@@ -270,24 +270,6 @@ only be done if the upper level protocol provides this service. See
270270# The Session ID is a multi-purpose attribute with mutually
271271# exclusive values.
272272
273- ** UDP Encapsulation for EESP
274-
275- UDP encapsulation for EESP is largely similar to the ESP UDP
276- encapsulation specified in [[RFC3948]], with the primary difference
277- being the UDP source port used by the EESP Sub SA may be different
278- from IKE SA source port, as specified in [[RFC3947]], for more
279- flexible handling of EESP traffic, particularly ECMP support
280- along the path and in the NIC.
281-
282- A receiver indenting to support both ESP and EESP encapsulated in UDP
283- must be able to distinguish ESP and EESP incoming traffic that will
284- arrive at the same UDP port. To be able to handle this the SPIs
285- for the incoming ESP SAs MUST be choosen in such a way, that they
286- can be distinguished from the EESP base header. Since the
287- most significant bit of the EESP base header is fixed to be one, this
288- can be achieved if ESP SPIs are selected in such a way, that the most
289- significant bit of the ESP SPIs is always set to zero.
290-
291273# [VS] From my recollection of the discussion during the last call,
292274# [VS] we decided that Cryp Offset is carried in the EESP header and
293275# [VS] there is no need to negotiate it. Correct me if I'm wrong, for
@@ -300,37 +282,6 @@ significant bit of the ESP SPIs is always set to zero.
300282# same. USE_EESP_CRYPTOFFSET is not supported in Tunnel mode or BEET
301283# mode.
302284# Note STK: This needs discussion
303- # #
304- # ~NOTE~ Add EESP draft UDP section reference.
305-
306- *** UDP Encapsulation of Sub SAs
307-
308- An EESP SA primarily uses UDP encapsulation to facilitate NAT
309- traversal. However, an additional use case for UDP encapsulation is
310- to introduce source port entropy, which supports ECMP or/and
311- RSS (Receive Side Scaling) mechanisms. In such scenarios, the
312- initiator MAY also use a distinct, ephemeral source port for
313- Sub SA IDs greater than zero.
314- # Both peers MAY independently select
315- # different source ports for the same Sub SA ID.
316-
317- It is important to note that IKE messages MUST NOT utilize these
318- ephemeral source ports. Instead, IKE traffic should be confined to
319- the source and destination ports to ensure proper protocol operation
320- and maintain compatibility with existing implementations.
321-
322- When using ephemeral source ports, the receiver can only set the
323- source port upon arrival of an EESP packet with that Sub SA ID. If
324- the receiver is pre-populating a Sub SA, it may have to install it
325- with a source port set to zero and, upon arrival of a packet,
326- update the source port using a mapping change.
327-
328- Additionally, when multiple Sub SAs exist, the receiver SHOULD
329- maintain a mapping table to track the source port associated with
330- each Sub SA independently. This ensures that traffic is correctly
331- routed and prevents ambiguity in handling packets associated with
332- different Sub SAs when a NAT is present.
333-
334285
335286* EESP SA Negotiation in IKEv2
336287
832783** RFC5840
833784** RFC4303
834785** RFC7296
835- ** RFC3948
836786** RFC4301
837787** RFC8126
838788** I-D.klassert-ipsecme-eesp
844794** RFC2119
845795** RFC9347
846796** RFC9611
847- ** RFC3947
848797** RFC2992
849798** RFC7942
850799** RFC8750
0 commit comments