< draft-xu-ipsecme-esp-in-udp-lb-00.txt   draft-xu-ipsecme-esp-in-udp-lb-01.txt >
Network Working Group X. Xu
Internet Draft D. Zhang
Category: Standard Track L.Xia
Huawei
Expires: December 2016 October 31, 2016 Network Working Group X. Xu
Internet-Draft D. Zhang
Intended status: Standards Track L. Xia
Expires: May 28, 2018 Huawei
November 24, 2017
Encapsulating IPsec ESP in UDP for Load-balancing Encapsulating IPsec ESP in UDP for Load-balancing
draft-xu-ipsecme-esp-in-udp-lb-01
draft-xu-ipsecme-esp-in-udp-lb-00 Abstract
Abstract IPsec Virtual Private Network (VPN) is widely used by enterprises to
interconnect their geographical dispersed branch office locations
across IP Wide Area Network (WAN) or the Internet, especially in the
Software-Defined-WAN (SD-WAN) era. To fully utilize the bandwidth
available in IP WAN or the Internet, load balancing of traffic
between different IPsec VPN sites over Equal Cost Multi-Path (ECMP)
and/or Link Aggregation Group (LAG) is attractive to those
enterprises deploying IPsec VPN solutions. This document defines a
method to encapsulate IPsec Encapsulating Security Payload (ESP)
packets over UDP tunnels for improving load-balancing of IPsec ESP
traffic.
IPsec Virtual Private Network (VPN) is widely used by enterprises to Status of This Memo
interconnect their geographical dispersed branch office locations
across IP Wide Area Network (WAN). To fully utilize the bandwidth
available in IP WAN, load balancing of traffic between different
IPsec VPN sites over Equal Cost Multi-Path (ECMP) and/or Link
Aggregation Group (LAG) within IP WAN is attractive to those
enterprises deploying IPsec VPN solutions. This document defines a
method to encapsulate IPsec Encapsulating Security Payload (ESP)
packets inside UDP packets for improving load-balancing of IPsec
tunneled traffic. In addition, this encapsulation is also applicable
to some special multi-tenant data center network environment where
the overlay tunnels need to be secured.
Status of this Memo This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
This Internet-Draft is submitted in full conformance with the Internet-Drafts are working documents of the Internet Engineering
provisions of BCP 78 and BCP 79. Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are draft documents valid for a maximum of six months
Task Force (IETF), its areas, and its working groups. Note that and may be updated, replaced, or obsoleted by other documents at any
other groups may also distribute working documents as Internet- time. It is inappropriate to use Internet-Drafts as reference
Drafts. material or to cite them other than as "work in progress."
Internet-Drafts are draft documents valid for a maximum of six This Internet-Draft will expire on May 28, 2018.
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at Copyright Notice
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at Copyright (c) 2017 IETF Trust and the persons identified as the
http://www.ietf.org/shadow.html. document authors. All rights reserved.
Internet-Draft Encapsulating ESP in UDP for Load-balancing October This document is subject to BCP 78 and the IETF Trust's Legal
2016 Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This Internet-Draft will expire on December 31, 2016. Table of Contents
Copyright Notice 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Encapsulation in UDP . . . . . . . . . . . . . . . . . . . . 3
4. Processing Procedures . . . . . . . . . . . . . . . . . . . . 5
5. Congestion Considerations . . . . . . . . . . . . . . . . . . 5
6. Applicability Statements . . . . . . . . . . . . . . . . . . 5
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
9. Security Considerations . . . . . . . . . . . . . . . . . . . 6
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
10.1. Normative References . . . . . . . . . . . . . . . . . . 6
10.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
Copyright (c) 2013 IETF Trust and the persons identified as the 1. Introduction
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal IPsec Virtual Private Network (VPN) is widely used by enterprises to
Provisions Relating to IETF Documents interconnect their geographical dispersed branch office locations
(http://trustee.ietf.org/license-info) in effect on the date of across IP Wide Area Network (WAN) or the Internet, especially in the
publication of this document. Please review these documents Software-Defined-WAN (SD-WAN) era. To fully utilize the bandwidth
carefully, as they describe your rights and restrictions with available in IP WAN or the Internet, load balancing of traffic
respect to this document. Code Components extracted from this between different IPsec VPN sites over Equal Cost Multi-Path (ECMP)
document must include Simplified BSD License text as described in and/or Link Aggregation Group (LAG) is much attractive to those
Section 4.e of the Trust Legal Provisions and are provided without enterprises that deploy IPsec VPN solutions. Since most existing
warranty as described in the Simplified BSD License. core routers within IP WAN or the Internet can already support
balancing IP traffic flows based on the hash of the five-tuple of UDP
packets, by encapsulating IPsec Encapsulating Security Payload (ESP)
packets over UDP tunnels with the UDP source port being used as an
entropy field, it will enable existing core routers to perform
efficient load-balancing of the IPsec ESP traffic without requiring
any change to them. Therefore, this specification defines a method
of encapsulating IPsec ESP packets over UDP tunnels for improving
load-balancing of IPsec ESP traffic.
Conventions used in this document Encapsulating ESP in UDP, as defined in this document, can be used in
both IPv4 and IPv6 networks. IPv6 flow label has been proposed as an
entropy field for load balancing in IPv6 network environment
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", [RFC6438]. However, as stated in [RFC6936], the end-to-end use of
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this flow labels for load balancing is a long-term solution and therefore
document are to be interpreted as described in RFC-2119 [RFC2119]. the use of load balancing using the transport header fields would
continue until any widespread deployment is finally achieved. As
such, ESP-in-UDP encapsulation would still have a practical
application value in the IPv6 networks during this transition
timeframe.
Table of Contents Note that the difference between the ESP-in-UDP encapsulation as
proposed in this document and the ESP-in-UDP encapsulation as
described in [RFC3948] is that the former uses the UDP tunnel for
load-balancing improvement purpose and therefore the source port is
used as an entropy field while the latter uses the UDP tunnel for NAT
traverse purpose and therefore the source port is set to a constant
value (i.e., 4500). In addition, this document only discusses about
the tunnel mode ESP encapsulation.
1. Introduction ................................................ 3 1.1. Requirements Language
2. Terminology ................................................. 4
3. Encapsulating ESP in UDP .................................... 4
4. Encapsulation and Decapsulation Procedures .................. 5
5. Congestion Considerations ................................... 5
6. Security Considerations ..................................... 5
7. IANA Considerations ......................................... 6
8. Acknowledgements ............................................ 6
9. References .................................................. 6
9.1. Normative References ................................... 6
9.2. Informative References ................................. 6
Authors' Addresses ............................................. 7
Internet-Draft Encapsulating ESP in UDP for Load-balancing October
2016
1. Introduction The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
IPsec Virtual Private Network (VPN) is widely used by enterprises to 2. Terminology
interconnect their geographical dispersed branch office locations
across IP Wide Area Network (WAN). To fully utilize the bandwidth
available in IP WAN, load balancing of traffic between different
IPsec VPN sites over Equal Cost Multi-Path (ECMP) and/or Link
Aggregation Group (LAG) within IP WAN is much attractive to those
enterprises that deploy IPsec VPN solutions. Since most existing
core routers within IP WAN can already support balancing IP traffic
flows based on the hash of the five-tuple of UDP packets, by
encapsulating IPsec Encapsulating Security Payload (ESP) packets
inside UDP packets with the UDP source port being used as an entropy
field, it will enable existing core routers to perform efficient
load-balancing of the IPsec tunneled traffic without requiring any
change to them. Therefore, this specification defines a method of
encapsulating IPsec ESP packets inside UDP packets for improving
load-balancing of IPsec tunneled traffic. This is similar to why
LISP [RFC6830], MPLS-in-UDP [RFC7510] and VXLAN [RFC7348] use UDP
encapsulation.
In addition, this encapsulation is also applicable to some special This memo makes use of the terms defined in [RFC2401]and [RFC2406].
multi-tenant data center network environment where the overlay
tunnels need to be secured while the UDP-based ECMP capability is
desired as well (see [draft-ietf-nvo3-use-case]).
Encapsulating ESP in UDP, as defined in this document, can be used 3. Encapsulation in UDP
in both IPv4 and IPv6 scenarios. IPv6 flow label has been proposed
as an entropy field for load balancing in IPv6 network environment
[RFC6438]. However, as stated in [RFC6936], the end-to-end use of
flow labels for load balancing is a long-term solution and therefore
the use of load balancing using the transport header fields would
continue until any widespread deployment is finally achieved. As
such, IP-in-UDP encapsulation would still have a practical
application value in the IPv6 networks during this transition
timeframe.
Note that the difference between the ESP-in-UDP encapsulation as ESP-in-UDP encapsulation format is shown as follows:
proposed in this document and the ESP-in-UDP encapsulation as
described in [RFC3948] is that the former uses the UDP tunnel for
load-balancing improvement purpose and therefore the source port is
used as an entropy field while the latter uses the UDP tunnel for
NAT traverse purpose and therefore the source port is set to a
constant value (i.e., 4500). In addition, the document only
discusses about the tunnel mode ESP encapsulation.
Internet-Draft Encapsulating ESP in UDP for Load-balancing October 0 1 2 3
2016 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port = Entropy | Dest Port = TBD1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| UDP Length | UDP Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ ESP Packet ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: ESP-in-UDP Encapsulation Format
2. Terminology Source Port of UDP:
This memo makes use of the terms defined in [RFC2401] and [RFC2406]. This field contains a 16-bit entropy value that is generated by
the encapsulator to uniquely identify a flow. What constitutes
a flow is locally determined by the encapsulator and therefore
is outside the scope of this document. What algorithm is
actually used by the encapsulator to generate an entropy value
is outside the scope of this document.
3. Encapsulating ESP in UDP In case the tunnel does not need entropy, this field of all
packets belonging to a given flow SHOULD be set to a randomly
selected constant value so as to avoid packet reordering.
ESP-in-UDP encapsulation format is shown as follows: To ensure that the source port number is always in the range
49152 to 65535 (Note that those ports less than 49152 are
reserved by IANA to identify specific applications/protocols)
which may be required in some cases, instead of calculating a
16-bit hash, the encapsulator SHOULD calculate a 14-bit hash
and use those 14 bits as the least significant bits of the
source port field while the most significant two bits SHOULD be
set to binary 11. That still conveys 14 bits of entropy
information which would be enough as well in practice.
0 1 2 3 Destination Port of UDP:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port = entropy | Dest Port = ESP |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| UDP Length | UDP Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ ESP Packet ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Source Port of UDP This field is set to a value (TBD1) allocated by IANA to
indicate that the UDP tunnel payload is an ESP packet.
This field contains a 16-bit entropy value that is UDP Length:
generated by the encapsulator to uniquely identify a
flow. What constitutes a flow is locally determined by
the encapsulator and therefore is outside the scope of
this document. What algorithm is actually used by the
encapsulator to generate an entropy value is outside the
scope of this document. In case the tunnel does not need
entropy, this field of all packets belonging to a given
flow SHOULD be set to a randomly selected constant value
so as to avoid packet reordering.
To ensure that the source port number is always in the The usage of this field is in accordance with the current UDP
range 49152 to 65535 (Note that those ports less than specification [RFC0768].
49152 are reserved by IANA to identify specific
applications/protocols) which may be required in some
cases, instead of calculating a 16-bit hash, the
encapsulator SHOULD calculate a 14-bit hash and use
those 14 bits as the least significant bits of the
source port field while the most significant two bits
SHOULD be set to binary 11. That still conveys 14 bits
of entropy information which would be enough as well in
practice.
Destination Port of UDP UDP Checksum:
Internet-Draft Encapsulating ESP in UDP for Load-balancing October For IPv4 UDP encapsulation, this field is RECOMMENDED to be set
2016 to zero for performance or implementation reasons because the
IPv4 header includes a checksum and use of the UDP checksum is
optional with IPv4. For IPv6 UDP encapsulation, the IPv6
header does not include a checksum, so this field MUST contain
a UDP checksum that MUST be used as specified in [RFC0768] and
[RFC2460] unless one of the exceptions that allows use of UDP
zero-checksum mode (as specified in [RFC6935]) applies.
This field is set to a value (TBD) indicating the ESP Packet:
encapsulated payload in the UDP header is an ESP packet.
UDP Length This field contains one ESP packet.
The usage of this field is in accordance with the 4. Processing Procedures
current UDP specification [RFC768].
UDP Checksum This ESP-in-UDP encapsulation causes ESP [RFC2406] packets to be
forwarded across IP WAN via "UDP tunnels". When performing ESP-in-
UDP encapsulation by an IPsec VPN gateway, ordinary ESP encapsulation
procedure is performed and then a formatted UDP header is inserted
between ESP header and IP header. The Source Port field of the UDP
header is filled with an entropy value which is generated by the
IPsec VPN gateway. Upon receiving these UDP encapsulated packets,
remote IPsec VPN gateway MUST decapsulate these packets by removing
the UDP header and then perform ordinary ESP decapsulation procedure
consequently.
For IPv4 UDP encapsulation, this field is RECOMMENDED to Similar to all other IP-based tunneling technologies, ESP-in-UDP
be set to zero for performance or implementation reasons encapsualtion introduces overheads and reduces the effective Maximum
because the IPv4 header includes a checksum and use of Transmision Unit (MTU) size. ESP-in-UDP encapsulation may also
the UDP checksum is optional with IPv4. For IPv6 UDP impact Time-to-Live (TTL) or Hop Count (HC) and Differentiated
encapsulation, the IPv6 header does not include a Services (DSCP). Hence, ESP-in-UDP MUST follow the corresponding
checksum, so this field MUST contain a UDP checksum that procedures defined in [RFC2003].
MUST be used as specified in [RFC0768] and [RFC2460]
unless one of the exceptions that allows use of UDP
zero-checksum mode (as specified in [RFC6935]) applies.
4. Encapsulation and Decapsulation Procedures Encapsulators MUST NOT fragment ESP packet, and when the outer IP
header is IPv4, encapsulators MUST set the DF bit in the outer IPv4
header. It is strongly RECOMMENDED that IP transit core be
configured to carry an MTU at least large enough to accommodate the
added encapsulation headers. Meanwhile, it is strongly RECOMMENDED
that Path MTU Discovery [RFC1191] [RFC1981] or Packetization Layer
Path MTU Discovery (PLPMTUD) [RFC4821] is used to prevent or minimize
fragmentation.
This ESP-in-UDP encapsulation causes ESP [RFC2406] packets to be 5. Congestion Considerations
forwarded across IP WAN via "UDP tunnels". When performing ESP-in-
UDP encapsulation by an IPsec VPN gateway, ordinary ESP
encapsulation procedure is performed and then a formatted UDP header
is inserted between ESP header and IP header. The Source Port field
of the UDP header is filled with an entropy value which is generated
by the IPsec VPN gateway.
Upon receiving these UDP encapsulated packets, remote IPsec VPN TBD.
gateway MUST decapsulate these packets by removing the UDP header
and then perform ordinary ESP decapsulation procedure consequently.
5. Congestion Considerations 6. Applicability Statements
TBD TBD.
6. Security Considerations 7. Acknowledgements
TBD. 8. IANA Considerations
Internet-Draft Encapsulating ESP in UDP for Load-balancing October One UDP destination port number indicating ESP needs to be allocated
2016 by IANA:
7. IANA Considerations Service Name: ESP-in-UDP Transport Protocol(s):UDP
Assignee: IESG <iesg@ietf.org>
Contact: IETF Chair <chair@ietf.org>.
Description: Encapsulate ESP packets in UDP tunnels.
Reference: This document.
Port Number: TBD1 -- To be assigned by IANA.
A new UDP destination port number which indicates the encapsulated 9. Security Considerations
payload following the UDP header is an ESP packet needs to be
assigned by IANA.
8. Acknowledgements TBD.
Thanks to. 10. References
9. References 10.1. Normative References
9.1. Normative References [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
DOI 10.17487/RFC0768, August 1980,
<https://www.rfc-editor.org/info/rfc768>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
Requirement Levels", BCP 14, RFC 2119, March 1997. DOI 10.17487/RFC1191, November 1990,
<https://www.rfc-editor.org/info/rfc1191>.
9.2. Informative References [RFC1981] McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery
for IP version 6", RFC 1981, DOI 10.17487/RFC1981, August
1996, <https://www.rfc-editor.org/info/rfc1981>.
[RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, [RFC2003] Perkins, C., "IP Encapsulation within IP", RFC 2003,
August 1980. DOI 10.17487/RFC2003, October 1996,
<https://www.rfc-editor.org/info/rfc2003>.
[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Internet Protocol", RFC 2401, November 1998. Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
Payload (ESP)", RFC 2406, November 1998. Internet Protocol", RFC 2401, DOI 10.17487/RFC2401,
November 1998, <https://www.rfc-editor.org/info/rfc2401>.
[RFC6935] Eubanks, M., Chimento, P., and M. Westerlund, "UDP [RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security
Checksums for Tunneled Packets", RFC6935, Feburary 2013. Payload (ESP)", RFC 2406, DOI 10.17487/RFC2406, November
1998, <https://www.rfc-editor.org/info/rfc2406>.
[RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
Stenberg, "UDP Encapsulation of IPsec Packets", RFC 3948, (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
January 2005. December 1998, <https://www.rfc-editor.org/info/rfc2460>.
[RFC6936] Fairhurst, G. and M. Westerlund, "Applicability Statement [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
for the use of IPv6 UDP Datagrams with Zero Checksums", Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007,
RFC6936, Feburary 2013. <https://www.rfc-editor.org/info/rfc4821>.
[RFC7510] Xu, X., Sheth, N., Yong, L., Callon, R., and D. Black, [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label
"Encapsulating MPLS in UDP", RFC 7510, for Equal Cost Multipath Routing and Link Aggregation in
DOI 10.17487/RFC7510, April 2015, Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011,
<http://www.rfc-editor.org/info/rfc7510>. <https://www.rfc-editor.org/info/rfc6438>.
Internet-Draft Encapsulating ESP in UDP for Load-balancing October [RFC6935] Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and
2016 UDP Checksums for Tunneled Packets", RFC 6935,
DOI 10.17487/RFC6935, April 2013,
<https://www.rfc-editor.org/info/rfc6935>.
Authors' Addresses [RFC6936] Fairhurst, G. and M. Westerlund, "Applicability Statement
for the Use of IPv6 UDP Datagrams with Zero Checksums",
RFC 6936, DOI 10.17487/RFC6936, April 2013,
<https://www.rfc-editor.org/info/rfc6936>.
Xiaohu Xu 10.2. Informative References
Huawei Technologies,
Beijing, China
Phone: +86-10-60610041
Email: xuxiaohu@huawei.com
Dacheng Zhang [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
Huawei Technologies, Stenberg, "UDP Encapsulation of IPsec ESP Packets",
Beijing, China RFC 3948, DOI 10.17487/RFC3948, January 2005,
Phone: +86-13621142434 <https://www.rfc-editor.org/info/rfc3948>.
Email: dacheng.zhang@huawei.com
Liang Xia Authors' Addresses
Huawei Technologies,
Email: frank.xialiang@huawei.com Xiaohu Xu
Huawei
Email: xuxiaohu@huawei.com
Dacheng Zhang
Huawei
Email: dacheng.zhang@huawei.com
Liang Xia
Huawei
Email: frank.xialiang@huawei.com
 End of changes. 70 change blocks. 
226 lines changed or deleted 238 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/