Linda,

The draft references RFC 3948, which already covers this. https://tools.ietf.org/html/rfc3948#section-3.2
Anoop

On Tue, Jul 28, 2020 at 4:17 PM Linda Dunbar <[email protected]> wrote:

> Ali,
>
> Thank you very much for the explanation.
>
> IPsec ESP Transport mode header is :
>
> Do you need IPsecme WG to agree to insert a new UDP header between IP
> header and the ESP header?
>
> Thank you,
>
> Linda Dunbar
>
> *From:* Ali Sajassi (sajassi) <[email protected]>
> *Sent:* Tuesday, July 28, 2020 8:14 AM
> *To:* Linda Dunbar <[email protected]>; [email protected]
> *Subject:* Re: Questions about the ESP-Transport and ESP-in-UDP transport in SECURE-EVPN
>
> Linda,
>
> Please see my responses inline marked with AS> …
>
> *From: *Linda Dunbar <[email protected]>
> *Date: *Tuesday, July 28, 2020 at 5:49 AM
> *To: *Cisco Employee <[email protected]>, "[email protected]" <[email protected]>
> *Subject: *Questions about the ESP-Transport and ESP-in-UDP transport in SECURE-EVPN
>
> Ali,
>
> Just follow up with my question in the BESS WG session.
>
> Your draft introduced two Tunnel Types in 5.1: ESP-Transport and
> ESP-in-UDP Transport as below.
>
>     When standard IP Encapsulating Security Payload (ESP) is used
>     (without outer UDP header) for encryption of NVO packets, it is used
>     in transport mode as depicted below. When such encapsulation is used,
>     for BGP signaling, the Tunnel Type of Tunnel Encapsulation TLV is set
>     to ESP-Transport and the Tunnel Type of Encapsulation Extended
>     Community is set to NVO encapsulation type (e.g., VxLAN, GENEVE, GPE,
>     etc.). This implies that the customer packets are first encapsulated
>     using NVO encapsulation type and then it is further encapsulated &
>     encrypted using ESP-Transport mode.
>
> Question 1: Are you assuming that using IPsec Transport mode? Instead of
> IPsec Tunnel mode?
>
> AS> Not assuming but stating ☺ 1st line of section 5.1 says:
>
> “ … it is used in transport mode as depicted below”
>
> Question 2: Your Figure 3 has two encodings, which one is “ESP-Transport”,
> which one is “ESP-in-UDP”?
>
> AS> Figure 3 is for ESP-transport and Figure 4 is for ESP-in-UDP.
> Furthermore, section 5.1 is for ESP-transport and section 5.2 is for
> ESP-in-UDP.
>
> Question 3: The NVO encapsulation (VxLAN, GENEVE, GRE) can also be inside
> the IPsec ESP tunnel. In that case, which type is used?
>
> AS> The tunnel type of the attribute indicates what kind of underlay
> tunnel is used and the tunnel type of the extended community indicates what
> kind of overlay encap is used. Section 5.1 says:
>
>     “the Tunnel Type of Tunnel Encapsulation TLV is set
>     to ESP-Transport and the Tunnel Type of Encapsulation Extended
>     Community is set to NVO encapsulation type (e.g., VxLAN, GENEVE, GPE,
>     etc.).”
>
> And section 5.2 says:
>
>     “the Tunnel Type
>     of Tunnel Encapsulation TLV is set to ESP-in-UDP-Transport and the
>     Tunnel Type of Encapsulation Extended Community is set to NVO
>     encapsulation type (e.g., VxLAN, GENEVE, GPE, etc.).”
>
> Cheers,
>
> Ali
>
> Thanks, Linda
>
> _______________________________________________
> BESS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/bess
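The two header stacks the thread argues about, modelled as bytes so they can be compared side by side: the draft's ESP-Transport layout (outer IP, protocol 50, then ESP, then the NVO encapsulation carrying the customer packet) and the ESP-in-UDP layout that RFC 3948 section 3.2 already defines (outer IP, UDP on port 4500, then ESP). This is a constructed example added here; it is not code from the SECURE-EVPN draft, from RFC 3948, or from any participant in the thread. It assumes VXLAN (UDP 4789) as the NVO encapsulation, uses a placeholder Ethernet frame as the customer packet, and shows the plaintext view only: the ESP trailer and ICV that follow the encrypted payload in a real packet are omitted. All function names (`esp_transport`, `esp_in_udp`, `classify`, `layout`) are hypothetical. The `classify` function shows the receiver-side point that matters for a defender: on port 4500 the four bytes after the UDP header are an SPI, and RFC 3948 reserves the all-zero value as the non-ESP marker for IKE traffic and a single 0xFF byte as the NAT keepalive, so demux relies only on fields that travel in the clear.

```python
import struct

# Constants from the cited RFCs: ESP protocol number (RFC 4303), UDP-encapsulated
# ESP port (RFC 3948), VXLAN port (RFC 7348). Everything else below is constructed.
ESP_PROTO = 50
UDP_PROTO = 17
NAT_T_PORT = 4500
VXLAN_PORT = 4789


def esp_header(spi: int, seq: int) -> bytes:
    """ESP header: 32-bit SPI followed by 32-bit sequence number (both sent in the clear)."""
    if spi == 0:
        # SPI 0 is reserved; on port 4500 it would be read as the non-ESP marker.
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq)


def udp_header(sport: int, dport: int, payload_len: int, checksum: int = 0) -> bytes:
    """UDP header; RFC 3948 has UDP-encapsulated ESP transmit the checksum as zero."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, checksum)


def vxlan_nvo(vni: int, inner_frame: bytes) -> bytes:
    """NVO encapsulation (VXLAN chosen as the example): UDP to 4789 + VXLAN header + frame."""
    vxlan = struct.pack("!II", 0x08000000, vni << 8)  # I flag set, 24-bit VNI
    return udp_header(49152, VXLAN_PORT, len(vxlan) + len(inner_frame)) + vxlan + inner_frame


def esp_transport(spi: int, seq: int, nvo: bytes):
    """Draft section 5.1 layout: outer IP (proto 50) | ESP | NVO encap | customer packet.
    Returns (IP protocol number, bytes that follow the IP header)."""
    return ESP_PROTO, esp_header(spi, seq) + nvo


def esp_in_udp(spi: int, seq: int, nvo: bytes):
    """Draft section 5.2 / RFC 3948 3.2 layout: outer IP (proto 17) | UDP 4500 | ESP | NVO | customer."""
    esp = esp_header(spi, seq) + nvo
    return UDP_PROTO, udp_header(NAT_T_PORT, NAT_T_PORT, len(esp)) + esp


def classify(ip_proto: int, after_ip: bytes) -> tuple:
    """Receiver-side demux of the bytes after the IP header, using only cleartext fields.

    On port 4500: a one-byte 0xFF body is a NAT keepalive, four zero bytes are the
    non-ESP marker (IKE), anything else starts with a non-zero SPI and is ESP."""
    if ip_proto == ESP_PROTO:
        if len(after_ip) < 8:
            return ("malformed", None, None)
        spi, seq = struct.unpack("!II", after_ip[:8])
        return ("ESP-Transport", spi, seq)
    if ip_proto != UDP_PROTO or len(after_ip) < 8:
        return ("other", None, None)
    sport, dport, length, _ = struct.unpack("!HHHH", after_ip[:8])
    if NAT_T_PORT not in (sport, dport):
        return ("udp-other", None, None)
    body = after_ip[8:length]
    if body == b"\xff":
        return ("nat-keepalive", None, None)
    if len(body) < 8:
        return ("malformed", None, None)
    spi, seq = struct.unpack("!II", body[:8])
    if spi == 0:
        return ("IKE", None, None)
    return ("ESP-in-UDP", spi, seq)


def layout(ip_proto: int, after_ip: bytes) -> list:
    """Header stack as a list, for comparing the two encapsulations.
    Plaintext view only: in a real packet everything after the ESP header is
    encrypted and followed by the ESP trailer and ICV, which this model omits."""
    kind, _, _ = classify(ip_proto, after_ip)
    if kind == "ESP-Transport":
        return ["IP", "ESP", "NVO(UDP/VXLAN)", "customer"]
    if kind == "ESP-in-UDP":
        return ["IP", "UDP:4500", "ESP", "NVO(UDP/VXLAN)", "customer"]
    return ["IP", kind]


if __name__ == "__main__":
    frame = bytes(14)  # constructed placeholder for the customer Ethernet frame
    nvo = vxlan_nvo(100, frame)
    for proto, pkt in (esp_transport(0x1234, 1, nvo), esp_in_udp(0x1234, 1, nvo)):
        print(classify(proto, pkt), layout(proto, pkt))
```

The only difference between the two stacks is the UDP header in front of ESP, which is exactly what RFC 3948 already specifies for transport mode; in both cases the NVO UDP/VXLAN headers sit inside the ESP payload, so a monitoring point on the underlay sees only protocol 50 or UDP 4500 and the SPI, never the VNI.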
