Internet-Draft | UDP encapsulated ESP for ECMP | April 2023 |
Acharya & Holbrook | Expires 23 October 2023 | [Page] |
This document modifies [RFC3948] to allow the UDP source port of a UDP-Encapsulated ESP packet to provide entropy for ECMP load balancing between IPSec tunnel endpoints. This document provides guidelines for safely allowing this behavior and falling back to the encapsulation defined in [RFC3948] when a NAT gateway is discovered in the path.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://example.com/LATEST. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-acharya-ipsecme-esp-ecmp/.¶
Discussion of this document takes place on the WG Working Group mailing list (mailto:[email protected]), which is archived at https://example.com/WG.¶
Source for this draft and an issue tracker can be found at https://github.com/USER/REPO.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 23 October 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Equal Cost Multi-Path (ECMP) can be used to balance traffic across multiple paths between 2 end-points. An important requirement is to have packets belonging to the same “flow” use the same path to prevent reordering of packets within a flow.¶
IPsec can be used to secure traffic between two Tunnel End Points (TEPs). Two ways of doing this are to use¶
Either way, one IPsec session, identified by outer IP addresses and SPI value in the ESP header, can be used to protect packets belonging to multiple “flows”. In this context, a “flow” is a sequence of packets with common inner header fields.. Examples of such inner packet header fields are the original IP addresses of the payload packet inside an IPsec tunnel.¶
The flow to which an IPsec encrypted packet belongs cannot generally be identified because the inner packet headers are encrypted. This document defines a mechanism that allows different flows using the same IPsec session to take different paths, while still maintaining a single path for each flow. In order to do this, the UDP source port of a UDP-encapsulated ESP packet carries a “digest” of inner packet headers. The “digest” enables this outer source port to be used for load balancing in the transport network between TEPs.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP header [RFC4303] | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
Note that the use of the UDP source port is consistent with its usage in VXLAN, [RFC7348]¶
When different flows take different paths between tunnel endpoints there can be big differences in path-delay and out-of-order packets are more likely to arrive outside the anti-replay window. Therefore, it is RECOMMENDED that the IPsec anti-replay service, defined in [RFC4301], be disabled for a session using UDP encapsulated ESP for ECMP.¶
If IKE is configured to support NAT-Traversal and detects NAT along the path between IKE peers, then UDP encapsulated ESP is used for NAT-Traversal, per [RFC3947]. In that case, the UDP Source Port number MUST be the same as that used by IKE traffic per [RFC3948], which supersedes the recommendation in this document.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document has no IANA actions.¶