IETF Logo Mail Archive

Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?

Linda Dunbar <ldunbar@futurewei.com> Tue, 05 November 2019 23:50 UTC

Return-Path: <ldunbar@futurewei.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5E8712013D for <bess@ietfa.amsl.com>; Tue, 5 Nov 2019 15:50:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gj7kSORr84Vw for <bess@ietfa.amsl.com>; Tue, 5 Nov 2019 15:50:56 -0800 (PST)
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (mail-eopbgr720123.outbound.protection.outlook.com [40.107.72.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B019F120121 for <bess@ietf.org>; Tue, 5 Nov 2019 15:50:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Crvkzb18t9E9QN/fvbfEL0d5x83i2fHIUg51d5dDrj8UQxIv9O/dYBk18MhSyM98xjc7YdVl27bpDYowhVNVbQdPAdXD61YoqyRPw15o82GOPvw5FwtbYbmjKB4712ayATzrDJAkrF6SA7DTHSUGXMHxfAQpjRy7GZn+v/VLjT0KvPAM9MkrEK4XeU5iX8MLBLWds2Z8GlF7ZphKBQbRhGNX0DMwLevbFo/zv6Gf166dGecFa+NW1hSArV2XjrNv388FnJRaIxQPDoOoJ+jtz6Y9QCqKJINvGN2ibhVKDfhh/yIautMT2tHCA7vHz6IKK12PMu7wxjFlnX7XX0Ni4A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jAxMWewtO1mCLlp4aOrpEVrMnqJjGvDaBhFJ+fuB0FE=; b=fhENf45q3cQt5TxaRCAFbPtl0h47WNE0PgjoWVm5zzItcQCuAE+5vT/BDQSlpYZUafgkNbDw3KzJ1KCdUaoxveA0T0GCE9dwC6d0foM+/4N3v+9pNS8CuGplgtdqEg/JbQBa6S0WQKjTLnZHzqyr61GM2pQSzBkQQSd2ai22paYcQi/hdkLl6S+0zVB6Z5x/TC1NVnbFf1ISh8QSRtaZPqLGrHkJW+21BUhlNnef/BQL8nT+pAAKev9NCaosu4U9Qd/136S+BUaSoySqGBcSBZImR63trICSjSbaENA3rNA9On4NM1iBBewBsYgvE3pQbxzVicf8LVSupL43L4jLgw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jAxMWewtO1mCLlp4aOrpEVrMnqJjGvDaBhFJ+fuB0FE=; b=P5ImPx0nErypoiVTE2cFvpf5biMDMkCXwrad+BUDECK2xuZiJGUsMvvUuyLNZTCrvA3/YfU1ipX7+3kS3JXtBpuR8jeoK6z7S1k02KuwHcFj1jFoO5+mNV11c7tFFA18SEa7RPtO/nX7E1d4rCyhNhHN7ug+t+GtSl+5BpGwuVE=
Received: from BN8PR13MB2628.namprd13.prod.outlook.com (20.178.219.10) by BN8PR13MB2852.namprd13.prod.outlook.com (20.178.221.213) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2430.13; Tue, 5 Nov 2019 23:50:51 +0000
Received: from BN8PR13MB2628.namprd13.prod.outlook.com ([fe80::cdcb:582a:8e76:9c17]) by BN8PR13MB2628.namprd13.prod.outlook.com ([fe80::cdcb:582a:8e76:9c17%3]) with mapi id 15.20.2430.014; Tue, 5 Nov 2019 23:50:51 +0000
From: Linda Dunbar <ldunbar@futurewei.com>
To: Robert Raszuk <robert@raszuk.net>
CC: "bess@ietf.org" <bess@ietf.org>
Thread-Topic: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?
Thread-Index: AdWTYJxA+BN8rE5sRpa1mjWPE2RXqgAEt16AACid20AAAgsOAAABv9iAAAKo7IAAAMN/AA==
Date: Tue, 05 Nov 2019 23:50:51 +0000
Message-ID: <BN8PR13MB262898DC4C28AB4FF0CC2B26A97E0@BN8PR13MB2628.namprd13.prod.outlook.com>
References: <BN8PR13MB262842C35C9955B8B45FAF08A97F0@BN8PR13MB2628.namprd13.prod.outlook.com> <CAOj+MMFqQNt4g4g+x3K6fn9X0ruOirFGKcXMPcpAUxm7xvHFSw@mail.gmail.com> <BN8PR13MB262822A6F3231D44628ED474A97E0@BN8PR13MB2628.namprd13.prod.outlook.com> <CAOj+MMHfjEsieECKHV9kTHKTYVMrK4dqecu3-SkzEU39HrzHFg@mail.gmail.com> <BN8PR13MB26284A0D4C3566BFDE147723A97E0@BN8PR13MB2628.namprd13.prod.outlook.com> <CAOj+MMEk9bM1UB114j3=zpZpaB+U5sEpe_SmjZr6RMBZZ=FgqQ@mail.gmail.com>
In-Reply-To: <CAOj+MMEk9bM1UB114j3=zpZpaB+U5sEpe_SmjZr6RMBZZ=FgqQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ldunbar@futurewei.com;
x-originating-ip: [12.111.81.95]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9635f108-fef4-4a8e-5c89-08d7624afd95
x-ms-traffictypediagnostic: BN8PR13MB2852:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BN8PR13MB2852EE9CA3F5F8E26BD23C6AA97E0@BN8PR13MB2852.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0212BDE3BE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(396003)(39850400004)(376002)(136003)(366004)(346002)(189003)(199004)(71190400001)(25786009)(5660300002)(229853002)(5070765005)(186003)(6916009)(74316002)(486006)(14454004)(26005)(446003)(236005)(66066001)(8936002)(86362001)(99936001)(64756008)(478600001)(66446008)(66576008)(66476007)(33656002)(6306002)(476003)(66556008)(55016002)(54896002)(966005)(14444005)(256004)(6436002)(11346002)(9686003)(71200400001)(733005)(4326008)(2906002)(76176011)(66946007)(102836004)(7696005)(76116006)(7736002)(3846002)(6116002)(790700001)(8676002)(81156014)(81166006)(6506007)(52536014)(99286004)(53546011)(6246003)(316002)(606006); DIR:OUT; SFP:1102; SCL:1; SRVR:BN8PR13MB2852; H:BN8PR13MB2628.namprd13.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: futurewei.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: GGHoYEgH62rcK4NVxWxibEkfYxw0xPp8v1T6om7ccpvM5kM7GgDqWKdL+ZiWlPJTqNAM1C9GQWS+ZBC2oHu0zK+IxySvUhg+Z4sf2BI+V+Mg67ViGAJztb5p5HZol0LN9AUGQM+H9AcvCZ2223DG1aTiG+UIv9mTcGS5SqBfNnvuff9fBJOjUo2pPNzOv/K/RzG96gdZ1WUXUd1ONseE9c8hrRMylzH3k8B8U5+a1gS6Rqw9IMyFUFKHgEmgmHNvm+RylaYeMDgqOJu/uKSErCjczx/eTb9K6zeYrr3wZJw/n76GPOSTTP2EnDVoi9k0Gm/ZCvD94dy6msxgAzHplQ0H9/9f17jMgHp0iPmsECztoQElFuOyb3JAI7JSwOAxsFeo8bYq9zfC0aQjRkIGreawDiA8nXJ8JTvkqn1+0A2oiZAfNjaHvBbr9MOiOJCk8Gn3CriaR44IsFDbm+rvkAV0U5Z2NfHyafme3XvbKO0=
x-ms-exchange-transport-forked: True
Content-Type: multipart/related; boundary="_005_BN8PR13MB262898DC4C28AB4FF0CC2B26A97E0BN8PR13MB2628namp_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9635f108-fef4-4a8e-5c89-08d7624afd95
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Nov 2019 23:50:51.5222 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dqf7kJXpVJqn1qZc4JdjezDquw5a9jsZ+Ok3hq0eVKiI8S45I9xnBid2fuvMS/o/GOxllujZa3N7/f/L5+lTzg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR13MB2852
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/LH6PBEnGO1JgLxOAMB-LSiFw6a4>
Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 23:51:00 -0000

Robert,

Without getting into any implementation, are there any terrible problems of allowing IPsec tunnel as transport segment and each edge node forward packets destined to other nodes, as done by VRF. What issues do you see? (other than it is not IPsec tunnel per client interface/group)?

[cid:image002.png@01D59401.8E927A20]

Thanks, Linda

From: Robert Raszuk <robert@raszuk.net>
Sent: Tuesday, November 05, 2019 5:21 PM
To: Linda Dunbar <ldunbar@futurewei.com>
Cc: bess@ietf.org
Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?

> it is tremendous amount of work.

Well I am afraid this is entering implementation space and not subject to any further debate on or off the list. Only note that IPSec is not the only payload encryption option at your disposal for quality SDWANs.

On Tue, Nov 5, 2019 at 11:07 PM Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>> wrote:
Robert,

It is not the FIB size, but the number of IPsec SA maintenance required at each edge node that makes it difficult to scale more than 100 nodes.
Each IPsec SA requires periodical key refreshment. For one node maintaining X number of IPsec SA, it is tremendous amount of work.

Linda

From: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Sent: Tuesday, November 05, 2019 3:15 PM
To: Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>>
Cc: bess@ietf.org<mailto:bess@ietf.org>
Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?

Linda,

The key message here is that in properly designed SDWAN your limit is capped by volume of data traffic required to be encrypted and supported by your platform. Number of overlay adjacencies does not matter.

It does not matter since the size of your FIB has orders of magnitude more capacity then any single SDWAN number of endpoints.

Best,
R,

On Tue, Nov 5, 2019 at 9:20 PM Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>> wrote:
Robert,

You said “It has been deployed and is fully operating with no concern of scalability for number of years at least from one vendor I am aware of.”

How many nodes of this deployment?

As you described: just two nodes might need 18 IPsec tunnels. How about 100 node SDWAN network? 100*99 * 18?

“So number of overlay pipes to be created in corresponding SDWAN data planes is 9 in each direction just over those *two* end points. 18 if you consider bidirectional traffic”

Linda

From: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Sent: Monday, November 04, 2019 6:54 PM
To: Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>>
Cc: bess@ietf.org<mailto:bess@ietf.org>
Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?

Hi Linda,

> Overlay, the multipoint to multipoint WAN is an overlay network. If using IPsec
> Point to Point tunnel, there would be N*(N-1) tunnels, which is too many to many.

Please observe that any to any encapsulated paths setup in good SDWAN is day one requirement. And that is not only any src/dst to any src/dst. It is actually from any source interface over any available underlay to any available remote interface of the destination.

Imagine if you have two end points each with three interfaces to the underlay. So number of overlay pipes to be created in corresponding SDWAN data planes is 9 in each direction just over those *two* end points. 18 if you consider bidirectional traffic.

Good SDWAN can build such state and not only that .. it can also run in continued fashion SLA probes over all possible paths between given src and destination. When data is sent over selected per application path it is then encrypted. It can even do much more ... it can perform SDWAN-TE treating some endpoints as transits :).

It has been deployed and is fully operating with no concern of scalability for number of years at least from one vendor I am aware of. So I question your observation and do believe that adding vrf based routing over well designed and correctly written SDWAN is of any scalability concern. As a matter of fact the implementation I am familiar with also has built in concept of VRFs too.

No it is not trivial - but clearly possible.

Best,
Robert.


On Mon, Nov 4, 2019 at 11:39 PM Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>> wrote:
In MEF SD-WAN Service Specification WG, there has been a lot of discussion on Application Flow Based Segmentation.
Application Flow based Segmentation refers to separating traffic based on business and security needs, e.g. having different topology for different traffic types or users/apps.
For example, retail business requires traffic from payment applications in all branches only go to the Payment Gateway in its HQ Data Centers, whereas other applications can be multi-point (in Cloud DC too).
Segmentation is a feature that can be provided or enabled for a single SDWAN service (or domain). Each Segment can have its own policy and topology.
In the figure below, the traffic from the Payment application (Red Dotted line) is along the Tree topology, whereas other traffic can be multipoint to multi point topology as in VRF.

[cid:image001.jpg@01D59400.F013ADB0]


Segmentation is analogous to VLAN (in L2 network) and VRF (in L3 network). But unlike VRF where all the intermediate nodes can forward per VRF, in SDWAN Overlay, the multipoint to multipoint WAN is an overlay network. If using IPsec Point to Point tunnel, there would be N*(N-1) tunnels, which is too many to many.

Does anyone know an existing protocol that can handle the above scenario described in https://datatracker.ietf.org/doc/draft-dunbar-bess-bgp-sdwan-usage/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dunbar-bess-bgp-sdwan-usage%2F&data=02%7C01%7Cldunbar%40futurewei.com%7C1a8c6ef5c497471433d108d76246e99d%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637085929036137526&sdata=yNCeZ6BHR%2BDhlG18PQdjuABUeTzmjdpjDXbQpUYF8jE%3D&reserved=0>


Thank you very much.

Linda Dunbar



_______________________________________________
BESS mailing list
BESS@ietf.org<mailto:BESS@ietf.org>
https://www.ietf.org/mailman/listinfo/bess<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fbess&data=02%7C01%7Cldunbar%40futurewei.com%7C1a8c6ef5c497471433d108d76246e99d%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637085929036137526&sdata=0kqN0jefS4%2FftqPrRmmSZDwl6LFYVOPQrTAmsMPEuJ8%3D&reserved=0>

v2.23.0 | Report a Bug | By Email