >> >> Abstract: >> IPsec Virtual Private Network (VPN) is widely used by enterprises to >> interconnect their geographical dispersed branch office locations >> across IP Wide Area Network (WAN). To fully utilize the bandwidth >> available in IP WAN, load balancing of traffic between different >> IPsec VPN sites over Equal Cost Multi-Path (ECMP) and/or Link >> Aggregation Group (LAG) within IP WAN is attractive to those >> enterprises deploying IPsec VPN solutions. This document defines a >> method to encapsulate IPsec Encapsulating Security Payload (ESP) >> packets inside UDP packets for improving load-balancing of IPsec >> tunneled traffic. In addition, this encapsulation is also applicable >> to some special multi-tenant data center network environment where >> the overlay tunnels need to be secured. >> >> >> >> >> Please note that it may take a couple of minutes from the time of submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> The IETF Secretariat > > ___ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec