Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

"Bottorff, Paul" <paul.bottorff@hpe.com> Thu, 15 July 2021 17:47 UTC

From: "Bottorff, Paul" <paul.bottorff@hpe.com>
To: Tobias Brunner <tobias@strongswan.org>, Valery Smyslov <smyslov.ietf@gmail.com>, 'Tero Kivinen' <kivinen@iki.fi>, "antony.antony@secunet.com" <antony.antony@secunet.com>, 'IPsec' <ipsec@ietf.org>
Thread-Topic: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07
Date: Thu, 15 Jul 2021 17:47:14 +0000
Message-ID: <CS1PR8401MB11925D7FE5542E0E14F86F6CFE129@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM>
References: <CS1PR8401MB11928BE251D4B6E05184D941FE619@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <20210331103220.GA21137@moon.secunet.de> <CS1PR8401MB119267E038AFBDFD996F0441FE7C9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <24678.19440.553333.890224@fireball.acr.fi> <036401d72786$91047b90$b30d72b0$@gmail.com> <CS1PR8401MB11924CD1BF4CC233523180F3FE7A9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <CS1PR8401MB119239134AD78A9B30754AE4FE139@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <f0cf6bca-f3b8-c991-2257-90def87f40c9@strongswan.org>
In-Reply-To: <f0cf6bca-f3b8-c991-2257-90def87f40c9@strongswan.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0N1EJpAbrv_ILJ1nrJCpQP6sTCQ>
Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>

Hi Tobias:

The ports used for IKE packets would not be randomized since IKE would not use the source port for LB and so should be stable at the NAT.

Cheers,

Paul

-----Original Message-----
From: Tobias Brunner <tobias@strongswan.org> 
Sent: Thursday, July 15, 2021 1:36 AM
To: Bottorff, Paul <paul.bottorff@hpe.com>; Valery Smyslov <smyslov.ietf@gmail.com>; 'Tero Kivinen' <kivinen@iki.fi>; antony.antony@secunet.com; 'IPsec' <ipsec@ietf.org>
Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Hi Paul,

> Instead, the responder should use the port received by the responder in the IKE exchanges.

Note that if these packets have random source ports, this will only work if the NAT implementation plays along or there is static port forwarding configured.  NATs might filter inbound packets from endpoints that don't equal the IP/port to which the host behind the NAT originally sent packets when the NAT mapping was created (address and port-dependent filtering in terms of RFC 4787).  I guess the same could happen in scenarios where there are no NATs but restrictive firewalls that block traffic from endpoints to which the host behind the firewall did not send traffic.

Regards,
Tobias
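
The filtering behaviours Tobias refers to can be made concrete with a small NAT model. What follows is an added example written for this archive page; it is not code from draft-xu-ipsecme-esp-in-udp-lb, from strongSwan, or from either poster. The hosts, addresses and ports are constructed, the NAT is a toy (endpoint-independent mapping plus one of the three RFC 4787 filtering behaviours), and it assumes that the initiator's ESP-in-UDP packets keep destination port 4500 while varying only their source port. The scenario sends IKE from the stable NAT-T port, sends one ESP-in-UDP packet from a randomised source port, and then lets the responder send a packet back to the port it learned from IKE, either from port 4500 or from some other source port.

```python
"""Toy model of the NAT filtering behaviours defined in RFC 4787 (section 5),
applied to the NAT-T / ESP-in-UDP load-balancing scenario in the thread.

Added example for this page: not code from the draft, from strongSwan or from
any of the posters.  Hosts, addresses, ports, the NAT model and the assumption
that ESP-in-UDP packets keep destination port 4500 are all constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Filtering(Enum):
    """Inbound filtering behaviours from RFC 4787, section 5."""
    ENDPOINT_INDEPENDENT = "endpoint-independent"
    ADDRESS_DEPENDENT = "address-dependent"
    ADDRESS_AND_PORT_DEPENDENT = "address-and-port-dependent"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Endpoint-independent mapping (RFC 4787 REQ-1: one external port per
    internal ip:port) combined with a configurable filtering behaviour."""

    def __init__(self, external_ip: str, filtering: Filtering, first_port: int = 40000):
        self.external_ip = external_ip
        self.filtering = filtering
        self._next_port = first_port
        self._mapping: dict[tuple[str, int], int] = {}      # internal -> external port
        self._reverse: dict[int, tuple[str, int]] = {}      # external port -> internal
        self._peers: dict[int, set[tuple[str, int]]] = {}   # external port -> endpoints sent to

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an internal->external packet, creating a mapping on first
        use and remembering which external endpoint the internal host sent to."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._mapping:
            ext = self._next_port
            self._next_port += 1
            self._mapping[key] = ext
            self._reverse[ext] = key
            self._peers[ext] = set()
        ext = self._mapping[key]
        self._peers[ext].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.external_ip, ext, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an external->internal packet, or return None if the NAT's
        filtering behaviour drops it."""
        if pkt.dst_ip != self.external_ip or pkt.dst_port not in self._reverse:
            return None                                 # no mapping: always dropped
        peers = self._peers[pkt.dst_port]
        if self.filtering is Filtering.ADDRESS_DEPENDENT:
            if all(ip != pkt.src_ip for ip, _ in peers):
                return None                             # never sent to this address
        elif self.filtering is Filtering.ADDRESS_AND_PORT_DEPENDENT:
            if (pkt.src_ip, pkt.src_port) not in peers:
                return None                             # never sent to this ip:port
        int_ip, int_port = self._reverse[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


# Constructed topology (RFC 5737 documentation addresses).
INITIATOR = "10.0.0.2"        # IKE initiator behind the NAT
NAT_IP = "203.0.113.1"        # NAT external address
RESPONDER = "198.51.100.10"   # IKE responder on the public side
NAT_T_PORT = 4500             # UDP port for IKE NAT-T and UDP-encapsulated ESP
RANDOM_ESP_SRC_PORT = 51234   # one of the randomised ESP-in-UDP source ports


def run_scenario(filtering: Filtering, responder_src_port: int) -> dict:
    """The initiator sends IKE from the stable port 4500 and one ESP-in-UDP
    packet from a randomised source port.  The responder then sends a packet
    back to the port it learned from IKE, using `responder_src_port` as its
    own source port.  Returns both NAT mappings and whether the reply got through."""
    nat = Nat(NAT_IP, filtering)
    ike_out = nat.outbound(Packet(INITIATOR, NAT_T_PORT, RESPONDER, NAT_T_PORT))
    esp_out = nat.outbound(Packet(INITIATOR, RANDOM_ESP_SRC_PORT, RESPONDER, NAT_T_PORT))
    reply = Packet(RESPONDER, responder_src_port, NAT_IP, ike_out.src_port)
    return {
        "ike_mapped_port": ike_out.src_port,
        "esp_mapped_port": esp_out.src_port,
        "reply_delivered": nat.inbound(reply) is not None,
    }


if __name__ == "__main__":
    for f in Filtering:
        for sport in (NAT_T_PORT, 60000):
            r = run_scenario(f, sport)
            print(f"{f.value:28s} reply from port {sport:5d}: "
                  f"{'delivered' if r['reply_delivered'] else 'filtered'}")
```

Running the block prints one line per combination. A reply sourced from port 4500, the endpoint the initiator actually sent IKE to, is delivered under all three behaviours; a reply sourced from any other port reaches the host only behind endpoint-independent or address-dependent filtering, which is the "NAT has to play along" condition in the quoted message. The model also shows that the randomised ESP source port creates its own, separate mapping, so the IKE mapping's port is unaffected by it, which is the stability property the reply above relies on.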