On Wed, Mar 31, 2021 at 23:38:01 +, Bottorff, Paul wrote:
> Hi Antony:
>
> Below,
>
> Cheers,
>
> Paul
>
>
>
> -Original Message-
> From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Antony Antony
> Sent: Wednesday, March 31, 2021 3:32 AM
> To: Bottorff, Paul ; IPsec
> Cc:
On Thu, 1 Apr 2021, Antony Antony wrote:
In my experience it would work well when there is no NAT. When there
is NAT the IKE and ESP in UDP should use the same ports, otherwise
IKE will get established and ESP packets could get dropped in one
direction. When there is NAT it would look more lik
Bottorff, Paul writes:
> The RFC3948 specifies one pair of UDP ports 4500-4500.
No it does not. It says you must use the same ports as you use for
IKE traffic.
> Both the IKE flow and the ESP in UDP flow should use the same UDP
> flow. The draft seems to suggest new destination port and source
Hi Nancy,
Regarding ISSUE 3, I have the impression that the concern is that AES-GCM,
Chacha20-Poly1305 or AES-CCM only send a 64-bit IV, which suggests that only
a 64-bit IV can be sent with ESP.
In fact, the IV is not a field in ESP but is defined for each suite; as a
result, ESP would be able to support
Hi Tero,
> For the load balancing I think it is enough for just one of the ports
> to be different, thus initiator could simply allocate n random source
> port numbers, and initiate IKE from each of them to responder, and
> then create SAs for each of them separately, thus allowing load
> balancin