Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

"Bottorff, Paul" <paul.bottorff@hpe.com> Wed, 31 March 2021 23:38 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/x-YJKIRmVWmmkx73aVhCJRAhosk>

Hi Antony:

Below,

Cheers,

Paul



-----Original Message-----
From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Antony Antony
Sent: Wednesday, March 31, 2021 3:32 AM
To: Bottorff, Paul <paul.bottorff@hpe.com>; IPsec <ipsec@ietf.org>
Cc: antony.antony@secunet.com
Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Hi,

This is an interesting draft. I would love to see a generic solution for network paths and receiver use cases, such as RSS.

PB>> Can you explain your use case for RSS a little more? I'd guess you are looking at LB around the RSS queues to get better distribution for the decodes.
<<

RFC 3948 specifies one pair of UDP ports, 4500-4500.
Both the IKE flow and the ESP in UDP flow should use the same UDP flow.
The draft seems to suggest new destination port and source ports are only for ESP? How would this change work with IKE?
Maybe you are not intending to use IKE?

PB>> Our use cases use IKE, however as stated in RFC3948 ESPinUDP does not have to be tied to IKE, it is just advantageous to do so for the NAT case since this allows a single mapping for both at the NAT rather than two mappings.
PB>> I've wondered why we could not use the RFC3948 encoding for ESPinUDP, but allow the source port to be chosen differently than IKE. Perhaps Xu has some thoughts on this.
<<

How would the new ESP flow work when there is a NAT gateway along the path?
I ran into issues with both sides choosing different source ports.
It would cause SADB mapping changes which force changes to IKE flows. One could disable SADB mapping changes. However, that would break real NAT changes.

PB>> We are mostly interested in data centre use cases which don't have intervening NATs, however I believe SD-WAN cases could have NAT and FW traversals between tunnel end points. As it stands draft-xu-ipsecme-esp-in-udp-lb does not specify how the source port value is determined. It seems like it could be based on a hash value within the ESP or based on the SPI and IPs.
<<

Should both sides use the same source port? Or can each peer choose its own source port independently? If both have to use the same port how do peers negotiate on the ephemeral source port. I ran into issues with or without NAT. Or do you disable SADB mapping completely?

When the source port is chosen independently the flow will be asymmetric.
The NAT gateway drops the ESP flow in one direction. A typical NAT gateway only allows symmetric UDP flows. And this flow must be initiated from one side, the side behind the NAT. So, I wonder how changing the source port alone would work.

regards,
-antony
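As an added illustration that is not from the draft or from either poster: a Python sketch of the RFC 3948 framing Antony refers to (IKE and ESP sharing port 4500, told apart by the Non-ESP Marker), plus a toy port-restricted NAT check showing why independently chosen per-direction source ports fail the symmetric-flow requirement and cost a second NAT mapping. The SPI-and-address hash used for the source port is an assumption, since the draft does not specify how the port is derived.

```python
import hashlib
import struct

NAT_T_PORT = 4500  # RFC 3948 NAT-T port shared by IKE and ESP-in-UDP
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE on 4500 is prefixed with a zero "SPI"

def udp_encap(sport, dport, payload):
    """UDP header (checksum zero, which RFC 3948 permits) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def esp_in_udp(spi, seq, ciphertext, sport=NAT_T_PORT):
    """RFC 3948 ESP-in-UDP: UDP header, then the ESP header (SPI, sequence) and body."""
    return udp_encap(sport, NAT_T_PORT, struct.pack("!II", spi, seq) + ciphertext)

def ike_in_udp(ike_message):
    """RFC 3948 IKE on port 4500: a 4-byte zero Non-ESP Marker precedes the IKE header."""
    return udp_encap(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + ike_message)

def classify(datagram):
    """Receiver demux on a shared 4500 socket: a zero SPI is never valid for ESP."""
    if len(datagram) < 12:
        return "too short"
    return "ike" if datagram[8:12] == NON_ESP_MARKER else "esp"

def lb_source_port(spi, src_ip, dst_ip):
    """Assumed entropy port derived from SPI and addresses; the draft leaves this open."""
    h = hashlib.sha256(struct.pack("!I", spi) + src_ip.encode() + dst_ip.encode()).digest()
    return 49152 + int.from_bytes(h[:2], "big") % 16384  # keep it in the ephemeral range

def nat_allows_reply(outbound, inbound):
    """Toy port-restricted NAT: the reply must mirror the outbound 5-tuple exactly.
    Flows are (src_ip, dst_ip, sport, dport) as seen by the inside host; translating
    the inside port does not change the mirroring requirement."""
    src, dst, sport, dport = outbound
    return inbound == (dst, src, dport, sport)

def nat_mapping_count(flows):
    """Distinct (inside ip, inside port) bindings the NAT must keep for these flows."""
    return len({(src, sport) for src, _dst, sport, _dport in flows})

def nat_t_comparison(inside="10.0.0.2", outside="203.0.113.9", spi_out=0x1000, spi_in=0x2000):
    """Constructed scenario: a peer behind a NAT talks to an outside peer; each tunnel
    direction has its own SPI. Returns (rfc3948_reply_ok, hashed_reply_ok,
    rfc3948_mappings, hashed_mappings)."""
    ike = (inside, outside, NAT_T_PORT, NAT_T_PORT)
    esp_out = (inside, outside, NAT_T_PORT, NAT_T_PORT)  # RFC 3948: same flow as IKE
    esp_reply = (outside, inside, NAT_T_PORT, NAT_T_PORT)
    # Each peer derives its own source port from its outbound SPI, independently
    esp_out_h = (inside, outside, lb_source_port(spi_out, inside, outside), NAT_T_PORT)
    esp_reply_h = (outside, inside, lb_source_port(spi_in, outside, inside), NAT_T_PORT)
    return (nat_allows_reply(esp_out, esp_reply), nat_allows_reply(esp_out_h, esp_reply_h),
            nat_mapping_count([ike, esp_out]), nat_mapping_count([ike, esp_out_h]))
```

`nat_t_comparison()` returns `(True, False, 1, 2)`: the fixed 4500-4500 flow is mirrored and shares IKE's single mapping, while the hashed ports give an asymmetric flow the NAT drops and a second mapping.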

On Fri, Mar 26, 2021 at 18:07:37 +0000, Bottorff, Paul wrote:
>    Hi Xu:
> 
> 
>    We’ve got a lot of interest in your draft. Are you going to move this
>    forward to a working group draft and RFC? We would be happy to help
>    where needed.
> 
> 
>    Cheers,
> 
> 
>    Paul Bottorff
> 
>    Aruba a Hewlett Packard Enterprise Company



_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec