< draft-xu-ipsecme-esp-in-udp-lb-01.txt		draft-xu-ipsecme-esp-in-udp-lb-02.txt >
	Network Working Group X. Xu		Network Working Group X. Xu
	Internet-Draft D. Zhang		Internet-Draft D. Zhang
	Intended status: Standards Track L. Xia		Intended status: Standards Track L. Xia
	Expires: May 28, 2018 Huawei		Expires: July 13, 2018 Huawei
	November 24, 2017		January 9, 2018
	Encapsulating IPsec ESP in UDP for Load-balancing		Encapsulating IPsec ESP in UDP for Load-balancing
	draft-xu-ipsecme-esp-in-udp-lb-01		draft-xu-ipsecme-esp-in-udp-lb-02
	Abstract		Abstract
	IPsec Virtual Private Network (VPN) is widely used by enterprises to		IPsec Virtual Private Network (VPN) is widely used by enterprises to
	interconnect their geographical dispersed branch office locations		interconnect their geographical dispersed branch office locations
	across IP Wide Area Network (WAN) or the Internet, especially in the		across IP Wide Area Network (WAN) or the Internet, especially in the
	Software-Defined-WAN (SD-WAN) era. To fully utilize the bandwidth		Software-Defined-WAN (SD-WAN) era. To fully utilize the bandwidth
	available in IP WAN or the Internet, load balancing of traffic		available in IP WAN or the Internet, load balancing of traffic
	between different IPsec VPN sites over Equal Cost Multi-Path (ECMP)		between different IPsec VPN sites over Equal Cost Multi-Path (ECMP)
	and/or Link Aggregation Group (LAG) is attractive to those		and/or Link Aggregation Group (LAG) is attractive to those
	skipping to change at page 1, line 41 ¶		skipping to change at page 1, line 41 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.		Drafts is at https://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on May 28, 2018.		This Internet-Draft will expire on July 13, 2018.
	Copyright Notice		Copyright Notice
	Copyright (c) 2017 IETF Trust and the persons identified as the		Copyright (c) 2018 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of		(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	carefully, as they describe your rights and restrictions with respect		carefully, as they describe your rights and restrictions with respect
	to this document. Code Components extracted from this document must		to this document. Code Components extracted from this document must
	include Simplified BSD License text as described in Section 4.e of		include Simplified BSD License text as described in Section 4.e of
	the Trust Legal Provisions and are provided without warranty as		the Trust Legal Provisions and are provided without warranty as
	skipping to change at page 5, line 21 ¶		skipping to change at page 5, line 21 ¶
	UDP encapsulation by an IPsec VPN gateway, ordinary ESP encapsulation		UDP encapsulation by an IPsec VPN gateway, ordinary ESP encapsulation
	procedure is performed and then a formatted UDP header is inserted		procedure is performed and then a formatted UDP header is inserted
	between ESP header and IP header. The Source Port field of the UDP		between ESP header and IP header. The Source Port field of the UDP
	header is filled with an entropy value which is generated by the		header is filled with an entropy value which is generated by the
	IPsec VPN gateway. Upon receiving these UDP encapsulated packets,		IPsec VPN gateway. Upon receiving these UDP encapsulated packets,
	remote IPsec VPN gateway MUST decapsulate these packets by removing		remote IPsec VPN gateway MUST decapsulate these packets by removing
	the UDP header and then perform ordinary ESP decapsulation procedure		the UDP header and then perform ordinary ESP decapsulation procedure
	consequently.		consequently.
	Similar to all other IP-based tunneling technologies, ESP-in-UDP		Similar to all other IP-based tunneling technologies, ESP-in-UDP
	encapsualtion introduces overheads and reduces the effective Maximum		encapsulation introduces overheads and reduces the effective Maximum
	Transmision Unit (MTU) size. ESP-in-UDP encapsulation may also		Transmission Unit (MTU) size. ESP-in-UDP encapsulation may also
	impact Time-to-Live (TTL) or Hop Count (HC) and Differentiated		impact Time-to-Live (TTL) or Hop Count (HC) and Differentiated
	Services (DSCP). Hence, ESP-in-UDP MUST follow the corresponding		Services (DSCP). Hence, ESP-in-UDP MUST follow the corresponding
	procedures defined in [RFC2003].		procedures defined in [RFC2003].
	Encapsulators MUST NOT fragment ESP packet, and when the outer IP		Encapsulators MUST NOT fragment ESP packet, and when the outer IP
	header is IPv4, encapsulators MUST set the DF bit in the outer IPv4		header is IPv4, encapsulators MUST set the DF bit in the outer IPv4
	header. It is strongly RECOMMENDED that IP transit core be		header. It is strongly RECOMMENDED that IP transit core be
	configured to carry an MTU at least large enough to accommodate the		configured to carry an MTU at least large enough to accommodate the
	added encapsulation headers. Meanwhile, it is strongly RECOMMENDED		added encapsulation headers. Meanwhile, it is strongly RECOMMENDED
	that Path MTU Discovery [RFC1191] [RFC1981] or Packetization Layer		that Path MTU Discovery [RFC1191] [RFC1981] or Packetization Layer
	skipping to change at page 7, line 36 ¶		skipping to change at page 7, line 36 ¶
	[RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.		[RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
	Stenberg, "UDP Encapsulation of IPsec ESP Packets",		Stenberg, "UDP Encapsulation of IPsec ESP Packets",
	RFC 3948, DOI 10.17487/RFC3948, January 2005,		RFC 3948, DOI 10.17487/RFC3948, January 2005,
	<https://www.rfc-editor.org/info/rfc3948>.		<https://www.rfc-editor.org/info/rfc3948>.
	Authors' Addresses		Authors' Addresses
	Xiaohu Xu		Xiaohu Xu
	Huawei		Huawei
	Email: xuxiaohu@huawei.com		Email: xuxh.mail@gmail.com
	Dacheng Zhang		Dacheng Zhang
	Huawei		Huawei
	Email: dacheng.zhang@huawei.com		Email: dacheng.zhang@huawei.com
	Liang Xia		Liang Xia
	Huawei		Huawei
	Email: frank.xialiang@huawei.com		Email: frank.xialiang@huawei.com
End of changes. 6 change blocks.
	8 lines changed or deleted		8 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/