Network Working Group                                             X. Xu
Internet-Draft                                                 D. Zhang
Intended status: Standards Track                                 L. Xia
Expires: May 28, 2018                                            Huawei
                                                      November 24, 2017


           Encapsulating IPsec ESP in UDP for Load-balancing
                  draft-xu-ipsecme-esp-in-udp-lb-01

Abstract

   IPsec Virtual Private Network (VPN) is widely used by enterprises to
   interconnect their geographically dispersed branch office locations
   across an IP Wide Area Network (WAN) or the Internet, especially in
   the Software-Defined WAN (SD-WAN) era.  To fully utilize the
   bandwidth available in the IP WAN or the Internet, load balancing of
   traffic between IPsec VPN sites over Equal Cost Multi-Path (ECMP)
   and/or Link Aggregation Group (LAG) paths is attractive to
   enterprises deploying IPsec VPN solutions.  This document defines a
   method of encapsulating IPsec Encapsulating Security Payload (ESP)
   packets in UDP tunnels to improve load balancing of IPsec ESP
   traffic.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 28, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Terminology
   3.  Encapsulation in UDP
   4.  Processing Procedures
   5.  Congestion Considerations
   6.  Applicability Statements
   7.  Acknowledgements
   8.  IANA Considerations
   9.  Security Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   IPsec Virtual Private Network (VPN) is widely used by enterprises to
   interconnect their geographically dispersed branch office locations
   across an IP Wide Area Network (WAN) or the Internet, especially in
   the Software-Defined WAN (SD-WAN) era.  To fully utilize the
   bandwidth available in the IP WAN or the Internet, load balancing of
   traffic between IPsec VPN sites over Equal Cost Multi-Path (ECMP)
   and/or Link Aggregation Group (LAG) paths is attractive to
   enterprises that deploy IPsec VPN solutions.
   Most existing core routers in the IP WAN or the Internet can already
   balance IP traffic flows based on a hash of the five-tuple of UDP
   packets, whereas ESP itself carries no transport-layer ports for such
   routers to hash on.  Encapsulating IPsec Encapsulating Security
   Payload (ESP) packets in UDP tunnels, with the UDP source port used
   as an entropy field, therefore lets existing core routers load-
   balance IPsec ESP traffic efficiently without any change to them.
   This specification accordingly defines a method of encapsulating
   IPsec ESP packets in UDP tunnels to improve load balancing of IPsec
   ESP traffic.

   Encapsulating ESP in UDP, as defined in this document, can be used in
   both IPv4 and IPv6 networks.  The IPv6 flow label has been proposed
   as an entropy field for load balancing in IPv6 networks [RFC6438].
   However, as stated in [RFC6936], end-to-end use of the flow label for
   load balancing is a long-term solution, and load balancing on
   transport header fields will continue until widespread deployment of
   the flow label is finally achieved.  ESP-in-UDP encapsulation
   therefore still has practical value in IPv6 networks during that
   transition period.

   Note the difference between the ESP-in-UDP encapsulation proposed in
   this document and the ESP-in-UDP encapsulation described in
   [RFC3948]: the former uses the UDP tunnel to improve load balancing,
   so the source port carries an entropy value, while the latter uses
   the UDP tunnel for NAT traversal, so the source port is set to a
   constant value (i.e., 4500).  In addition, this document only
   discusses tunnel mode ESP encapsulation.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Terminology

   This memo makes use of the terms defined in [RFC2401] and [RFC2406]
   (since obsoleted by RFC 4301 and RFC 4303, respectively).

3.  Encapsulation in UDP

   The ESP-in-UDP encapsulation format is shown below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Source Port = Entropy     |       Dest Port = TBD1        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           UDP Length          |        UDP Checksum           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                          ESP Packet                           ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                 Figure 1: ESP-in-UDP Encapsulation Format

   Source Port of UDP:

      This field contains a 16-bit entropy value generated by the
      encapsulator to identify a flow.  What constitutes a flow is
      determined locally by the encapsulator and is therefore outside
      the scope of this document, as is the algorithm the encapsulator
      uses to generate the entropy value.

      If the tunnel does not need entropy, this field SHOULD be set to a
      randomly selected constant value for all packets belonging to a
      given flow, so as to avoid packet reordering.
      To ensure that the source port number is always in the range
      49152 to 65535, which may be required in some cases (ports below
      49152 fall in the IANA System and User port ranges, which are
      assigned to specific applications/protocols), the encapsulator
      SHOULD calculate a 14-bit hash instead of a 16-bit hash, use those
      14 bits as the least significant bits of the source port field,
      and set the most significant two bits to binary 11.  This still
      conveys 14 bits of entropy, which is enough in practice.

   Destination Port of UDP:

      This field is set to a value (TBD1) allocated by IANA to indicate
      that the UDP tunnel payload is an ESP packet.

   UDP Length:

      The usage of this field is in accordance with the current UDP
      specification [RFC0768].

   UDP Checksum:

      For IPv4 UDP encapsulation, this field is RECOMMENDED to be set to
      zero for performance or implementation reasons, because the IPv4
      header includes a checksum and use of the UDP checksum is optional
      with IPv4.  For IPv6 UDP encapsulation, the IPv6 header does not
      include a checksum, so this field MUST contain a UDP checksum that
      MUST be used as specified in [RFC0768] and [RFC2460] unless one of
      the exceptions that allow UDP zero-checksum mode (as specified in
      [RFC6935]) applies.  Note that the ESP integrity check covers the
      ESP packet but not the outer UDP header, so with a zero checksum
      corruption of the UDP header itself goes undetected.

   ESP Packet:

      This field contains one ESP packet.

4.  Processing Procedures

   This ESP-in-UDP encapsulation causes ESP [RFC2406] packets to be
   forwarded across the IP WAN via "UDP tunnels".  When an IPsec VPN
   gateway performs ESP-in-UDP encapsulation, it performs the ordinary
   ESP encapsulation procedure and then inserts a UDP header formatted
   as in Section 3 between the outer IP header and the ESP header.  The
   Source Port field of the UDP header is filled with an entropy value
   generated by the IPsec VPN gateway.
   Upon receiving these UDP-encapsulated packets, the remote IPsec VPN
   gateway MUST decapsulate them by removing the UDP header and then
   performing the ordinary ESP decapsulation procedure.

   Like all other IP-based tunneling technologies, ESP-in-UDP
   encapsulation introduces overhead and reduces the effective Maximum
   Transmission Unit (MTU) size.  ESP-in-UDP encapsulation may also
   affect Time-to-Live (TTL) or Hop Count (HC) and Differentiated
   Services (DSCP) handling.  Hence, ESP-in-UDP MUST follow the
   corresponding procedures defined in [RFC2003].

   Encapsulators MUST NOT fragment the ESP packet, and when the outer IP
   header is IPv4, encapsulators MUST set the DF bit in the outer IPv4
   header.  It is strongly RECOMMENDED that the IP transit core be
   configured to carry an MTU at least large enough to accommodate the
   added encapsulation headers.  Meanwhile, it is strongly RECOMMENDED
   that Path MTU Discovery [RFC1191] [RFC1981] or Packetization Layer
   Path MTU Discovery (PLPMTUD) [RFC4821] be used to prevent or minimize
   fragmentation.

5.  Congestion Considerations

   TBD.

6.  Applicability Statements

   TBD.

7.  Acknowledgements

8.  IANA Considerations

   One UDP destination port number indicating ESP needs to be allocated
   by IANA:

      Service Name: ESP-in-UDP
      Transport Protocol(s): UDP
      Assignee: IESG
      Contact: IETF Chair
      Description: Encapsulate ESP packets in UDP tunnels.
      Reference: This document.
      Port Number: TBD1 -- To be assigned by IANA.

9.  Security Considerations

   TBD.

10.  References

10.1.  Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC1191]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
              DOI 10.17487/RFC1191, November 1990.

   [RFC1981]  McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery
              for IP version 6", RFC 1981, DOI 10.17487/RFC1981, August
              1996.  (Obsoleted by RFC 8201.)

   [RFC2003]  Perkins, C., "IP Encapsulation within IP", RFC 2003,
              DOI 10.17487/RFC2003, October 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2401]  Kent, S. and R. Atkinson, "Security Architecture for the
              Internet Protocol", RFC 2401, DOI 10.17487/RFC2401,
              November 1998.  (Obsoleted by RFC 4301.)

   [RFC2406]  Kent, S. and R. Atkinson, "IP Encapsulating Security
              Payload (ESP)", RFC 2406, DOI 10.17487/RFC2406, November
              1998.  (Obsoleted by RFC 4303 and RFC 4305.)

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
              December 1998.  (Obsoleted by RFC 8200.)

   [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU
              Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007.

   [RFC6438]  Carpenter, B. and S. Amante, "Using the IPv6 Flow Label
              for Equal Cost Multipath Routing and Link Aggregation in
              Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011.

   [RFC6935]  Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and
              UDP Checksums for Tunneled Packets", RFC 6935,
              DOI 10.17487/RFC6935, April 2013.

   [RFC6936]  Fairhurst, G. and M. Westerlund, "Applicability Statement
              for the Use of IPv6 UDP Datagrams with Zero Checksums",
              RFC 6936, DOI 10.17487/RFC6936, April 2013.

10.2.  Informative References

   [RFC3948]  Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
              Stenberg, "UDP Encapsulation of IPsec ESP Packets",
              RFC 3948, DOI 10.17487/RFC3948, January 2005.

Authors' Addresses

   Xiaohu Xu
   Huawei

   Email: xuxiaohu@huawei.com

   Dacheng Zhang
   Huawei

   Email: dacheng.zhang@huawei.com

   Liang Xia
   Huawei

   Email: frank.xialiang@huawei.com
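   The Section 3 encapsulation format and the Section 4 processing
   procedures, worked through as an added example in Python.  This code
   is not part of the draft and is not the authors' implementation.  It
   assumes a placeholder value of 4501 for the IANA port TBD1, hashes an
   inner five-tuple string with SHA-256 as one possible entropy function
   (the draft leaves both the flow definition and the hash algorithm to
   the encapsulator), and treats the ESP packet as an opaque byte string
   already produced by the IPsec stack.  The addresses and ESP payload in
   the usage section are constructed sample data.

```python
"""ESP-in-UDP encapsulator/decapsulator (Sections 3 and 4).  Added example,
not the draft's code.  ASSUMPTIONS: ESP_IN_UDP_PORT stands in for the
IANA port TBD1; the flow key and SHA-256 are local choices for the entropy
hash; the ESP packet is an opaque byte string built by the IPsec stack."""
import hashlib
import ipaddress
import struct

ESP_IN_UDP_PORT = 4501                   # ASSUMPTION: placeholder for TBD1
UDP_HDR_LEN, IPV4_HDR_LEN, IPV6_HDR_LEN = 8, 20, 40
PROTO_UDP = 17
IPV4_DF = 0x4000                         # flags/fragment word: DF=1, offset 0

def entropy_port(flow_key: bytes) -> int:
    """14-bit flow hash in the low bits, top two bits 0b11: 49152..65535."""
    digest = hashlib.sha256(flow_key).digest()
    return 0xC000 | (int.from_bytes(digest[:2], "big") & 0x3FFF)

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv6_udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum over the IPv6 pseudo-header; `udp` carries a zeroed
    checksum field.  A computed zero is transmitted as 0xFFFF (RFC 768)."""
    pseudo = src + dst + struct.pack("!IxxxB", len(udp), PROTO_UDP)
    return (0xFFFF ^ ones_complement_sum(pseudo + udp)) or 0xFFFF

def outer_ip_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    """Outer IPv4 header with DF set (Section 4) or IPv6 header, by address size."""
    if len(src) == 4:
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + udp_len,
                          0, IPV4_DF, 64, PROTO_UDP, 0, src, dst)
        csum = 0xFFFF ^ ones_complement_sum(hdr)
        return hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return struct.pack("!IHBB16s16s", 0x60000000, udp_len, PROTO_UDP, 64, src, dst)

def encapsulate(esp: bytes, flow_key: bytes, src_ip: str, dst_ip: str,
                path_mtu: int) -> bytes:
    """Sender: outer IP header, then UDP(entropy sport, dport TBD1), then ESP."""
    src = ipaddress.ip_address(src_ip).packed
    dst = ipaddress.ip_address(dst_ip).packed
    udp_len = UDP_HDR_LEN + len(esp)
    total = (IPV4_HDR_LEN if len(src) == 4 else IPV6_HDR_LEN) + udp_len
    if total > path_mtu:
        # Encapsulators MUST NOT fragment; fail so PMTUD / the inner host can react.
        raise ValueError(f"{total}-byte ESP-in-UDP packet exceeds path MTU {path_mtu}")
    udp = struct.pack("!HHHH", entropy_port(flow_key), ESP_IN_UDP_PORT, udp_len, 0) + esp
    if len(src) == 16:
        # The IPv6 header has no checksum, so the UDP checksum MUST be present.
        udp = udp[:6] + struct.pack("!H", ipv6_udp_checksum(src, dst, udp)) + udp[8:]
    # IPv4: the UDP checksum stays zero, as RECOMMENDED in Section 3.
    return outer_ip_header(src, dst, udp_len) + udp

def decapsulate(packet: bytes) -> tuple:
    """Receiver: validate and strip outer IP + UDP; return (esp, source port)."""
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4
        proto, src, dst, udp = packet[9], packet[12:16], packet[16:20], packet[ihl:]
    elif version == 6:
        proto, src, dst, udp = packet[6], packet[8:24], packet[24:40], packet[40:]
    else:
        raise ValueError("outer header is neither IPv4 nor IPv6")
    if proto != PROTO_UDP or len(udp) < UDP_HDR_LEN:
        raise ValueError("outer payload is not a UDP datagram")
    sport, dport, udp_len, csum = struct.unpack("!HHHH", udp[:UDP_HDR_LEN])
    if dport != ESP_IN_UDP_PORT or udp_len != len(udp):
        raise ValueError("not an ESP-in-UDP datagram")
    if version == 6:
        # Zero-checksum mode is allowed only under the RFC 6935 exceptions,
        # which this receiver does not implement: require and verify the checksum.
        zeroed = udp[:6] + b"\x00\x00" + udp[8:]
        if csum == 0 or ipv6_udp_checksum(src, dst, zeroed) != csum:
            raise ValueError("bad or missing IPv6 UDP checksum")
    return udp[UDP_HDR_LEN:], sport

if __name__ == "__main__":
    # Constructed sample: an ESP packet (SPI 0x100, sequence 1, 40 opaque bytes)
    # for an inner flow identified by its five-tuple string.
    esp = struct.pack("!II", 0x100, 1) + b"\xaa" * 40
    key = b"10.0.0.1,10.0.0.2,6,40000,443"
    for src, dst in (("192.0.2.1", "198.51.100.1"), ("2001:db8::1", "2001:db8::2")):
        pkt = encapsulate(esp, key, src, dst, path_mtu=1500)
        assert decapsulate(pkt) == (esp, entropy_port(key))
        print(f"{src} -> {dst}: {len(pkt)} bytes, UDP source port {entropy_port(key)}")
```

   The IPv4 path leaves the UDP checksum at zero and sets DF; the IPv6
   path computes the checksum over the pseudo-header and the receiver
   rejects a datagram whose checksum is zero or wrong; both paths refuse
   to emit a datagram larger than the path MTU rather than fragment it.
   One caveat for deployments: because the entropy value is a function
   of inner-flow fields, an on-path observer can see which encrypted
   packets share an inner flow and, with an unkeyed hash, can test
   guesses of the inner five-tuple against the 14-bit value.  Keying the
   hash with a per-tunnel secret removes the second exposure while
   keeping the same port layout; the constant-port option from Section 3
   removes both at the cost of the load-balancing benefit.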