Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

"Bottorff, Paul" <paul.bottorff@hpe.com> Fri, 02 April 2021 21:59 UTC

From: "Bottorff, Paul" <paul.bottorff@hpe.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, 'Tero Kivinen' <kivinen@iki.fi>
CC: 'IPsec' <ipsec@ietf.org>, "antony.antony@secunet.com" <antony.antony@secunet.com>
Thread-Topic: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07
Thread-Index: AdciaiROLLoGnn3oQyW5+9ys0PMxKgJRErFpANOS/JYCNRDTH6tGNXFQq2XEr5A=
Date: Fri, 02 Apr 2021 21:59:12 +0000
Message-ID: <CS1PR8401MB11924CD1BF4CC233523180F3FE7A9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM>
References: <CS1PR8401MB11928BE251D4B6E05184D941FE619@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <20210331103220.GA21137@moon.secunet.de> <CS1PR8401MB119267E038AFBDFD996F0441FE7C9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <24678.19440.553333.890224@fireball.acr.fi> <036401d72786$91047b90$b30d72b0$@gmail.com>
In-Reply-To: <036401d72786$91047b90$b30d72b0$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
X-MS-Exchange-CrossTenant-Network-Message-Id: 44aa9f96-417b-41ab-93bc-08d8f6228ccb
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Apr 2021 21:59:12.2958 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 105b2061-b669-4b31-92ac-24d304d195dc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 7a/95s2TcEPPfRyqBj1aapHhAUC+nQlUuZaTxVMJHFfDFaUGX+1LJquxjk3+pdFPL9KrpbEMc+MfiK0WBT4AhQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CS1PR8401MB0853
X-OriginatorOrg: hpe.com
X-Proofpoint-GUID: A2aeV4D94yWXslc0W7_1Kfkq4kKz4s4s
X-Proofpoint-ORIG-GUID: A2aeV4D94yWXslc0W7_1Kfkq4kKz4s4s
Content-Transfer-Encoding: quoted-printable
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
X-HPE-SCL: -1
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-04-02_15:2021-04-01, 2021-04-02 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 clxscore=1011 suspectscore=0 bulkscore=0 mlxlogscore=999 phishscore=0 malwarescore=0 lowpriorityscore=0 priorityscore=1501 spamscore=0 adultscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2103310000 definitions=main-2104020144
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/77OX6-wkjuM1QHnEfWtZQXzEW3g>
Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Apr 2021 21:59:22 -0000

Hi Valery:

Agreed that LB only needs control of the source port to provide entropy. 

Our application is for traversal of highly meshed data centre fabrics. We encapsulate and de-encapsulate at the server using smart NICs and so don't have any impact on RSS or host software (nor improvement over their standard operation). We perform the encapsulation/de-encapsulation after the ESP packet is formed. Since encapsulation occurs after and de-encapsulation occurs before the IPsec stack, IPsec does not see any of the new port assignments so we don't have any issues with the SADB or IKE.

Cheers,

Paul

-----Original Message-----
From: Valery Smyslov [mailto:smyslov.ietf@gmail.com] 
Sent: Thursday, April 1, 2021 11:08 PM
To: 'Tero Kivinen' <kivinen@iki.fi>; Bottorff, Paul <paul.bottorff@hpe.com>
Cc: 'IPsec' <ipsec@ietf.org>; antony.antony@secunet.com
Subject: RE: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Hi Tero,

> For the load balancing I think it is enough for just one of the ports 
> to be different, thus initiator could simply allocate n random source 
> port numbers, and initiate IKE from each of them to responder, and 
> then create SAs for each of them separately, thus allowing load 
> balancing using UDP encapsulation using existing hardware.

RFC 7791 + MOBIKE can be used to clone IKE SA  and move it to a different local IP+port.

Regards,
Valery.

> --
> kivinen@iki.fi
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> INVALID URI REMOVED
> man_listinfo_ipsec&d=DwICAg&c=C5b8zRQO1miGmBeVZ2LFWg&r=CCwOcKkISkWxd8Ymy11M8VW3U6Peq8aJ_DDlgVbQW5E&m=ykseXYzNH5MG1guNwTPMGiGby4o46mBhv92vwoSpb0U&s=nCqbPzmEc1xdTkL0jPmKmNgH252j3dURPVnH8bt4OtE&e=

[IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Bottorff, Paul
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Antony Antony
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Bottorff, Paul
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Antony Antony
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Paul Wouters
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Tero Kivinen
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Valery Smyslov
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Bottorff, Paul
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Bottorff, Paul
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Tobias Brunner
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Bottorff, Paul
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Tobias Brunner
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Bottorff, Paul
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Paul Wouters
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Bottorff, Paul
Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07 Paul Wouters