| < draft-xu-ipsecme-esp-in-udp-lb-06.txt | draft-xu-ipsecme-esp-in-udp-lb-07.txt > | |||
|---|---|---|---|---|
| Network Working Group X. Xu | Network Working Group X. Xu | |||
| Internet-Draft Alibaba, Inc | Internet-Draft Alibaba, Inc | |||
| Intended status: Standards Track S. Hegde | Intended status: Standards Track S. Hegde | |||
| Expires: May 21, 2021 Juniper | Expires: June 23, 2021 Juniper | |||
| B. Pismenny | B. Pismenny | |||
| Nvidia | Nvidia | |||
| D. Zhang | D. Zhang | |||
| L. Xia | L. Xia | |||
| Huawei | Huawei | |||
| November 17, 2020 | December 20, 2020 | |||
| Encapsulating IPsec ESP in UDP for Load-balancing | Encapsulating IPsec ESP in UDP for Load-balancing | |||
| draft-xu-ipsecme-esp-in-udp-lb-06 | draft-xu-ipsecme-esp-in-udp-lb-07 | |||
| Abstract | Abstract | |||
| IPsec Virtual Private Network (VPN) is widely used by enterprises to | IPsec Virtual Private Network (VPN) is widely used by enterprises to | |||
| interconnect their geographical dispersed branch office locations | interconnect their geographical dispersed branch office locations | |||
| across the Wide Area Network (WAN) or the Internet, especially in the | across the Wide Area Network (WAN) or the Internet, especially in the | |||
| Software-Defined-WAN (SD-WAN) era. In addition, IPsec is also | Software-Defined-WAN (SD-WAN) era. In addition, IPsec is also | |||
| increasingly used by cloud providers to encrypt IP traffic traversing | increasingly used by cloud providers to encrypt IP traffic traversing | |||
| data center interconnect WAN so as to meet the security and | data center networks and data center interconnect WANs so as to meet | |||
| compliance requirements, especially in financial cloud and | the security and compliance requirements, especially in financial | |||
| governmental cloud environments. To fully utilize the bandwidth | cloud and governmental cloud environments. To fully utilize the | |||
| available in the WAN or the Internet, load balancing of IPsec traffic | bandwidth available in the data center network, the data center | |||
| interconnect WAN or the Internet, load balancing of IPsec traffic | ||||
| over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Group (LAG) | over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Group (LAG) | |||
| is much attractive to those enterprises and cloud providers. This | is much attractive to those enterprises and cloud providers. This | |||
| document defines a method to encapsulate IPsec Encapsulating Security | document defines a method to encapsulate IPsec Encapsulating Security | |||
| Payload (ESP) packets over UDP tunnels for improving load-balancing | Payload (ESP) packets over UDP tunnels for improving load-balancing | |||
| of IPsec ESP traffic. | of IPsec ESP traffic. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 23, 2021. | ||||
| This Internet-Draft will expire on May 21, 2021. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 25 ¶ | skipping to change at page 2, line 26 ¶ | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Encapsulation in UDP . . . . . . . . . . . . . . . . . . . . 3 | 3. Encapsulation in UDP . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Processing Procedures . . . . . . . . . . . . . . . . . . . . 5 | 4. Processing Procedures . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Congestion Considerations . . . . . . . . . . . . . . . . . . 6 | 5. Congestion Considerations . . . . . . . . . . . . . . . . . . 6 | |||
| 6. Applicability Statements . . . . . . . . . . . . . . . . . . 6 | 6. Applicability Statements . . . . . . . . . . . . . . . . . . 6 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 7 | 10.2. Informative References . . . . . . . . . . . . . . . . . 7 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 1. Introduction | 1. Introduction | |||
| IPsec Virtual Private Network (VPN) is widely used by enterprises to | IPsec Virtual Private Network (VPN) is widely used by enterprises to | |||
| interconnect their geographical dispersed branch office locations | interconnect their geographical dispersed branch office locations | |||
| across the Wide Area Network (WAN) or the Internet, especially in the | across the Wide Area Network (WAN) or the Internet, especially in the | |||
| Software-Defined-WAN (SD-WAN) era. In addition, IPsec is also | Software-Defined-WAN (SD-WAN) era. In addition, IPsec is also | |||
| increasingly used by cloud providers to encrypt IP traffic traversing | increasingly used by cloud providers to encrypt IP traffic traversing | |||
| data center interconnect WAN so as to meet the security and | data center networks and data center interconnect WANs so as to meet | |||
| compliance requirements, especially in financial cloud and | the security and compliance requirements, especially in financial | |||
| governmental cloud environments. To fully utilize the bandwidth | cloud and governmental cloud environments. To fully utilize the | |||
| available in the WAN or the Internet, load balancing of IPsec traffic | bandwidth available in the WAN or the Internet, load balancing of | |||
| over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Group (LAG) | IPsec traffic over Equal Cost Multi-Path (ECMP) and/or Link | |||
| is much attractive to those enterprises and cloud providers. Since | Aggregation Group (LAG) is much attractive to those enterprises and | |||
| most existing core routers within IP WAN or the Internet can already | cloud providers. Although the ESP SPI field within the IPsec packets | |||
| support balancing IP traffic flows based on the hash of the five- | can be used as the load-balancing key, but it cannot be used by | |||
| tuple of UDP packets, by encapsulating IPsec Encapsulating Security | legacy switches and routers. | |||
| Payload (ESP) packets over UDP tunnels with the UDP source port being | ||||
| used as an entropy field, it will enable existing core routers to | Since most existing switches within data center networks and core | |||
| perform efficient load-balancing of the IPsec ESP traffic without | routers within IP WAN or the Internet can already support balancing | |||
| IP traffic flows based on the hash of the five-tuple of UDP packets, | ||||
| by encapsulating IPsec Encapsulating Security Payload (ESP) packets | ||||
| over UDP tunnels with the UDP source port being used as an entropy | ||||
| field, it will enable existing data center switches and core routers | ||||
| to perform efficient load-balancing of the IPsec ESP traffic without | ||||
| requiring any change to them. Therefore, this specification defines | requiring any change to them. Therefore, this specification defines | |||
| a method of encapsulating IPsec ESP packets over UDP tunnels for | a method of encapsulating IPsec ESP packets over UDP tunnels for | |||
| improving load-balancing of IPsec ESP traffic. | improving load-balancing of IPsec ESP traffic. | |||
| Encapsulating ESP in UDP, as defined in this document, can be used in | Encapsulating ESP in UDP, as defined in this document, can be used in | |||
| both IPv4 and IPv6 networks. IPv6 flow label has been proposed as an | both IPv4 and IPv6 networks. IPv6 flow label has been proposed as an | |||
| entropy field for load balancing in IPv6 network environment | entropy field for load balancing in IPv6 network environment | |||
| [RFC6438]. However, as stated in [RFC6936], the end-to-end use of | [RFC6438]. However, as stated in [RFC6936], the end-to-end use of | |||
| flow labels for load balancing is a long-term solution and therefore | flow labels for load balancing is a long-term solution and therefore | |||
| the use of load balancing using the transport header fields would | the use of load balancing using the transport header fields would | |||
| continue until any widespread deployment is finally achieved. As | continue until any widespread deployment is finally achieved. As | |||
| such, ESP-in-UDP encapsulation would still have a practical | such, ESP-in-UDP encapsulation would still have a practical | |||
| application value in the IPv6 networks during this transition | application value in the IPv6 networks during this transition | |||
| timeframe. | timeframe. | |||
| Note that the difference between the ESP-in-UDP encapsulation as | Note that the difference between the ESP-in-UDP encapsulation as | |||
| proposed in this document and the ESP-in-UDP encapsulation as | proposed in this document and the ESP-in-UDP encapsulation as | |||
| described in [RFC3948] is that the former uses the UDP tunnel for | described in [RFC3948] is that the former uses the UDP tunnel for | |||
| load-balancing improvement purpose and therefore the source port is | load-balancing improvement purpose and therefore the source port is | |||
| used as an entropy field while the latter uses the UDP tunnel for NAT | used as an entropy field while the latter uses the UDP tunnel for NAT | |||
| traverse purpose and therefore the source port is set to a constant | traversal purpose and therefore the source port is set to a constant | |||
| value (i.e., 4500). In addition, the ESP-in-UDP encapsulation as | value (i.e., 4500). In addition, the ESP-in-UDP encapsulation as | |||
| described in this document is applicable to both the tunnel mode ESP | described in this document is applicable to both the tunnel mode ESP | |||
| encapsulation and the transport mode ESP encapsulation. | encapsulation and the transport mode ESP encapsulation. | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| skipping to change at page 4, line 32 ¶ | skipping to change at page 4, line 36 ¶ | |||
| a flow is locally determined by the encapsulator and therefore | a flow is locally determined by the encapsulator and therefore | |||
| is outside the scope of this document. What algorithm is | is outside the scope of this document. What algorithm is | |||
| actually used by the encapsulator to generate an entropy value | actually used by the encapsulator to generate an entropy value | |||
| is outside the scope of this document. | is outside the scope of this document. | |||
| In case the tunnel does not need entropy, this field of all | In case the tunnel does not need entropy, this field of all | |||
| packets belonging to a given flow SHOULD be set to a randomly | packets belonging to a given flow SHOULD be set to a randomly | |||
| selected constant value so as to avoid packet reordering. | selected constant value so as to avoid packet reordering. | |||
| To ensure that the source port number is always in the range | To ensure that the source port number is always in the range | |||
| 49152 to 65535 (Note that those ports less than 49152 are | 49152 to 65535 (Note ports less than 49152 are reserved by IANA | |||
| reserved by IANA to identify specific applications/protocols) | to identify specific applications/protocols) which may be | |||
| which may be required in some cases, instead of calculating a | required in some cases, instead of calculating a 16-bit hash, | |||
| 16-bit hash, the encapsulator SHOULD calculate a 14-bit hash | the encapsulator SHOULD calculate a 14-bit hash and use those | |||
| and use those 14 bits as the least significant bits of the | 14 bits as the least significant bits of the source port field | |||
| source port field while the most significant two bits SHOULD be | while the most significant two bits SHOULD be set to binary 11. | |||
| set to binary 11. That still conveys 14 bits of entropy | That still conveys 14 bits of entropy information which would | |||
| information which would be enough as well in practice. | be enough as well in practice. | |||
| Destination Port of UDP: | Destination Port of UDP: | |||
| This field is set to a value (TBD1) allocated by IANA to | This field is set to a value (TBD1) allocated by IANA to | |||
| indicate that the UDP tunnel payload is an ESP packet. | indicate that the UDP tunnel payload is an ESP packet. | |||
| UDP Length: | UDP Length: | |||
| The usage of this field is in accordance with the current UDP | The usage of this field is in accordance with the current UDP | |||
| specification [RFC0768]. | specification [RFC0768]. | |||
| skipping to change at page 8, line 7 ¶ | skipping to change at page 8, line 7 ¶ | |||
| [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. | [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. | |||
| Stenberg, "UDP Encapsulation of IPsec ESP Packets", | Stenberg, "UDP Encapsulation of IPsec ESP Packets", | |||
| RFC 3948, DOI 10.17487/RFC3948, January 2005, | RFC 3948, DOI 10.17487/RFC3948, January 2005, | |||
| <https://www.rfc-editor.org/info/rfc3948>. | <https://www.rfc-editor.org/info/rfc3948>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Xiaohu Xu | Xiaohu Xu | |||
| Alibaba, Inc | Alibaba, Inc | |||
| Email: xiaohu.xxh@alibaba-inc.com | Email: 13910161692@qq.com | |||
| Shraddha Hegde | Shraddha Hegde | |||
| Juniper | Juniper | |||
| Email: shraddha@juniper.net | Email: shraddha@juniper.net | |||
| Boris Pismenny | Boris Pismenny | |||
| Nvidia | Nvidia | |||
| Email: borisp@nvidia.com | Email: borisp@nvidia.com | |||
| End of changes. 10 change blocks. | ||||
| 32 lines changed or deleted | 37 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||