Hi,

This is an interesting draft. I would love to see a generic solution for network paths and receiver use cases, such as RSS.

The RFC3948 specifies one pair of UDP ports 4500-4500. Both the IKE flow and the ESP in UDP flow should use the same UDP flow. The draft seems to suggest new destination port and source ports are only for ESP? How would this change work with IKE? Maybe you are not intending to use IKE?

How would the new ESP flow work when there is a NAT gateway along the path?

I ran into issues with both sides choosing different source ports. It would cause SADB mapping changes which force changes to IKE flows. One could disable SADB mapping changes. However, that would break real NAT changes.

Should both sides use the same source port? Or can each peer choose its own source port independently? If both have to use the same port, how do peers negotiate on the ephemeral source port? I ran into issues with or without NAT. Or do you disable SADB mapping completely?

When the source port is chosen independently the flow will be asymmetric. The NAT gateway drops the ESP flow in one direction. A typical NAT gateway only allows symmetric UDP flows. And this flow must be initiated from one side, the side behind the NAT. So, I wonder how changing the source port alone would work.

regards,
-antony

On Fri, Mar 26, 2021 at 18:07:37 +0000, Bottorff, Paul wrote:
> Hi Xu:
>
> We’ve got a lot of interest in your draft. Are you going to move this
> forward to a working group draft and RFC? We would be happy to help
> where needed.
>
> Cheers,
>
> Paul Bottorff
>
> Aruba a Hewlett Packard Enterprise Company
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
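
Added example, not part of the original message or of the draft under discussion: a toy model of the NAT behaviour the message describes, where inbound UDP passes only as the exact reverse of a flow started from the inside. The `Nat` class, the addresses (documentation ranges), the allocation start 40000 and the ephemeral ports 51000 and 52000 are constructed assumptions; only the 4500-4500 pair comes from the message.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy NAT: inbound UDP passes only as the exact reverse of an inside-initiated flow."""
    public_ip: str
    next_port: int = 40000                     # constructed allocation start
    maps: dict = field(default_factory=dict)   # inside (ip, port) -> public port
    flows: dict = field(default_factory=dict)  # (public port, remote ip, remote port) -> inside (ip, port)

    def outbound(self, src, dst):
        """Inside host sends src -> dst; returns the translated (public) source."""
        if src not in self.maps:
            self.maps[src] = self.next_port
            self.next_port += 1
        pub_port = self.maps[src]
        self.flows[(pub_port, *dst)] = src
        return (self.public_ip, pub_port)

    def inbound(self, src, dst_port):
        """Outside host sends src -> public_ip:dst_port; returns inside target, or None if dropped."""
        return self.flows.get((dst_port, *src))


def scenario():
    nat = Nat("203.0.113.1")
    a, b = "192.168.1.10", "198.51.100.7"      # A is behind the NAT, B is public
    results = {}
    # IKE on the RFC 3948 pair 4500-4500, started by A (the side behind the NAT).
    ike_pub = nat.outbound((a, 4500), (b, 4500))
    results["ike_reply"] = nat.inbound((b, 4500), ike_pub[1])
    # A sends ESP-in-UDP from its own ephemeral source port to B:4500.
    esp_pub = nat.outbound((a, 51000), (b, 4500))
    # B answers on the reverse of that flow (source 4500): passes.
    results["esp_symmetric"] = nat.inbound((b, 4500), esp_pub[1])
    # B picks its own ephemeral source port instead: no matching flow, dropped.
    results["esp_asym_to_esp_map"] = nat.inbound((b, 52000), esp_pub[1])
    results["esp_asym_to_ike_map"] = nat.inbound((b, 52000), ike_pub[1])
    return results


if __name__ == "__main__":
    for name, target in scenario().items():
        print(f"{name:22} -> {target or 'DROPPED'}")
```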