Hi Antony, Tero, Valery:

I've put forward draft-bottorff-ipsecme-mtdcuc-ipsec-lb-00 to show the use case for ESP in UDP load balancing I'm concerned with. This case does not require NAT traversal.

With that said, I've spent some time looking into NAT traversal and believe it is possible to combine LB and NAT. To do so the responder must not respond with the source port received in the ESP in UDP packets. Instead, the responder should use the port received by the responder in the IKE exchanges. I believe this means turning off dynamic port updating when combining NAT with LB, which does mean that a change in the NAT mapping for IKE packets (resulting from a NAT timeout or reset) could result in packets being lost; however, this event would be rare. Though there may be ways to cover this boundary case, I don't believe it is worth the effort to fix this problem to support long term use of IPv4.

Though my application is not concerned with RSS, it does seem using MOBIKE to generate entropy for RSS is very clumsy since this requires assigning new IP addresses just to force entropy. The LB proposal seems the best way forward for a general RSS solution.

Cheers,
Paul

-----Original Message-----
From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Bottorff, Paul
Sent: Friday, April 2, 2021 2:59 PM
To: Valery Smyslov <smyslov.i...@gmail.com>; 'Tero Kivinen' <kivi...@iki.fi>
Cc: 'IPsec' <ipsec@ietf.org>; antony.ant...@secunet.com
Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Hi Valery:

Agreed that LB only needs control of the source port to provide entropy. Our application is for traversal of highly meshed data centre fabrics. We encapsulate and de-encapsulate at the server using smart NICs and so don't have any impact on RSS or host software (nor improvement over their standard operation). We perform the encapsulation/de-encapsulation after the ESP packet is formed. Since encapsulation occurs after and de-encapsulation occurs before the IPsec stack, IPsec does not see any of the new port assignments so we don't have any issues with the SADB or IKE.
Cheers,
Paul

-----Original Message-----
From: Valery Smyslov [mailto:smyslov.i...@gmail.com]
Sent: Thursday, April 1, 2021 11:08 PM
To: 'Tero Kivinen' <kivi...@iki.fi>; Bottorff, Paul <paul.botto...@hpe.com>
Cc: 'IPsec' <ipsec@ietf.org>; antony.ant...@secunet.com
Subject: RE: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Hi Tero,

> For the load balancing I think it is enough for just one of the ports
> to be different, thus initiator could simply allocate n random source
> port numbers, and initiate IKE from each of them to responder, and
> then create SAs for each of them separately, thus allowing load
> balancing using UDP encapsulation using existing hardware.

RFC 7791 + MOBIKE can be used to clone IKE SA and move it to a different local IP+port.

Regards,
Valery.

> --
> kivi...@iki.fi
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
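The responder-side policy Paul describes at the top of the thread (reply to the port learned from IKE rather than to the source port of the latest ESP-in-UDP packet, i.e. dynamic port updating switched off), together with the NAT-remap boundary case he accepts, as an added example in Python. This is a toy model written for this page, not code from the thread or from any IPsec implementation; the IKE port 4500, the post-remap port 51000, the SPI, the LB port list and the NAT (modelled as a set of inbound ports it will forward) are all constructed assumptions.

```python
"""Toy model of the responder port policy contrasted in the thread.

Added example, not code from the thread or from any IPsec implementation.
Port numbers, SPI and the NAT remap event are constructed sample values.
"""
from dataclasses import dataclass

IKE_PORT = 4500        # port the IKE exchange arrived from (constructed)
NEW_IKE_PORT = 51000   # port the NAT hands out after a timeout/reset (constructed)
SPI = 0x1234           # constructed inbound SPI


@dataclass
class PeerState:
    ike_port: int               # source port learned from the IKE exchange
    reply_port: int             # port the responder currently sends ESP-in-UDP to
    dynamic_port_update: bool   # True: follow the latest ESP-in-UDP source port


class Responder:
    def __init__(self):
        self.peers = {}

    def ike_received(self, spi, src_port, dynamic_port_update=True):
        """IKE packet from src_port: (re)learn the peer's port from IKE only."""
        st = self.peers.get(spi)
        if st is None:
            self.peers[spi] = PeerState(src_port, src_port, dynamic_port_update)
        else:
            st.ike_port = st.reply_port = src_port

    def esp_received(self, spi, src_port):
        """ESP-in-UDP packet from src_port; returns the port a reply would use."""
        st = self.peers[spi]
        if st.dynamic_port_update:
            # IKEv2 NAT-T dynamic address/port update (RFC 7296, Section 2.23)
            st.reply_port = src_port
        return st.reply_port


def simulate(dynamic_port_update, lb_ports, remap_at=None, ike_again_at=None):
    """Push a burst of load-balanced ESP-in-UDP packets through the responder.

    lb_ports:     source port of each packet (the initiator's LB entropy)
    remap_at:     packet index at which the initiator's NAT rebuilds the IKE mapping
    ike_again_at: packet index at which an IKE message (keepalive, rekey, ...)
                  arrives from the new mapping and lets the responder relearn it
    Returns (reply_ports, lost): the reply port chosen per packet and how many
    of those replies the initiator-side NAT would drop for lack of a mapping.
    """
    r = Responder()
    r.ike_received(SPI, IKE_PORT, dynamic_port_update)
    nat_mappings = {IKE_PORT}        # inbound ports the initiator's NAT forwards
    reply_ports, lost = [], 0
    for i, src in enumerate(lb_ports):
        if i == remap_at:
            nat_mappings.discard(IKE_PORT)   # old IKE mapping timed out / reset
            nat_mappings.add(NEW_IKE_PORT)   # IKE traffic now leaves via a new port
        if i == ike_again_at:
            r.ike_received(SPI, NEW_IKE_PORT)
        nat_mappings.add(src)            # outbound packet creates/refreshes a mapping
        rp = r.esp_received(SPI, src)
        reply_ports.append(rp)
        if rp not in nat_mappings:
            lost += 1
    return reply_ports, lost


if __name__ == "__main__":
    LB = [40001, 40002, 40003, 40001, 40004, 40002]   # constructed LB source ports
    print("dynamic on :", simulate(True, LB, remap_at=2))
    print("dynamic off:", simulate(False, LB))
    print("dynamic off, NAT remap at 2, IKE seen again at 4:",
          simulate(False, LB, remap_at=2, ike_again_at=4))
```

With dynamic updating on, the reply port flaps to whichever LB source port arrived last; with it off, every reply goes to the IKE-learned port, and the only loss is the window between the NAT rebuilding the IKE mapping and the next IKE message that lets the responder relearn it, which is the rare event Paul refers to.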
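Tero's point that one differing port is enough for load balancing on existing hardware, and Paul's agreement that LB only needs control of the source port to provide entropy, as an added example in Python that is not part of the thread or of any NIC or driver code. It computes the Toeplitz hash that RSS-capable NICs use and shows which receive queue ESP-in-UDP flows land on when they differ only in UDP source port. The 40-byte key and the two reference hashes are the published Microsoft RSS verification values; the addresses 10.0.0.1 and 10.0.0.2, the port list and the 8-queue indirection are constructed assumptions. It also shows the check a practitioner would want: if the NIC hashes IPv4 addresses only, the port entropy is invisible and every flow lands on the same queue.

```python
"""Toeplitz (RSS) hash spread for ESP-in-UDP flows differing only in source port.

Added example, not from the thread or from any NIC/driver code. Addresses and
port lists are constructed; the key and the two reference hashes are the
published Microsoft RSS verification values.
"""
import ipaddress

# Default 40-byte key from the Microsoft RSS verification suite.
RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b477cb2da38030f20c6a42b73bbeac01fa"
)


def toeplitz_hash(key: bytes, data: bytes) -> int:
    """Toeplitz hash: XOR in the 32-bit key window aligned at every set input bit."""
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    if len(data) * 8 + 31 > key_bits:
        raise ValueError("key too short for this input length")
    result = 0
    for pos in range(len(data) * 8):
        if data[pos // 8] & (0x80 >> (pos % 8)):
            result ^= (key_int >> (key_bits - 32 - pos)) & 0xFFFFFFFF
    return result


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def rss_input(src_ip, dst_ip, src_port=None, dst_port=None) -> bytes:
    """RSS input in spec order: src IP, dst IP, then src/dst port when the NIC
    is configured to hash the transport header as well."""
    data = ip4(src_ip) + ip4(dst_ip)
    if src_port is not None:
        data += src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big")
    return data


def queue_for(data: bytes, nqueues: int = 8) -> int:
    """Queue index: the low hash bits select the indirection-table slot
    (nqueues must be a power of two)."""
    return toeplitz_hash(RSS_KEY, data) & (nqueues - 1)


INITIATOR, RESPONDER, ESP_UDP_PORT = "10.0.0.1", "10.0.0.2", 4500  # constructed


def queues_hit(src_ports, hash_ports=True, nqueues=8):
    """Queue each ESP-in-UDP flow INITIATOR:p -> RESPONDER:4500 lands on."""
    out = {}
    for p in src_ports:
        if hash_ports:
            data = rss_input(INITIATOR, RESPONDER, p, ESP_UDP_PORT)
        else:
            data = rss_input(INITIATOR, RESPONDER)   # IPv4-only hashing
        out[p] = queue_for(data, nqueues)
    return out


def reference_vectors_ok() -> bool:
    """Microsoft verification vector: 66.9.149.187:2794 -> 161.142.100.80:1766
    hashes to 0x323e8fc2 (IPv4 only) and 0x51ccc178 (IPv4 with ports)."""
    ip_only = rss_input("66.9.149.187", "161.142.100.80")
    with_ports = rss_input("66.9.149.187", "161.142.100.80", 2794, 1766)
    return (toeplitz_hash(RSS_KEY, ip_only) == 0x323E8FC2
            and toeplitz_hash(RSS_KEY, with_ports) == 0x51CCC178)


if __name__ == "__main__":
    ports = list(range(40000, 40016))   # n LB source ports (constructed)
    print("reference vectors ok:", reference_vectors_ok())
    print("queues, ports hashed :", sorted(set(queues_hit(ports).values())))
    print("queues, IPv4 only    :", sorted(set(queues_hit(ports, False).values())))
```

The reference-vector check is what you would run first against any Toeplitz implementation; the two `queues_hit` results then show the dependency Tero's proposal has on the NIC actually hashing UDP ports, since with IPv4-only hashing every SA's traffic arrives on one queue regardless of how many source ports the initiator allocates.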