Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

"Bottorff, Paul" <paul.bottorff@hpe.com> Fri, 16 July 2021 18:05 UTC

From: "Bottorff, Paul" <paul.bottorff@hpe.com>
To: Tobias Brunner <tobias@strongswan.org>, Valery Smyslov <smyslov.ietf@gmail.com>, 'Tero Kivinen' <kivinen@iki.fi>, "antony.antony@secunet.com" <antony.antony@secunet.com>, 'IPsec' <ipsec@ietf.org>
CC: 徐小虎 <xiaohu.xu@capitalonline.net>, Shraddha Hegde <shraddha@juniper.net>, Mahendra Maddur Puttaswamy <mpmahendra@juniper.net>
Date: Fri, 16 Jul 2021 18:02:45 +0000
Message-ID: <CS1PR8401MB11928BB2C45625F3867EB774FE119@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM>
References: <CS1PR8401MB11928BE251D4B6E05184D941FE619@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <20210331103220.GA21137@moon.secunet.de> <CS1PR8401MB119267E038AFBDFD996F0441FE7C9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <24678.19440.553333.890224@fireball.acr.fi> <036401d72786$91047b90$b30d72b0$@gmail.com> <CS1PR8401MB11924CD1BF4CC233523180F3FE7A9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <CS1PR8401MB119239134AD78A9B30754AE4FE139@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <f0cf6bca-f3b8-c991-2257-90def87f40c9@strongswan.org> <CS1PR8401MB11925D7FE5542E0E14F86F6CFE129@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <7cd40215-563d-9860-62fa-4110f1bd3895@strongswan.org>
In-Reply-To: <7cd40215-563d-9860-62fa-4110f1bd3895@strongswan.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/eW5aAwbYFzdiT4JbLSUo7NnTih8>

Hi Tobias:

Somehow I think we are misunderstanding each other. Please excuse the long introduction to answer your question.

Consider an IPSEC initiator sitting behind a NAPT talking with an IPSEC responder on the Internet (within a DC).

The initiator will start with IKE. The IKE packets will not be LB and since a NAPT would be detected, the IKE packets would use source and destination port 4500.

After IKE established the SA, load balancing will be used with ESPinUDP packet exchanges. 

Both the initiator and the responder can exchange ESPinUDP with LB after the SA is established. For ESPinUDP with LB the source port will be used for entropy. This does not necessarily mean the source port is random; however, it does mean the source port must cover a range of values sufficient to provide the required level of entropy. Draft-xu-ipsecme-esp-in-udp-lb does not provide specific guidance on entropy values; however, for NAT interoperability it is desirable to limit the number of entropy values.

An IPSEC initiator (behind NAPT) using draft-xu-ipsecme-esp-in-udp-lb will generate LB ESPinUDP packets with the entropy value in the source port and a new destination port; however, the use of a new port to designate LB complicates the situation. Instead, if we consider both ends of the SA being configured for LB, then we can simply use the existing 4500 port to designate the ESPinUDP encapsulation. Using this observation, IPSEC LB packets transmitted from the initiator (behind the NAPT) would have entropy in the source port and 4500 in the destination port.

Each IPSEC initiator LB packet with a different entropy value will result in a new mapping at the NAPT.

The normal behaviour of the responder (outside the NAPT) is to transmit to the destination address and port of the last packet source address and port (from the initiator), however this is where we deviate for a LB implementation. Instead the responder (outside the NAPT) transmits all responses to the address and port established for IKE, however with an entropy value in the source port. Since the NAPT has the IKE mapping this will deliver the ESPinUDP packet to the initiator where the destination port will be restored to 4500 and the source port will be the entropy value.

So, to your question about NAPT filtering: if the NAPT follows REQ-8 in RFC 4787, then filtering will pass the responder packets, since the destination address and port will be mapped and the source address will also be known. In the event a NAPT violates REQ-8 and does Address and Port-Dependent Filtering, then the responder packets might be filtered. There may be solutions for this case; however, for the present discussion it does not seem worth pursuing the case where a NAPT violates REQ-8.

Cheers,

Paul

-----Original Message-----
From: Tobias Brunner [mailto:tobias@strongswan.org]
Sent: Thursday, July 15, 2021 11:52 PM
To: Bottorff, Paul <paul.bottorff@hpe.com>; Valery Smyslov <smyslov.ietf@gmail.com>; 'Tero Kivinen' <kivinen@iki.fi>; antony.antony@secunet.com; 'IPsec' <ipsec@ietf.org>
Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Hi Paul,

> The ports used for IKE packets would not be randomized since IKE would not use source port for LB and so should be stable at the NAT.

I was not referring to the IKE but the ESP packets sent by the responder to the natted IKE port for LB.  Wasn't that what you were proposing?

Regards,
Tobias
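The NAPT exchange Paul walks through in his reply, as an added example that is not code from the draft, the thread, or any IPsec implementation: a small model of a NAPT with the three RFC 4787 filtering behaviours (endpoint-independent, address-dependent, address and port-dependent), run over the IKE-then-LB exchange. It shows that the responder's LB replies sent to the IKE mapping are delivered under the two REQ-8 behaviours and dropped under address and port-dependent filtering. Addresses and entropy ports are constructed.

```python
from dataclasses import dataclass, field

# RFC 4787 section 5 filtering behaviours; REQ-8 recommends the first two.
EIF, ADF, APDF = "endpoint-independent", "address-dependent", "address+port-dependent"

@dataclass
class Napt:
    ext_addr: str
    filtering: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # (int_addr, int_port) -> ext_port
    contacted: dict = field(default_factory=dict)  # (int_addr, int_port) -> {remote endpoints}

    def outbound(self, src, dst):
        """Translate internal src -> remote dst; endpoint-independent mapping (REQ-1)."""
        if src not in self.mappings:
            self.mappings[src] = self.next_port
            self.next_port += 1
        self.contacted.setdefault(src, set()).add(dst)
        return (self.ext_addr, self.mappings[src]), dst

    def inbound(self, remote, ext_port):
        """Internal endpoint an inbound packet is delivered to, or None if filtered."""
        for src, port in self.mappings.items():
            if port != ext_port:
                continue
            seen = self.contacted[src]
            if self.filtering == EIF:
                return src
            if self.filtering == ADF and any(addr == remote[0] for addr, _ in seen):
                return src
            if self.filtering == APDF and remote in seen:
                return src
        return None

def run_scenario(filtering, entropy_ports=(50001, 50002, 50003)):
    """IKE 4500->4500, LB ESPinUDP with entropy in the initiator's source port,
    then responder LB replies to the IKE mapping with entropy in its source port.
    Returns (NAPT mappings created, responder LB packets delivered to the initiator)."""
    nat = Napt("203.0.113.1", filtering)  # constructed addresses (RFC 5737 ranges)
    initiator, responder = ("10.0.0.2", 4500), ("198.51.100.9", 4500)
    (_, ike_ext_port), _ = nat.outbound(initiator, responder)
    for p in entropy_ports:                       # each entropy value: a new mapping
        nat.outbound(("10.0.0.2", p), responder)
    delivered = sum(
        nat.inbound(("198.51.100.9", p), ike_ext_port) == initiator
        for p in entropy_ports)                   # dst port restored to 4500 inside
    return len(nat.mappings), delivered
```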