Network Working Group                                              X. Xu
Internet-Draft                                              Alibaba, Inc
Intended status: Standards Track                                S. Hegde
Expires: July 23, 2020                                           Juniper
                                                                D. Zhang
                                                                  L. Xia
                                                                  Huawei
                                                        January 20, 2020


           Encapsulating IPsec ESP in UDP for Load-balancing
                   draft-xu-ipsecme-esp-in-udp-lb-03

Abstract

   IPsec Virtual Private Network (VPN) is widely used by enterprises to
   interconnect their geographically dispersed branch office locations
   across the Wide Area Network (WAN) or the Internet, especially in the
   Software-Defined WAN (SD-WAN) era.  In addition, IPsec is
   increasingly used by cloud providers to encrypt IP traffic traversing
   the data center interconnect WAN so as to meet security and
   compliance requirements, especially in financial cloud and
   governmental cloud environments.  To fully utilize the bandwidth
   available in the WAN or the Internet, load balancing of IPsec traffic
   over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Group (LAG)
   is very attractive to those enterprises and cloud providers.  This
   document defines a method to encapsulate IPsec Encapsulating Security
   Payload (ESP) packets over UDP tunnels for improving load-balancing
   of IPsec ESP traffic.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 23, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Terminology
   3.  Encapsulation in UDP
   4.  Processing Procedures
   5.  Congestion Considerations
   6.  Applicability Statements
   7.  Acknowledgements
   8.  IANA Considerations
   9.  Security Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   IPsec Virtual Private Network (VPN) is widely used by enterprises to
   interconnect their geographically dispersed branch office locations
   across the Wide Area Network (WAN) or the Internet, especially in the
   Software-Defined WAN (SD-WAN) era.
   In addition, IPsec is increasingly used by cloud providers to encrypt
   IP traffic traversing the data center interconnect WAN so as to meet
   security and compliance requirements, especially in financial cloud
   and governmental cloud environments.  To fully utilize the bandwidth
   available in the WAN or the Internet, load balancing of IPsec traffic
   over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Group (LAG)
   is very attractive to those enterprises and cloud providers.  Most
   existing core routers within the IP WAN or the Internet already
   support balancing IP traffic flows based on a hash of the five-tuple
   of UDP packets.  Encapsulating IPsec Encapsulating Security Payload
   (ESP) packets over UDP tunnels, with the UDP source port used as an
   entropy field, therefore enables those routers to load-balance IPsec
   ESP traffic efficiently without requiring any change to them.  This
   specification defines such a method of encapsulating IPsec ESP
   packets over UDP tunnels for improving load-balancing of IPsec ESP
   traffic.

   Encapsulating ESP in UDP, as defined in this document, can be used in
   both IPv4 and IPv6 networks.  The IPv6 flow label has been proposed
   as an entropy field for load balancing in IPv6 network environments
   [RFC6438].  However, as stated in [RFC6936], the end-to-end use of
   flow labels for load balancing is a long-term solution, and load
   balancing based on transport header fields will therefore continue
   until widespread deployment of the flow label is finally achieved.
   As such, ESP-in-UDP encapsulation still has practical application
   value in IPv6 networks during this transition timeframe.
   Note that the difference between the ESP-in-UDP encapsulation
   proposed in this document and the ESP-in-UDP encapsulation described
   in [RFC3948] is that the former uses the UDP tunnel to improve load-
   balancing, and therefore the source port is used as an entropy field,
   while the latter uses the UDP tunnel for NAT traversal, and therefore
   the source port is set to a constant value (i.e., 4500).  In
   addition, this document only discusses tunnel mode ESP encapsulation.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Terminology

   This memo makes use of the terms defined in [RFC2401] and [RFC2406].

3.  Encapsulation in UDP

   The ESP-in-UDP encapsulation format is shown as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Source Port = Entropy     |       Dest Port = TBD1        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          UDP Length           |         UDP Checksum          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                          ESP Packet                           ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                 Figure 1: ESP-in-UDP Encapsulation Format

   Source Port of UDP:

      This field contains a 16-bit entropy value that is generated by
      the encapsulator to uniquely identify a flow.  What constitutes
      a flow is locally determined by the encapsulator and therefore
      is outside the scope of this document.  The algorithm actually
      used by the encapsulator to generate an entropy value is likewise
      outside the scope of this document.
      In case the tunnel does not need entropy, this field of all
      packets belonging to a given flow SHOULD be set to a randomly
      selected constant value so as to avoid packet reordering.

      To ensure that the source port number is always in the range
      49152 to 65535 (note that ports below 49152 are reserved by IANA
      to identify specific applications/protocols), which may be
      required in some cases, the encapsulator SHOULD calculate a
      14-bit hash instead of a 16-bit hash, use those 14 bits as the
      least significant bits of the source port field, and set the two
      most significant bits to binary 11.  That still conveys 14 bits
      of entropy, which is enough in practice.

   Destination Port of UDP:

      This field is set to a value (TBD1) allocated by IANA to
      indicate that the UDP tunnel payload is an ESP packet.

   UDP Length:

      The usage of this field is in accordance with the current UDP
      specification [RFC0768].

   UDP Checksum:

      For IPv4 UDP encapsulation, this field is RECOMMENDED to be set
      to zero for performance or implementation reasons, because the
      IPv4 header includes a checksum and use of the UDP checksum is
      optional with IPv4.  For IPv6 UDP encapsulation, the IPv6
      header does not include a checksum, so this field MUST contain
      a UDP checksum that MUST be used as specified in [RFC0768] and
      [RFC2460], unless one of the exceptions that allow use of UDP
      zero-checksum mode (as specified in [RFC6935]) applies.

   ESP Packet:

      This field contains one ESP packet.

4.  Processing Procedures

   This ESP-in-UDP encapsulation causes ESP [RFC2406] packets to be
   forwarded across the IP WAN via "UDP tunnels".  When an IPsec VPN
   gateway performs ESP-in-UDP encapsulation, the ordinary ESP
   encapsulation procedure is performed first, and then a UDP header
   formatted as in Section 3 is inserted between the ESP header and
   the IP header.
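   The following Python code is an added worked example, not part of
   this draft or of any implementation of it.  It implements the
   Section 3 header format together with the encapsulation and
   decapsulation steps of this section: the source port is derived
   from a 14-bit hash with the two most significant bits set to 11 (or
   a random per-flow constant when no entropy is wanted), the UDP
   checksum is left at zero over IPv4 but computed and verified over
   IPv6, the receiver checks destination port, UDP Length and checksum
   before stripping the header, and inner_mtu() shows how much of the
   outer MTU the added headers consume.  The port value DST_PORT_TBD1,
   the SHA-256 flow hash, the flow key and the sample ESP bytes are all
   constructed assumptions; TBD1 has not been assigned by IANA.

```python
import hashlib
import random
import struct

# PLACEHOLDER for the draft's TBD1: IANA has not assigned an ESP-in-UDP port.
DST_PORT_TBD1 = 65000
UDP_HDR_LEN = 8
IPPROTO_UDP = 17


def entropy_port(flow_key: bytes) -> int:
    """Source port from a 14-bit hash of the encapsulator's flow key (assumed
    here to be the inner 5-tuple), top two bits forced to 0b11 so the value
    always lies in 49152..65535.  SHA-256 is an assumption; any stable hash works."""
    digest = hashlib.sha256(flow_key).digest()
    return 0xC000 | (int.from_bytes(digest[:2], "big") & 0x3FFF)

_constant_ports = {}

def constant_port(flow_key: bytes) -> int:
    """Tunnels that need no entropy: one random constant per flow, so a flow's
    packets all carry the same port and are not reordered by ECMP/LAG."""
    if flow_key not in _constant_ports:
        _constant_ports[flow_key] = random.randrange(49152, 65536)
    return _constant_ports[flow_key]

def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    """RFC 768 pseudo-header for 4-byte addresses, RFC 2460 form for 16-byte ones."""
    if len(src_ip) == 4:
        return src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    return src_ip + dst_ip + struct.pack("!IBBBB", udp_len, 0, 0, 0, IPPROTO_UDP)

def udp_checksum(src_ip: bytes, dst_ip: bytes, datagram: bytes) -> int:
    """Checksum of a datagram whose checksum field is zero; a computed 0 is sent as 0xFFFF."""
    total = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(datagram)) + datagram)
    return (0xFFFF & ~total) or 0xFFFF

def udp_checksum_ok(src_ip: bytes, dst_ip: bytes, datagram: bytes) -> bool:
    """Receiver check: the sum over pseudo-header and datagram, checksum included, is all ones."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(datagram)) + datagram) == 0xFFFF

def encapsulate(esp_packet: bytes, flow_key: bytes, src_ip: bytes, dst_ip: bytes,
                need_entropy: bool = True) -> bytes:
    """Encapsulator: prepend the ESP-in-UDP header to an already-built ESP packet."""
    sport = entropy_port(flow_key) if need_entropy else constant_port(flow_key)
    udp_len = UDP_HDR_LEN + len(esp_packet)
    datagram = struct.pack("!HHHH", sport, DST_PORT_TBD1, udp_len, 0) + esp_packet
    if len(src_ip) == 16:
        # The IPv6 outer header has no checksum, so the UDP checksum MUST be present.
        datagram = datagram[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, datagram)) + esp_packet
    # Over IPv4 the field stays zero, as the draft RECOMMENDS.
    return datagram

def decapsulate(datagram: bytes, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Receiver: validate the UDP header, strip it, and return the ESP packet for ordinary ESP processing."""
    if len(datagram) < UDP_HDR_LEN:
        raise ValueError("truncated UDP header")
    _sport, dport, udp_len, csum = struct.unpack("!HHHH", datagram[:UDP_HDR_LEN])
    if dport != DST_PORT_TBD1:
        raise ValueError("destination port is not the ESP-in-UDP port")
    if udp_len != len(datagram):
        raise ValueError("UDP Length does not match the received datagram")
    if len(src_ip) == 16 and csum == 0:
        raise ValueError("IPv6 ESP-in-UDP without a UDP checksum (RFC 6935 exceptions not implemented)")
    if csum and not udp_checksum_ok(src_ip, dst_ip, datagram):
        raise ValueError("bad UDP checksum")
    return datagram[UDP_HDR_LEN:]

def inner_mtu(outer_mtu: int, ipv6: bool) -> int:
    """Largest ESP packet that fits the outer MTU unfragmented (outer IP header + 8-byte UDP header)."""
    return outer_mtu - (40 if ipv6 else 20) - UDP_HDR_LEN

if __name__ == "__main__":
    # Constructed sample ESP packet: SPI, sequence number, 32 opaque bytes.
    esp = struct.pack("!II", 0x12345678, 1) + bytes(range(32))
    flow = b"10.1.0.5:443->10.2.0.9:51000/tcp"  # constructed flow key
    v4_src, v4_dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])
    v6_src = bytes.fromhex("20010db8" + "0" * 22 + "01")
    v6_dst = bytes.fromhex("20010db8" + "0" * 22 + "02")
    d4, d6 = encapsulate(esp, flow, v4_src, v4_dst), encapsulate(esp, flow, v6_src, v6_dst)
    print("IPv4: src port %d, checksum 0x%04x" % (int.from_bytes(d4[:2], "big"), int.from_bytes(d4[6:8], "big")))
    print("IPv6: src port %d, checksum 0x%04x" % (int.from_bytes(d6[:2], "big"), int.from_bytes(d6[6:8], "big")))
    assert decapsulate(d4, v4_src, v4_dst) == decapsulate(d6, v6_src, v6_dst) == esp
    print("inner MTU at outer MTU 1500: IPv4 %d, IPv6 %d" % (inner_mtu(1500, False), inner_mtu(1500, True)))
```

   Running the block prints the source port chosen for the constructed
   flow and the checksum for each address family.  The receiver side
   rejects a wrong destination port, a UDP Length that disagrees with
   the received size, a zero checksum over IPv6, and a checksum that
   fails verification; those are the checks a decapsulating gateway
   needs before the payload reaches ordinary ESP processing, which then
   provides the actual integrity protection.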
   The Source Port field of the UDP header is filled with an entropy
   value generated by the IPsec VPN gateway.  Upon receiving these UDP
   encapsulated packets, the remote IPsec VPN gateway MUST decapsulate
   them by removing the UDP header and then perform the ordinary ESP
   decapsulation procedure.

   Like all other IP-based tunneling technologies, ESP-in-UDP
   encapsulation introduces overhead and reduces the effective Maximum
   Transmission Unit (MTU) size.  ESP-in-UDP encapsulation may also
   impact Time-to-Live (TTL) or Hop Count (HC) and Differentiated
   Services (DSCP).  Hence, ESP-in-UDP MUST follow the corresponding
   procedures defined in [RFC2003].

   Encapsulators MUST NOT fragment ESP packets, and when the outer IP
   header is IPv4, encapsulators MUST set the DF bit in the outer IPv4
   header.  It is strongly RECOMMENDED that the IP transit core be
   configured to carry an MTU at least large enough to accommodate the
   added encapsulation headers.  Meanwhile, it is strongly RECOMMENDED
   that Path MTU Discovery [RFC1191] [RFC1981] or Packetization Layer
   Path MTU Discovery (PLPMTUD) [RFC4821] be used to prevent or minimize
   fragmentation.

5.  Congestion Considerations

   TBD.

6.  Applicability Statements

   TBD.

7.  Acknowledgements

8.  IANA Considerations

   One UDP destination port number indicating ESP needs to be allocated
   by IANA:

      Service Name: ESP-in-UDP
      Transport Protocol(s): UDP
      Assignee: IESG
      Contact: IETF Chair
      Description: Encapsulate ESP packets in UDP tunnels.
      Reference: This document.
      Port Number: TBD1 -- To be assigned by IANA.

9.  Security Considerations

   TBD.

10.  References

10.1.  Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC1191]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
              DOI 10.17487/RFC1191, November 1990.

   [RFC1981]  McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery
              for IP version 6", RFC 1981, DOI 10.17487/RFC1981,
              August 1996.

   [RFC2003]  Perkins, C., "IP Encapsulation within IP", RFC 2003,
              DOI 10.17487/RFC2003, October 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2401]  Kent, S. and R. Atkinson, "Security Architecture for the
              Internet Protocol", RFC 2401, DOI 10.17487/RFC2401,
              November 1998.

   [RFC2406]  Kent, S. and R. Atkinson, "IP Encapsulating Security
              Payload (ESP)", RFC 2406, DOI 10.17487/RFC2406,
              November 1998.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
              December 1998.

   [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU
              Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007.

   [RFC6438]  Carpenter, B. and S. Amante, "Using the IPv6 Flow Label
              for Equal Cost Multipath Routing and Link Aggregation in
              Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011.

   [RFC6935]  Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and
              UDP Checksums for Tunneled Packets", RFC 6935,
              DOI 10.17487/RFC6935, April 2013.

   [RFC6936]  Fairhurst, G. and M. Westerlund, "Applicability Statement
              for the Use of IPv6 UDP Datagrams with Zero Checksums",
              RFC 6936, DOI 10.17487/RFC6936, April 2013.

10.2.  Informative References

   [RFC3948]  Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
              Stenberg, "UDP Encapsulation of IPsec ESP Packets",
              RFC 3948, DOI 10.17487/RFC3948, January 2005.
Authors' Addresses

   Xiaohu Xu
   Alibaba, Inc

   Email: xiaohu.xxh@alibaba-inc.com


   Shraddha Hegde
   Juniper

   Email: shraddha@juniper.net


   Dacheng Zhang
   Huawei

   Email: dacheng.zhang@huawei.com


   Liang Xia
   Huawei

   Email: frank.xialiang@huawei.com