Security Parameter Index (SPI) Load Balancing

SPI load balancing provides a mechanism to improve the hashing performance of IPSec encrypted traffic. IPSec-tunneled traffic transported over a LAG typically relies on IP header hashing only. For example, in LTE deployments, TEID hashing cannot be performed because of encryption, and the system performs IP-only tunnel-level hashing. Because each SPI in the IPSec header identifies a unique SA, and therefore a unique flow, these flows can be hashed individually without impacting packet ordering. In this way,

The 7705 SAR allows SPI hashing to be enabled per Layer 3 interface (the incoming interface, for hashing on system egress) or per Layer 2 VPLS service. When SPI hashing is enabled, the SPI value from the ESP/AH header is used in addition to any other IP hash inputs determined by the per-flow hash configuration: source/destination IPv4/IPv6 addresses, and Layer 4 source/destination ports in case NAT traversal is required and Layer 4 load balancing is enabled. If the ESP/AH header is not present in a packet received on a given interface, the SPI is not part of the hash inputs and the packet is hashed according to the other hashing configuration. SPI hashing is not used for fragmented traffic, which ensures that the first and subsequent fragments use the same hash inputs.

SPI hashing is supported for IPv4 and IPv6 tunnel unicast traffic.
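
The hash-input selection described above, as an added sketch that is not the 7705 SAR implementation: CRC32 modulo the link count stands in for the platform hash, and `build_ipv4`, `hash_inputs`, `pick_link` and `esp` are hypothetical names. It assumes IPv4 with native ESP/AH directly after the IP header (no UDP encapsulation), and all sample packets are constructed.

```python
import socket, struct, zlib

ESP, AH = 50, 51  # IP protocol numbers

def build_ipv4(src, dst, proto, payload, frag_field=0):
    """Constructed sample packet: 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                       frag_field, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def hash_inputs(pkt, spi_hashing=True):
    """Return the bytes fed to the LAG hash for one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    frag = struct.unpack("!H", pkt[6:8])[0]
    fragmented = bool(frag & 0x2000) or bool(frag & 0x1FFF)  # MF set or offset != 0
    inputs = pkt[12:20]                       # source + destination address
    if not spi_hashing or fragmented:
        return inputs                         # fragments never use the SPI
    proto, l3_payload = pkt[9], pkt[ihl:]
    if proto == ESP and len(l3_payload) >= 4:
        inputs += l3_payload[0:4]             # ESP: SPI is the first 32 bits
    elif proto == AH and len(l3_payload) >= 8:
        inputs += l3_payload[4:8]             # AH: SPI follows 4 bytes of header
    return inputs                             # no ESP/AH header: IP-only hash

def pick_link(pkt, n_links, spi_hashing=True):
    """Assumption: CRC32 modulo link count stands in for the platform hash."""
    return zlib.crc32(hash_inputs(pkt, spi_hashing)) % n_links

def esp(spi, seq=1):
    """Constructed ESP payload: SPI, sequence number, dummy ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16

if __name__ == "__main__":
    gw_a, gw_b = "192.0.2.1", "198.51.100.1"  # documentation addresses
    for spi in (0x1001, 0x1002, 0x1003, 0x1004):
        pkt = build_ipv4(gw_a, gw_b, ESP, esp(spi))
        print(hex(spi), "ip-only ->", pick_link(pkt, 4, False),
              "| with SPI ->", pick_link(pkt, 4, True))
```

With SPI hashing off, every SA between the same two gateways produces identical hash inputs and lands on one LAG member; with it on, each SA contributes its own SPI, while fragments and non-IPSec packets fall back to the IP-only inputs.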