| draft-xu-ipsecme-esp-in-udp-lb-11.txt | draft-xu-ipsecme-esp-in-udp-lb-12.txt | |||
|---|---|---|---|---|
| Network Working Group X. Xu | Network Working Group X. Xu | |||
| Internet-Draft China Mobile | Internet-Draft China Mobile | |||
| Intended status: Standards Track S. Hegde | Intended status: Standards Track S. Hegde | |||
| Expires: 15 March 2024 Juniper Networks | Expires: 27 September 2024 Juniper Networks | |||
| B. Pismenny | B. Pismenny | |||
| Nvidia | Nvidia | |||
| D. Zhang | D. Zhang | |||
| L. Xia | L. Xia | |||
| Huawei | Huawei | |||
| M. Puttaswamy | M. Puttaswamy | |||
| Juniper Networks | Juniper Networks | |||
| 12 September 2023 | 26 March 2024 | |||
| Encapsulating IPsec ESP in UDP for Load-balancing | Encapsulating IPsec ESP in UDP for Load-balancing | |||
| draft-xu-ipsecme-esp-in-udp-lb-11 | draft-xu-ipsecme-esp-in-udp-lb-12 | |||
| Abstract | Abstract | |||
| IPsec Virtual Private Network (VPN) is widely used by enterprises to | IPsec Virtual Private Network (VPN) is widely used by enterprises to | |||
| interconnect their geographical dispersed branch office locations | interconnect their geographical dispersed branch office locations | |||
| across the Wide Area Network (WAN) or the Internet, especially in the | across the Wide Area Network (WAN) or the Internet, especially in the | |||
| Software-Defined-WAN (SD-WAN) era. In addition, IPsec is also | Software-Defined-WAN (SD-WAN) era. In addition, IPsec is also | |||
| increasingly used by cloud providers to encrypt IP traffic traversing | increasingly used by cloud providers to encrypt IP traffic traversing | |||
| data center networks and data center interconnect WANs so as to meet | data center networks and data center interconnect WANs so as to meet | |||
| the security and compliance requirements, especially in financial | the security and compliance requirements, especially in financial | |||
| skipping to change at page 2, line 10 ¶ | skipping to change at page 2, line 10 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 15 March 2024. | This Internet-Draft will expire on 27 September 2024. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2023 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Revised BSD License text as | extracted from this document must include Revised BSD License text as | |||
| described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Revised BSD License. | provided without warranty as described in the Revised BSD License. | |||
| skipping to change at page 2, line 38 ¶ | skipping to change at page 2, line 38 ¶ | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Encapsulation in UDP . . . . . . . . . . . . . . . . . . . . 4 | 3. Encapsulation in UDP . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Processing Procedures . . . . . . . . . . . . . . . . . . . . 5 | 4. Processing Procedures . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Congestion Considerations . . . . . . . . . . . . . . . . . . 6 | 5. Congestion Considerations . . . . . . . . . . . . . . . . . . 6 | |||
| 6. Applicability Statements . . . . . . . . . . . . . . . . . . 6 | 6. Applicability Statements . . . . . . . . . . . . . . . . . . 6 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 8 | 10.2. Informative References . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 1. Introduction | 1. Introduction | |||
| IPsec Virtual Private Network (VPN) is widely used by enterprises to | IPsec Virtual Private Network (VPN) is widely used by enterprises to | |||
| interconnect their geographical dispersed branch office locations | interconnect their geographical dispersed branch office locations | |||
| across the Wide Area Network (WAN) or the Internet, especially in the | across the Wide Area Network (WAN) or the Internet, especially in the | |||
| Software-Defined-WAN (SD-WAN) era. In addition, IPsec is also | Software-Defined-WAN (SD-WAN) era. In addition, IPsec is also | |||
| increasingly used by cloud providers to encrypt IP traffic traversing | increasingly used by cloud providers to encrypt IP traffic traversing | |||
| skipping to change at page 5, line 12 ¶ | skipping to change at page 5, line 12 ¶ | |||
| to identify specific applications/protocols) which may be | to identify specific applications/protocols) which may be | |||
| required in some cases, instead of calculating a 16-bit hash, | required in some cases, instead of calculating a 16-bit hash, | |||
| the encapsulator SHOULD calculate a 14-bit hash and use those | the encapsulator SHOULD calculate a 14-bit hash and use those | |||
| 14 bits as the least significant bits of the source port field | 14 bits as the least significant bits of the source port field | |||
| while the most significant two bits SHOULD be set to binary 11. | while the most significant two bits SHOULD be set to binary 11. | |||
| That still conveys 14 bits of entropy information which would | That still conveys 14 bits of entropy information which would | |||
| be enough as well in practice. | be enough as well in practice. | |||
| Destination Port of UDP: | Destination Port of UDP: | |||
| This field is set to a value (TBD1) allocated by IANA to | This field is set to a value (TBD1) allocated by IANA to | |||
| indicate that the UDP tunnel payload is an ESP packet. | indicate that the UDP tunnel payload is an ESP packet. | |||
| UDP Length: | UDP Length: | |||
| The usage of this field is in accordance with the current UDP | The usage of this field is in accordance with the current UDP | |||
| specification [RFC0768]. | specification [RFC0768]. | |||
| UDP Checksum: | UDP Checksum: | |||
| For IPv4 UDP encapsulation, this field is RECOMMENDED to be set | For IPv4 UDP encapsulation, this field is RECOMMENDED to be set | |||
| to zero for performance or implementation reasons because the | to zero for performance or implementation reasons because the | |||
| IPv4 header includes a checksum and use of the UDP checksum is | IPv4 header includes a checksum and use of the UDP checksum is | |||
| optional with IPv4. For IPv6 UDP encapsulation, the IPv6 | optional with IPv4. For IPv6 UDP encapsulation, the IPv6 | |||
| header does not include a checksum, so this field MUST contain | header does not include a checksum, so this field MUST contain | |||
| a UDP checksum that MUST be used as specified in [RFC0768] and | a UDP checksum that MUST be used as specified in [RFC0768] and | |||
| [RFC2460] unless one of the exceptions that allows use of UDP | [RFC2460] unless one of the exceptions that allows use of UDP | |||
| zero-checksum mode (as specified in [RFC6935]) applies. | zero-checksum mode (as specified in [RFC6935]) applies. | |||
| ESP Packet: | ESP Packet: | |||
| This field contains one ESP packet. | This field contains one ESP packet. | |||
| 4. Processing Procedures | 4. Processing Procedures | |||
| This ESP-in-UDP encapsulation causes ESP [RFC2406] packets to be | This ESP-in-UDP encapsulation causes ESP [RFC2406] packets to be | |||
| forwarded across IP WAN via "UDP tunnels". When performing ESP-in- | forwarded across IP WAN via "UDP tunnels". When performing ESP-in- | |||
| UDP encapsulation by an IPsec VPN gateway, ordinary ESP encapsulation | UDP encapsulation by an IPsec VPN gateway, ordinary ESP encapsulation | |||
| procedure is performed and then a formatted UDP header is inserted | procedure is performed and then a formatted UDP header is inserted | |||
| between ESP header and IP header. The Source Port field of the UDP | between ESP header and IP header. The Source Port field of the UDP | |||
| header is filled with an entropy value which is generated by the | header is filled with an entropy value which is generated by the | |||
| IPsec VPN gateway. Upon receiving these UDP encapsulated packets, | IPsec VPN gateway. Upon receiving these UDP encapsulated packets, | |||
| skipping to change at page 6, line 45 ¶ | skipping to change at page 6, line 45 ¶ | |||
| Service Name: ESP-in-UDP Transport Protocol(s):UDP | Service Name: ESP-in-UDP Transport Protocol(s):UDP | |||
| Assignee: IESG <iesg@ietf.org> | Assignee: IESG <iesg@ietf.org> | |||
| Contact: IETF Chair <chair@ietf.org>. | Contact: IETF Chair <chair@ietf.org>. | |||
| Description: Encapsulate ESP packets in UDP tunnels. | Description: Encapsulate ESP packets in UDP tunnels. | |||
| Reference: This document. | Reference: This document. | |||
| Port Number: TBD1 -- To be assigned by IANA. | Port Number: TBD1 -- To be assigned by IANA. | |||
| 9. Security Considerations | 9. Security Considerations | |||
| TBD. | If source port is generated using inner packet parameters, care | |||
| should be taken to not reveal those parameters. Including some | ||||
| random bytes along with the inner packet parameters will ensure the | ||||
| information of inner IP header is not revealed. | ||||
| Because packets are traversing different paths and the ESP sequence | ||||
| number is assigned sequencially by the encapsulator irrespective of | ||||
| the packet flow, the receiver might receive packets out-of-order and | ||||
| end up dropping them as delayed/out-of-order packets. Based on the | ||||
| network speed and load, administrator should be able to adjust the | ||||
| replay window size or entirely disable the replay check. | ||||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | |||
| DOI 10.17487/RFC0768, August 1980, | DOI 10.17487/RFC0768, August 1980, | |||
| <https://www.rfc-editor.org/info/rfc768>. | <https://www.rfc-editor.org/info/rfc768>. | |||
| [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, | [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, | |||
| End of changes. 11 change blocks. | ||||
| 12 lines changed or deleted | 22 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||