Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-07-22 Thread Paul Wouters
...@nohats.ca] Sent: Friday, July 16, 2021 12:46 PM To: Bottorff, Paul Cc: Tobias Brunner ; Valery Smyslov ; 'Tero Kivinen' ; antony.ant...@secunet.com; 'IPsec' ; Mahendra Maddur Puttaswamy ; Shraddha Hegde ; 徐小虎 Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 On Fri, 16 Jul 2021

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-07-16 Thread Bottorff, Paul
Hegde ; 徐小虎 Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 On Fri, 16 Jul 2021, Bottorff, Paul wrote: > Somehow I think we are misunderstanding. Please excuse the long introduction > to answer your question. I am also very confused. > Consider an IPSEC initiator sitting behi

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-07-16 Thread Paul Wouters
On Fri, 16 Jul 2021, Bottorff, Paul wrote: Somehow I think we are misunderstanding. Please excuse the long introduction to answer your question. I am also very confused. Consider an IPSEC initiator sitting behind a NAPT talking with an IPSEC responder on the Internet (within a DC). The

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-07-16 Thread Bottorff, Paul
' Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Hi Paul, > The ports used for IKE packets would not be randomized since IKE would not > use source port for LB and so should be stable at the NAT. I was not referring to the IKE but the ESP packets sent by the responder to the natt

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-07-16 Thread Tobias Brunner
Hi Paul, The ports used for IKE packets would not be randomized since IKE would not use source port for LB and so should be stable at the NAT. I was not referring to the IKE but the ESP packets sent by the responder to the natted IKE port for LB. Wasn't that what you were proposing?

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-07-15 Thread Bottorff, Paul
Kivinen' ; antony.ant...@secunet.com; 'IPsec' Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Hi Paul, > Instead, the responder should use the port received by the responder in the > IKE exchanges. Note that if these packets have random source ports, this will only work if th

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-07-15 Thread Tobias Brunner
Hi Paul, Instead, the responder should use the port received by the responder in the IKE exchanges. Note that if these packets have random source ports, this will only work if the NAT implementation plays along or there is static port forwarding configured. NATs might filter inbound

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-07-14 Thread Bottorff, Paul
-Original Message- From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Bottorff, Paul Sent: Friday, April 2, 2021 2:59 PM To: Valery Smyslov ; 'Tero Kivinen' Cc: 'IPsec' ; antony.ant...@secunet.com Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Hi Valery: Agreed that LB only

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-04-02 Thread Bottorff, Paul
. Cheers, Paul -Original Message- From: Valery Smyslov [mailto:smyslov.i...@gmail.com] Sent: Thursday, April 1, 2021 11:08 PM To: 'Tero Kivinen' ; Bottorff, Paul Cc: 'IPsec' ; antony.ant...@secunet.com Subject: RE: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Hi Tero, > For the load balanc

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-04-02 Thread Valery Smyslov
Hi Tero, > For the load balancing I think it is enough for just one of the ports > to be different, thus initiator could simply allocate n random source > port numbers, and initiate IKE from each of them to responder, and > then create SAs for each of them separately, thus allowing load >

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-04-01 Thread Tero Kivinen
Bottorff, Paul writes: > The RFC3948 specifies one pair of UDP ports 4500-4500. No it does not. It says you must use the same ports as you do for IKE traffic. > Both the IKE flow and the ESP in UDP flow should use the same UDP > flow. The draft seems to suggest new destination port and source

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-04-01 Thread Paul Wouters
On Thu, 1 Apr 2021, Antony Antony wrote: In my experience it would work well when there is no NAT. When there is NAT the IKE and ESP in UDP should use same ports, otherwise IKE will get established and ESP packets could get dropped in one direction. When there is NAT it would look more

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-04-01 Thread Antony Antony
2 AM > To: Bottorff, Paul ; IPsec > Cc: antony.ant...@secunet.com > Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 > > Hi, > > This is an interesting draft. I would love to see a generic solution for > network paths and receiver use cases, such as RSS. > >

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-03-31 Thread Bottorff, Paul
Hi Antony: Below, Cheers, Paul -Original Message- From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Antony Antony Sent: Wednesday, March 31, 2021 3:32 AM To: Bottorff, Paul ; IPsec Cc: antony.ant...@secunet.com Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Hi

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-03-31 Thread Antony Antony
Hi, This is an interesting draft. I would love to see a generic solution for network paths and receiver use cases, such as RSS. The RFC3948 specifies one pair of UDP ports 4500-4500. Both the IKE flow and the ESP in UDP flow should use the same UDP flow. The draft seems to suggest new

[IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

2021-03-26 Thread Bottorff, Paul
Hi Xu: We've got a lot of interest in your draft. Are you going to move this forward to a working group draft and RFC? We would be happy to help where needed. Cheers, Paul Bottorff Aruba a Hewlett Packard Enterprise Company