IETF Logo Mail Archive

Re: [bess] solicit feedback on draft-dunbar-bess-bgp-sdwan-usage description of using BGP UPDATE messages to achieve SD-WAN Application Based Segmentation

Linda Dunbar <linda.dunbar@futurewei.com> Mon, 03 February 2020 15:40 UTC

Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E91B1209A4; Mon, 3 Feb 2020 07:40:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x_lwRDWgBv4Q; Mon, 3 Feb 2020 07:40:00 -0800 (PST)
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11on2130.outbound.protection.outlook.com [40.107.236.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EEB51209A5; Mon, 3 Feb 2020 07:40:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=e/urmg6pMazY6qv5tehXH1xTEPTjx2oCVC/wk7ceTxiRRE0H0ZmCGKq9xaDK2PZjT/7odEIbk43QmpbrdzmSmIFtn0Q1V5i7zwf0fKsDOioeAIrIu/HmdCGD6dkgc1esgqz7r3gj8Svekfoblr+Y7BCpCHpe00AGdbfH+coY3HXvuMfi1vy/QvwnV6vIoR0SURIdjpy4Z/inXT03mA3WMD3HTn+B14amzMFSFQbo7ssh6Fye5N6Hao5PwToIBFycujMnZnAUAFmI/j6zbMiOr94Fj17E0WKLAFpJispsPNLLsb6ym5ZXrpRtZkKwUwWhHwU0dnBI9jx+VbxYjgE1Mw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lEGNwTrbi9p+LKgg1lBCIxZ78vwa54we8e8g8LI1EM8=; b=mh+6yU2lWlfiHS0E9T6PwPT92EzckNMzuzV4rzO0T36jEaHrvNKFDEzfIgKBaTbmVk999YaGXpvcp6ePKSdLwYmENd4k6poFEexiIWdRkTDb94xMj09phELFU11bok/YLISbhIv2XWufzt+Vzvc2loHEQnLhdNKTE/qFgqpW3EMMWHMhHCKHg7XXNjmsw0zw7LlYK4U3hfQKbJdjpUh7lJpjP4joLakt6qT5spZyZ+sEr3lfHg+bNP+0E5xp42SUDoCQFG+2K2RSCo9QcjqteWxd19ImI8uqRk8Rg02d/S1+lG+BQKIaZozdFK+fiHMlZeq9vXqDXX49jnpoLwB7Fw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lEGNwTrbi9p+LKgg1lBCIxZ78vwa54we8e8g8LI1EM8=; b=paI/eCkj9nyYDaOBNRqMsheXTvP5rBUAYZwRPgym3jlZVDhlArMiC9WJwxNaD1BU8uQQ3z7jkYcELt/mpJQoqTvbrFMiziYlf3Hw8V4F2eO85B9AjEThhzVLz+AEtBXAD5ndKt0UKXwNGEEQafgLryD4NLCYGtqJk51ff/vnV+M=
Received: from MWHPR1301MB2096.namprd13.prod.outlook.com (10.174.170.35) by MWHPR1301MB2141.namprd13.prod.outlook.com (10.174.168.34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2707.16; Mon, 3 Feb 2020 15:39:56 +0000
Received: from MWHPR1301MB2096.namprd13.prod.outlook.com ([fe80::e893:a912:1d3a:5a33]) by MWHPR1301MB2096.namprd13.prod.outlook.com ([fe80::e893:a912:1d3a:5a33%6]) with mapi id 15.20.2707.018; Mon, 3 Feb 2020 15:39:56 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: "Najem, Basil" <basil.najem@bell.ca>, "bess@ietf.org" <bess@ietf.org>
CC: "draft-dunbar-bess-bgp-sdwan-usage@ietf.org" <draft-dunbar-bess-bgp-sdwan-usage@ietf.org>
Thread-Topic: solicit feedback on draft-dunbar-bess-bgp-sdwan-usage description of using BGP UPDATE messages to achieve SD-WAN Application Based Segmentation
Thread-Index: AdXYg+Zzlmc8RhWQTG6sFC31Aq4TmgBmrC+QACGSasA=
Date: Mon, 03 Feb 2020 15:39:56 +0000
Message-ID: <MWHPR1301MB2096C1D997F546148489927A85000@MWHPR1301MB2096.namprd13.prod.outlook.com>
References: <MWHPR1301MB2096BC7F3A028A3C11595F7185070@MWHPR1301MB2096.namprd13.prod.outlook.com> <a276a9e890824d6883bbf3036c1a4393@DG4MBX02-WYN.bell.corp.bce.ca>
In-Reply-To: <a276a9e890824d6883bbf3036c1a4393@DG4MBX02-WYN.bell.corp.bce.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=linda.dunbar@futurewei.com;
x-originating-ip: [72.180.73.64]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 160f4173-d764-416c-0484-08d7a8bf5209
x-ms-traffictypediagnostic: MWHPR1301MB2141:
x-microsoft-antispam-prvs: <MWHPR1301MB2141081842B79042247B147385000@MWHPR1301MB2141.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0302D4F392
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(396003)(39830400003)(366004)(346002)(376002)(136003)(199004)(189003)(33656002)(966005)(55016002)(52536014)(66556008)(64756008)(66446008)(66576008)(66476007)(66946007)(5660300002)(71200400001)(316002)(110136005)(81156014)(81166006)(8936002)(44832011)(8676002)(4326008)(9686003)(478600001)(76116006)(53546011)(6506007)(2906002)(186003)(15650500001)(4743002)(7696005)(86362001)(66574012)(26005); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR1301MB2141; H:MWHPR1301MB2096.namprd13.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: futurewei.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: H5DgNQGwFkIfZgvn7I7VHsenew41IgW1eaaHrc3dVVM5X5zyTTERz3I4hIkKRiD1Snq7cLe8uNZqvbTTo8SGprvtCtMx8J5NEFPuLGWMLAc/DwI5OuP/1ewPGOuCXVVuneJH9vRtp5k6gcs/J+chDXja+kHc0L9VIQB+ot5rsEBoDPVQ0zs9ZiMi2OnYyWwbdSwi+dGdTIDrmS+/819v02AWmfDTGWQ3pUYH+0dZ3B41mgpyonY1Tj9KzZosiWujbhEExDaf72jnYhNYrb/jHrI+9P4R/966KX6aaP5KyfW4odFlj0wz24xBliq3DgieLOfGGzWQujhXtboPz5iUTH2wCjLC1XAZssA8kHPrUM8zqCXgkkHa7KrqFy69P/YKfjkwN5TFD8lgH+VUTY+uNw11r3KlVDdRxKlgDaEkhSz+/Xk6Xpz1t2AQpQ95IjPQ2it+sOMvmGaOgP8ek0k5f2QIxUTxpRmwqw0lH/vZSSMBdg40pdasuOuXCh7EXA0LmzrgIiukbP+n5z6a5HTRVQ==
x-ms-exchange-antispam-messagedata: vUlyQmIEPiSVvrL4hvcCwHADnmS3PFF4/zmDafrLDfVYaBSPB0UPltZUAJfYYih/JjWkMKnHG+jVu4V9JGnEZILB386lTVaLTB+d2Oqi5aRKriOAlIxrTl3k2jce8nS5EBgZ+1IIqHYQCbunRE8JLg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/related; boundary="_005_MWHPR1301MB2096C1D997F546148489927A85000MWHPR1301MB2096_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 160f4173-d764-416c-0484-08d7a8bf5209
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Feb 2020 15:39:56.3607 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: d5itUkbt90EShSDwHpXpG+o9bA6les+dAdrQJdnmPJaNHsww9xCvWxhZJPiAsIZpvWO5IXQfXMvtYEPV9OXIDw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR1301MB2141
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/RZnNAmAwkSA-cVvtujjQWwgVjvA>
Subject: Re: [bess] solicit feedback on draft-dunbar-bess-bgp-sdwan-usage description of using BGP UPDATE messages to achieve SD-WAN Application Based Segmentation
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2020 15:40:05 -0000

Basil,

Thank you very much for the comments.
Your suggested wording change will be incorporated in the next revision.

As for your suggestion of Segment and Segment ID of a SDWAN node (to be included in the BGP UPDATE), does the "Segment" mean the different Underlay?
In the figure below, C-PE1 has 3 WAN ports: 2 to MPLS network and 1 to Public Internet.
Do you mean C-PE1 has 3 WAN "segments"?
If not, can you elaborate more?

[cid:image002.png@01D5DA75.D86A6DA0]


Thanks, Linda

From: Najem, Basil <basil.najem@bell.ca>
Sent: Sunday, February 02, 2020 5:48 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>; bess@ietf.org
Cc: draft-dunbar-bess-bgp-sdwan-usage@ietf.org
Subject: RE: solicit feedback on draft-dunbar-bess-bgp-sdwan-usage description of using BGP UPDATE messages to achieve SD-WAN Application Based Segmentation


Hello Linda;

I haven't gone through the entire document; however, I have the following quick comments


  1.  Regarding the following paragraph:


  1.  Augment of transport, which refers to utilizing overlay paths over different underlay networks. Very often there are multiple parallel overlay paths between any two SDWAN edges, some of which are private networks over which traffic can traverse without encryption, others require encryption, e.g. over untrusted public networks.

The traffic that traverses the privet networks can be either encrypted or unecrypted (in other words, the assumption that the traffic is NOT encrypted is not always correct). I would change the parpagaph to the following (for clarity):


  1.  Augment of transport, which refers to utilizing overlay paths over different underlay networks. Very often there are multiple parallel overlay paths between any two SDWAN edges, some of which are private networks over which traffic can traverse with or without encryption, others require encryption, e.g. over untrusted public networks.



  1.  Another thing that we need to discuss is the Segment ID; each Segment (at the SD-WAN Edge) MUST have an ID. The SD-WAN Policy will map the Application Flow to the Segment. Since the Segment is a "routing domain", the BGP update will be exchanged with the memebers of a particular Segment.



As such: Should we include the Segment ID as an attribute in the BGP update messages? Perhaps we need to further discuss this in details.

Any feedback is welcomed and it's highly appreciated.

Regards;

Basil


From: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Sent: January-31-20 5:17 PM
To: bess@ietf.org<mailto:bess@ietf.org>
Cc: draft-dunbar-bess-bgp-sdwan-usage@ietf.org<mailto:draft-dunbar-bess-bgp-sdwan-usage@ietf.org>
Subject: [EXT]solicit feedback on draft-dunbar-bess-bgp-sdwan-usage description of using BGP UPDATE messages to achieve SD-WAN Application Based Segmentation

BESS participants:

"SDWAN" networks is characterized by:

  1.  Augment of transport, which refers to utilizing overlay paths over different underlay networks. Very often there are multiple parallel overlay paths between any two SDWAN edges, some of which are private networks over which traffic can traverse without encryption, others require encryption, e.g. over untrusted public networks.
  2.  Enable direct Internet access from remote sites, instead hauling all traffic to Corporate HQ for centralized policy control.
  3.  Some traffic are routed based on application IDs instead of based on destination IP addresses.


https://datatracker.ietf.org/doc/draft-dunbar-bess-bgp-sdwan-usage/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dunbar-bess-bgp-sdwan-usage%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C1f725814c8924c2e4d6c08d7a83a7306%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637162841310506376&sdata=Z5wrL%2BhyBnovmn7ojkMq6x0TaEJrzhbnPb6PEP2wYB4%3D&reserved=0> describes examples of using BGP UPDATE messages to achieve the SDWAN Application Based Segmentation,  assuming that the applications are assigned with unique IP addresses.
In the Figure below, the following BGP Updates can be advertised to ensure that Payment Application only communicates with the Payment Gateway:

[cid:image001.png@01D5DA73.0566B910]

BGP UPDATE #1 from C-PE2 to RR for the RED P2P topology (only propagated to Payment GW node:

-        MP-NLRI Path Attribute:

        *   30.1.1.x/24

-        Tunnel Encap Path Attribute

        *   IPsec Attributes for PaymentGW ->C-PE2


BGP UPDATE #2 from C-PE2 to RR for the routes to be reached by Purple:

-        MP-NLRI Path Attribute:

        *   10.1.x.x
        *   12.4.x.x

-        TunnelEncap Path Attribute:

        *   Any node to C-PE2


Your feedback is greatly appreciated.

Thank you very much.

Linda Dunbar
________________________________
External Email: Please use caution when opening links and attachments / Courriel externe: Soyez prudent avec les liens et documents joints

v2.23.0 | Report a Bug | By Email