| < draft-xu-ipsecme-esp-in-udp-lb-02.txt | draft-xu-ipsecme-esp-in-udp-lb-03.txt > |
|---|---|
| Network Working Group X. Xu | Network Working Group X. Xu |
| Internet-Draft D. Zhang | Internet-Draft Alibaba, Inc |
| Intended status: Standards Track L. Xia | Intended status: Standards Track S. Hegde |
| Expires: July 13, 2018 Huawei | Expires: July 23, 2020 Juniper |
| January 9, 2018 | D. Zhang |
| | L. Xia |
| | Huawei |
| | January 20, 2020 |
| Encapsulating IPsec ESP in UDP for Load-balancing | Encapsulating IPsec ESP in UDP for Load-balancing |
| draft-xu-ipsecme-esp-in-udp-lb-02 | draft-xu-ipsecme-esp-in-udp-lb-03 |
| Abstract | Abstract |
| IPsec Virtual Private Network (VPN) is widely used by enterprises to | IPsec Virtual Private Network (VPN) is widely used by enterprises to |
| interconnect their geographical dispersed branch office locations | interconnect their geographical dispersed branch office locations |
| across IP Wide Area Network (WAN) or the Internet, especially in the | across the Wide Area Network (WAN) or the Internet, especially in the |
| Software-Defined-WAN (SD-WAN) era. To fully utilize the bandwidth | Software-Defined-WAN (SD-WAN) era. In addition, IPsec is also |
| available in IP WAN or the Internet, load balancing of traffic | increasingly used by cloud providers to encrypt IP traffic traversing |
| between different IPsec VPN sites over Equal Cost Multi-Path (ECMP) | data center interconnect WAN so as to meet the security and |
| and/or Link Aggregation Group (LAG) is attractive to those | compliance requirements, especially in financial cloud and |
| enterprises deploying IPsec VPN solutions. This document defines a | governmental cloud environments. To fully utilize the bandwidth |
| method to encapsulate IPsec Encapsulating Security Payload (ESP) | available in the WAN or the Internet, load balancing of IPsec traffic |
| packets over UDP tunnels for improving load-balancing of IPsec ESP | over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Group (LAG) |
| traffic. | is much attractive to those enterprises and cloud providers. This |
| | document defines a method to encapsulate IPsec Encapsulating Security |
| | Payload (ESP) packets over UDP tunnels for improving load-balancing |
| | of IPsec ESP traffic. |
| Status of This Memo | Status of This Memo |
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the |
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on July 13, 2018. | This Internet-Draft will expire on July 23, 2020. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents |
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect |
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must |
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of |
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as |
| described in the Simplified BSD License. | described in the Simplified BSD License. |
| Table of Contents | Table of Contents |
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 |
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 |
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 |
| 3. Encapsulation in UDP . . . . . . . . . . . . . . . . . . . . 3 | 3. Encapsulation in UDP . . . . . . . . . . . . . . . . . . . . 3 |
| 4. Processing Procedures . . . . . . . . . . . . . . . . . . . . 5 | 4. Processing Procedures . . . . . . . . . . . . . . . . . . . . 5 |
| 5. Congestion Considerations . . . . . . . . . . . . . . . . . . 5 | 5. Congestion Considerations . . . . . . . . . . . . . . . . . . 6 |
| 6. Applicability Statements . . . . . . . . . . . . . . . . . . 5 | 6. Applicability Statements . . . . . . . . . . . . . . . . . . 6 |
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 |
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 |
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 6 |
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 |
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 6 |
| 10.2. Informative References . . . . . . . . . . . . . . . . . 7 | 10.2. Informative References . . . . . . . . . . . . . . . . . 7 |
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 |
| 1. Introduction | 1. Introduction |
| IPsec Virtual Private Network (VPN) is widely used by enterprises to | IPsec Virtual Private Network (VPN) is widely used by enterprises to |
| interconnect their geographical dispersed branch office locations | interconnect their geographical dispersed branch office locations |
| across IP Wide Area Network (WAN) or the Internet, especially in the | across the Wide Area Network (WAN) or the Internet, especially in the |
| Software-Defined-WAN (SD-WAN) era. To fully utilize the bandwidth | Software-Defined-WAN (SD-WAN) era. In addition, IPsec is also |
| available in IP WAN or the Internet, load balancing of traffic | increasingly used by cloud providers to encrypt IP traffic traversing |
| between different IPsec VPN sites over Equal Cost Multi-Path (ECMP) | data center interconnect WAN so as to meet the security and |
| and/or Link Aggregation Group (LAG) is much attractive to those | compliance requirements, especially in financial cloud and |
| enterprises that deploy IPsec VPN solutions. Since most existing | governmental cloud environments. To fully utilize the bandwidth |
| core routers within IP WAN or the Internet can already support | available in the WAN or the Internet, load balancing of IPsec traffic |
| balancing IP traffic flows based on the hash of the five-tuple of UDP | over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Group (LAG) |
| packets, by encapsulating IPsec Encapsulating Security Payload (ESP) | is much attractive to those enterprises and cloud providers. Since |
| packets over UDP tunnels with the UDP source port being used as an | most existing core routers within IP WAN or the Internet can already |
| entropy field, it will enable existing core routers to perform | support balancing IP traffic flows based on the hash of the five- |
| efficient load-balancing of the IPsec ESP traffic without requiring | tuple of UDP packets, by encapsulating IPsec Encapsulating Security |
| any change to them. Therefore, this specification defines a method | Payload (ESP) packets over UDP tunnels with the UDP source port being |
| of encapsulating IPsec ESP packets over UDP tunnels for improving | used as an entropy field, it will enable existing core routers to |
| load-balancing of IPsec ESP traffic. | perform efficient load-balancing of the IPsec ESP traffic without |
| | requiring any change to them. Therefore, this specification defines |
| | a method of encapsulating IPsec ESP packets over UDP tunnels for |
| | improving load-balancing of IPsec ESP traffic. |
| Encapsulating ESP in UDP, as defined in this document, can be used in | Encapsulating ESP in UDP, as defined in this document, can be used in |
| both IPv4 and IPv6 networks. IPv6 flow label has been proposed as an | both IPv4 and IPv6 networks. IPv6 flow label has been proposed as an |
| entropy field for load balancing in IPv6 network environment | entropy field for load balancing in IPv6 network environment |
| [RFC6438]. However, as stated in [RFC6936], the end-to-end use of | [RFC6438]. However, as stated in [RFC6936], the end-to-end use of |
| flow labels for load balancing is a long-term solution and therefore | flow labels for load balancing is a long-term solution and therefore |
| the use of load balancing using the transport header fields would | the use of load balancing using the transport header fields would |
| continue until any widespread deployment is finally achieved. As | continue until any widespread deployment is finally achieved. As |
| such, ESP-in-UDP encapsulation would still have a practical | such, ESP-in-UDP encapsulation would still have a practical |
| application value in the IPv6 networks during this transition | application value in the IPv6 networks during this transition |
| timeframe. | timeframe. |
| Note that the difference between the ESP-in-UDP encapsulation as | Note that the difference between the ESP-in-UDP encapsulation as |
| proposed in this document and the ESP-in-UDP encapsulation as | proposed in this document and the ESP-in-UDP encapsulation as |
| (skipping to change at page 7, line 32) | (skipping to change at page 8, line 4) |
| <https://www.rfc-editor.org/info/rfc6936>. | <https://www.rfc-editor.org/info/rfc6936>. |
| 10.2. Informative References | 10.2. Informative References |
| [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. | [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. |
| Stenberg, "UDP Encapsulation of IPsec ESP Packets", | Stenberg, "UDP Encapsulation of IPsec ESP Packets", |
| RFC 3948, DOI 10.17487/RFC3948, January 2005, | RFC 3948, DOI 10.17487/RFC3948, January 2005, |
| <https://www.rfc-editor.org/info/rfc3948>. | <https://www.rfc-editor.org/info/rfc3948>. |
| Authors' Addresses | Authors' Addresses |
| Xiaohu Xu | Xiaohu Xu |
| Huawei | Alibaba, Inc |
| Email: xuxh.mail@gmail.com | Email: xiaohu.xxh@alibaba-inc.com |
| | Shraddha Hegde |
| | Juniper |
| | Email: shraddha@juniper.net |
| Dacheng Zhang | Dacheng Zhang |
| Huawei | Huawei |
| Email: dacheng.zhang@huawei.com | Email: dacheng.zhang@huawei.com |
| Liang Xia | Liang Xia |
| Huawei | Huawei |
| Email: frank.xialiang@huawei.com | Email: frank.xialiang@huawei.com |
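The load-balancing argument in the draft's Introduction (carry entropy in the outer UDP source port so that an unmodified core router's five-tuple hash spreads one ESP tunnel's inner flows across ECMP paths, instead of pinning the whole tunnel to one path) as an added Python example; this is not code from the draft or its authors. The SHA-256 derivation of the source port, the ephemeral port range, the sample addresses and SPI, and the CRC-based model of the router's hash are all assumptions for illustration.

```python
import hashlib
import struct
import zlib
from collections import Counter

UDP_DST_PORT = 4500               # RFC 3948 NAT-T port, reused here for illustration (assumption)
PORT_MIN, PORT_MAX = 49152, 65535  # entropy drawn from the ephemeral range (assumption)


def entropy_source_port(spi: int, inner_flow: bytes) -> int:
    """Hash the ESP SPI and an inner-flow identifier into a UDP source port.

    The hash and its inputs are choices for this example; the draft only asks
    that the source port carry entropy the core routers can hash on.
    """
    digest = hashlib.sha256(struct.pack("!I", spi) + inner_flow).digest()
    return PORT_MIN + int.from_bytes(digest[:4], "big") % (PORT_MAX - PORT_MIN + 1)


def esp_in_udp(sport: int, spi: int, seq: int, esp_payload: bytes) -> bytes:
    """Outer UDP header followed by the ESP header (SPI, sequence number) and payload."""
    esp = struct.pack("!II", spi, seq) + esp_payload
    udp_len = 8 + len(esp)
    # UDP checksum left zero: optional over IPv4 and commonly omitted by tunnel endpoints
    return struct.pack("!HHHH", sport, UDP_DST_PORT, udp_len, 0) + esp


def parse_esp_in_udp(pkt: bytes):
    """Return (sport, dport, spi, seq, payload). The SPI, not the source port, selects the SA."""
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", pkt[:8])
    spi, seq = struct.unpack("!II", pkt[8:16])
    return sport, dport, spi, seq, pkt[16:udp_len]


def ecmp_path(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int, n_paths: int) -> int:
    """Model of a core router's five-tuple hash; real implementations are vendor specific."""
    key = f"{src_ip}|{dst_ip}|{proto}|{sport}|{dport}".encode()
    return zlib.crc32(key) % n_paths


def path_distribution(n_flows: int, n_paths: int, use_entropy: bool) -> Counter:
    """Count how many inner flows of a single ESP tunnel land on each ECMP path."""
    spi = 0x10000001                                    # constructed SPI for the one tunnel
    counts = Counter()
    for i in range(n_flows):
        inner_flow = struct.pack("!HH", 40000 + i, 443)  # constructed inner TCP ports
        sport = entropy_source_port(spi, inner_flow) if use_entropy else UDP_DST_PORT
        counts[ecmp_path("198.51.100.1", "203.0.113.1", 17, sport, UDP_DST_PORT, n_paths)] += 1
    return counts
```

With a fixed source port every flow of the tunnel shares one outer five-tuple and therefore one path; with the entropy port the same flows spread over the available paths while the receiver still demultiplexes on the SPI.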