[IPsec] Reply: New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt

2016-11-02 Thread Xuxiaohu
Hi Yoav and Michael,

Thanks for your comments.

If I understand it correctly, the dest port number of 4500 has been dedicated 
for the NAT traversal usage as described in RFC3948 where "the Source Port and 
Destination Port MUST be the same as that used by IKE traffic"; therefore, it'd 
be better for us to request a new dest port for the load-balancing usage as 
described in this draft.

Best regards,
Xiaohu

> -Original Message-
> From: Yoav Nir [mailto:ynir.i...@gmail.com]
> Sent: 3 November 2016 0:42
> To: Michael Richardson
> Cc: Xuxiaohu; ipsec@ietf.org
> Subject: Re: [IPsec] New Version Notification for
> draft-xu-ipsecme-esp-in-udp-lb-00.txt
> 
> 
> > On 2 Nov 2016, at 18:19, Michael Richardson wrote:
> >
> >
> > Yoav Nir  wrote:
> >> 4 Why do we need a new port? What goes wrong if the packets go to
> >> port 4500?
> >
> > I think that TE/load-balancer in the network calculates the same tuple
> > hash and so takes the same path. (Presuming that it ignores the source
> > UDP port)
> 
> I don’t follow. The draft requests a new destination port from IANA. Let’s
> assume it is 14500.
> 
> What is the difference between having every gateway send traffic with the
> 5-tuple (me, random_port, UDP, you, 4500) and having every gateway send
> traffic with the 5-tuple (me, random_port, UDP, you, 14500) ?
> 
> Sending UDP-encapsulated traffic from a random port works today, and has the
> advantage that middleboxes trying to classify traffic already know what it is.
> 
> Yoav
> .
> 

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


Re: [IPsec] New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt

2016-11-02 Thread Yoav Nir

> On 2 Nov 2016, at 18:19, Michael Richardson  wrote:
> 
> 
> Yoav Nir  wrote:
>> 4 Why do we need a new port? What goes wrong if the
>> packets go to port 4500?
> 
> I think that TE/load-balancer in the network calculates the same tuple hash
> and so takes the same path. (Presuming that it ignores the source UDP port)

I don’t follow. The draft requests a new destination port from IANA. Let’s 
assume it is 14500. 

What is the difference between having every gateway send traffic with the 
5-tuple (me, random_port, UDP, you, 4500) and having every gateway send traffic 
with the 5-tuple (me, random_port, UDP, you, 14500) ?

Sending UDP-encapsulated traffic from a random port works today, and has the 
advantage that middleboxes trying to classify traffic already know what it is.

Yoav
.




Re: [IPsec] New Version Notification for draft-xu-ipsecme-esp-in-udp-lb-00.txt

2016-11-02 Thread Michael Richardson

Yoav Nir  wrote:
> 4 Why do we need a new port? What goes wrong if the
> packets go to port 4500?

I think that TE/load-balancer in the network calculates the same tuple hash
and so takes the same path. (Presuming that it ignores the source UDP port)

--
Michael Richardson , Sandelman Software Works
 -= IPv6 IoT consulting =-

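The two positions above (Yoav's: with a per-flow random source port, it makes no difference to the 5-tuple hash whether the destination port is 4500 or a new one; Michael's: if the forwarder ignores the UDP source port, the hash is the same for every flow) can be checked with a small simulation. The following is an added example, not code from the draft or from anyone in the thread. It assumes SHA-256 as a stand-in for whatever CRC/XOR hash a real ECMP forwarder or load balancer uses, uses 14500 purely as the placeholder port number from Yoav's message (not an IANA assignment), and uses constructed RFC 5737 documentation addresses and flow counts as sample input.

```python
"""Added example (not from the draft or the thread): simulate how an
ECMP/load-balancer 5-tuple hash spreads IPsec traffic between two gateways,
natively as ESP and as ESP-in-UDP with a per-flow ephemeral source port.

Assumptions: sha256 stands in for the forwarder's real hash function;
14500 is only the hypothetical port from the thread; addresses, path count
and flow counts are constructed sample input.
"""
import hashlib
import random
import struct
from collections import Counter

PROTO_ESP = 50
PROTO_UDP = 17
NAT_T_PORT = 4500             # RFC 3948 UDP-encapsulated ESP / IKE NAT-T port
HYPOTHETICAL_LB_PORT = 14500  # assumption: placeholder from the thread, not an IANA assignment
PATHS = 8                     # constructed: number of equal-cost paths / LB members

GW_A = "192.0.2.1"            # constructed: RFC 5737 documentation addresses
GW_B = "198.51.100.1"


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def path_for(src: str, dst: str, proto: int, sport: int = 0, dport: int = 0,
             hash_sport: bool = True) -> int:
    """Pick an ECMP path index from the 5-tuple.

    hash_sport=False models a forwarder that ignores the source port, the
    case Michael's message presumes. sha256 is a stand-in hash (assumption).
    """
    key = _ip_bytes(src) + _ip_bytes(dst) + bytes([proto])
    key += struct.pack("!HH", sport if hash_sport else 0, dport)
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % PATHS


def plain_esp_paths(n_flows: int) -> Counter:
    """Native ESP (IP protocol 50): there are no transport ports, and a classic
    5-tuple hash does not look at the SPI, so every inner flow between the
    same two gateways lands on the same path."""
    return Counter(path_for(GW_A, GW_B, PROTO_ESP) for _ in range(n_flows))


def udp_encap_paths(n_flows: int, dport: int, hash_sport: bool = True,
                    seed: int = 1) -> Counter:
    """ESP-in-UDP: each inner flow gets its own ephemeral source port
    (the mechanism the draft relies on); the destination port is fixed."""
    rng = random.Random(seed)  # deterministic so runs are reproducible
    return Counter(
        path_for(GW_A, GW_B, PROTO_UDP, rng.randint(49152, 65535), dport, hash_sport)
        for _ in range(n_flows)
    )


def compare(n_flows: int = 1000) -> dict:
    """Number of distinct paths used in each scenario."""
    return {
        "esp": len(plain_esp_paths(n_flows)),
        "udp_4500": len(udp_encap_paths(n_flows, NAT_T_PORT)),
        "udp_14500": len(udp_encap_paths(n_flows, HYPOTHETICAL_LB_PORT)),
        "udp_4500_no_sport": len(udp_encap_paths(n_flows, NAT_T_PORT, hash_sport=False)),
        "udp_14500_no_sport": len(udp_encap_paths(n_flows, HYPOTHETICAL_LB_PORT, hash_sport=False)),
    }


if __name__ == "__main__":
    for scenario, used in compare().items():
        print(f"{scenario:20s} -> {used} of {PATHS} paths")
```

Run as a script it prints one line per scenario. Native ESP collapses onto a single path; with the source port in the hash, 4500 and 14500 spread the flows over all paths equally well; with the source port excluded from the hash, both destination ports collapse onto a single path again. The model says nothing about the other argument in the thread, namely whether a port reserved by RFC 3948 for NAT traversal may carry traffic whose source port is chosen per flow rather than matching IKE's.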