IETF Logo Mail Archive

Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?

Robert Raszuk <robert@raszuk.net> Tue, 05 November 2019 21:15 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D10FC12095B for <bess@ietfa.amsl.com>; Tue, 5 Nov 2019 13:15:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.298
X-Spam-Level:
X-Spam-Status: No, score=-1.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_SBL=0.5, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mr30Up6Q0iEa for <bess@ietfa.amsl.com>; Tue, 5 Nov 2019 13:15:25 -0800 (PST)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD8E5120B7E for <bess@ietf.org>; Tue, 5 Nov 2019 13:15:24 -0800 (PST)
Received: by mail-qk1-x731.google.com with SMTP id 15so22598361qkh.6 for <bess@ietf.org>; Tue, 05 Nov 2019 13:15:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lwv4x3Mq+l2b1ulkKTsmnVOUedcdh8ZYf62DEEkAUiI=; b=AX03GUATCRFvsDWUoqu3TiX0euZ5daoLGaIEPmdIjad36GqpwXpQbdn3sOPeaJXeDb sbknQpyLozneLBGlyrEsk82iE514+7Lhc2OXIAkx9aCdJoeZ/EmFlmO9UyQBY/lgeOS3 ZcDoai9Nfsaa5KznKuzBk7zSQmGvwRZbR1sJ0yyngqz6dS57QRchDNCe+Ez6j6xgScbj N6KGqZlEbqGj88ZxVCcmKcDumoMySfYwzvPDRkJXNVDwWpMbEajA1XRWe2ELOsFoK7RR MD67p/HX3KJlnHtsHttN0iWnRJkNsKbnmK7V03YIMrgYEBAlB2XmwgMMbwvlf5by0th4 VcVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lwv4x3Mq+l2b1ulkKTsmnVOUedcdh8ZYf62DEEkAUiI=; b=JX45s7Q9FZAPXVUQeVaaJ9aL1ShQKqvb2butATEvhoFV+6mVrgb7QN5PxwPr73LI2z aLf9qr0ydc3cJcLPsCe8W9qmYtCPFJGGPRRFpv4STN0n//SFQQQfoZlhRuOEfbn5H8dg cvpRpy5zAof2pxQvYpY/ehMa2LbVNHxj+S+xH9HcYlMI7CUl5nu6gHznWhGfu//DhRGd xnbygmx5Va0DZQ34zwoQuEbaQNJJyMnDu6eloRt9YYRexR5V32bIPP6mfmGZ677w0uSS i9s+bHtUNHGhWtFBfxFIgHxa5RZ1CvkNAzUcnxlrzd+mVlVObUI8REb7+gznudgVkoDj IIRg==
X-Gm-Message-State: APjAAAVwKJ/2gJORZsEBbim20NAYT68dqPEyew/UW5aR7Sw6zew5Kev2 icAqsSqZkN5PSuJKLC4P1HCVZXpzOaJJK2+jxho3Ng==
X-Google-Smtp-Source: APXvYqwFYIXWQii/YTwoGexLF5L17r/I6fZYj/QynhUPWhEr0Jsv5MK6exTBtQguqQhuWu5RV7iimqzg16Tx1j8m5vs=
X-Received: by 2002:a37:9d44:: with SMTP id g65mr28362090qke.302.1572988523675; Tue, 05 Nov 2019 13:15:23 -0800 (PST)
MIME-Version: 1.0
References: <BN8PR13MB262842C35C9955B8B45FAF08A97F0@BN8PR13MB2628.namprd13.prod.outlook.com> <CAOj+MMFqQNt4g4g+x3K6fn9X0ruOirFGKcXMPcpAUxm7xvHFSw@mail.gmail.com> <BN8PR13MB262822A6F3231D44628ED474A97E0@BN8PR13MB2628.namprd13.prod.outlook.com>
In-Reply-To: <BN8PR13MB262822A6F3231D44628ED474A97E0@BN8PR13MB2628.namprd13.prod.outlook.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Tue, 05 Nov 2019 22:15:14 +0100
Message-ID: <CAOj+MMHfjEsieECKHV9kTHKTYVMrK4dqecu3-SkzEU39HrzHFg@mail.gmail.com>
To: Linda Dunbar <ldunbar@futurewei.com>
Cc: "bess@ietf.org" <bess@ietf.org>
Content-Type: multipart/related; boundary="000000000000311f5d05969feead"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/5YNex33qJaG2rzdcwbfd11pX6ew>
Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 21:15:28 -0000

Linda,

The key message here is that in properly designed SDWAN your limit is
capped by volume of data traffic required to be encrypted and supported by
your platform. Number of overlay adjacencies does not matter.

It does not matter since the size of your FIB has orders of magnitude more
capacity then any single SDWAN number of endpoints.

Best,
R,

On Tue, Nov 5, 2019 at 9:20 PM Linda Dunbar <ldunbar@futurewei.com> wrote:

> Robert,
>
>
>
> You said “It has been deployed and is fully operating with no concern of
> scalability for number of years at least from one vendor I am aware of.”
>
>
>
> How many nodes of this deployment?
>
>
>
> As you described: just two nodes might need 18 IPsec tunnels. How about
> 100 node SDWAN network? 100*99 * 18?
>
>
>
> “So number of overlay pipes to be created in corresponding SDWAN data
> planes is 9 in each direction just over those *two* end points. 18 if you
> consider bidirectional traffic”
>
>
>
> Linda
>
>
>
> *From:* Robert Raszuk <robert@raszuk.net>
> *Sent:* Monday, November 04, 2019 6:54 PM
> *To:* Linda Dunbar <ldunbar@futurewei.com>
> *Cc:* bess@ietf.org
> *Subject:* Re: [bess] Any protocols suitable for Application Flow Based
> Segmentation in draft-bess-bgp-sdwan-usage-3?
>
>
>
> Hi Linda,
>
>
>
> > Overlay, the multipoint to multipoint WAN is an overlay network. If
> using IPsec
>
> > Point to Point tunnel, there would be N*(N-1) tunnels, which is too many
> to many.
>
>
>
> Please observe that any to any encapsulated paths setup in good SDWAN is
> day one requirement. And that is not only any src/dst to any src/dst. It is
> actually from any source interface over any available underlay to any
> available remote interface of the destination.
>
>
>
> Imagine if you have two end points each with three interfaces to the
> underlay. So number of overlay pipes to be created in corresponding
> SDWAN data planes is 9 in each direction just over those *two* end points.
> 18 if you consider bidirectional traffic.
>
>
>
> Good SDWAN can build such state and not only that .. it can also run in
> continued fashion SLA probes over all possible paths between given src and
> destination. When data is sent over selected per application path it is
> then encrypted. It can even do much more ... it can perform
> SDWAN-TE treating some endpoints as transits :).
>
>
>
> It has been deployed and is fully operating with no concern of scalability
> for number of years at least from one vendor I am aware of. So I question
> your observation and do believe that adding vrf based routing over well
> designed and correctly written SDWAN is of any scalability concern. As a
> matter of fact the implementation I am familiar with also has built in
> concept of VRFs too.
>
>
>
> No it is not trivial - but clearly possible.
>
>
>
> Best,
>
> Robert.
>
>
>
>
>
> On Mon, Nov 4, 2019 at 11:39 PM Linda Dunbar <ldunbar@futurewei.com>
> wrote:
>
> In MEF SD-WAN Service Specification WG, there has been a lot of discussion
> on Application Flow Based Segmentation.
>
> Application Flow based Segmentation refers to separating traffic based on
> business and security needs, e.g. having different topology for different
> traffic types or users/apps.
>
> For example, retail business requires traffic from payment applications in
> all branches only go to the Payment Gateway in its HQ Data Centers, whereas
> other applications can be multi-point (in Cloud DC too).
>
> Segmentation is a feature that can be provided or enabled for a single
> SDWAN service (or domain). Each Segment can have its own policy and
> topology.
>
> In the figure below, the traffic from the Payment application (Red Dotted
> line) is along the Tree topology, whereas other traffic can be multipoint
> to multi point topology as in VRF.
>
>
>
>
>
>
>
> Segmentation is analogous to VLAN (in L2 network) and VRF (in L3 network).
> But unlike VRF where all the intermediate nodes can forward per VRF, in
> SDWAN Overlay, the multipoint to multipoint WAN is an overlay network. If
> using IPsec Point to Point tunnel, there would be N*(N-1) tunnels, which is
> too many to many.
>
>
>
> Does anyone know an existing protocol that can handle the above scenario
> described in
> https://datatracker.ietf.org/doc/draft-dunbar-bess-bgp-sdwan-usage/
> <https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dunbar-bess-bgp-sdwan-usage%2F&data=02%7C01%7Cldunbar%40futurewei.com%7C3b3333f3d3284c07ad6908d7618aa34a%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637085120416218921&sdata=deTxi%2FNkX678x8qEX4hCipAcf%2ByosvtUu%2Fu2iA5aFRA%3D&reserved=0>
>
>
>
>
>
> Thank you very much.
>
>
>
> Linda Dunbar
>
>
>
>
>
>
>
> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess
> <https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fbess&data=02%7C01%7Cldunbar%40futurewei.com%7C3b3333f3d3284c07ad6908d7618aa34a%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637085120416228917&sdata=ELZ8iXkQd2Jocc4wVYZ6ps%2FAbBLIjeneD5vmLf%2FRdxk%3D&reserved=0>
>
>

v2.23.0 | Report a Bug | By Email