IETF Logo Mail Archive

Re: [bess] comments and suggestions to draft-rosen-bess-secure-l3vpn-01

Robert Raszuk <robert@raszuk.net> Fri, 06 July 2018 20:12 UTC

Return-Path: <rraszuk@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55D60130F08 for <bess@ietfa.amsl.com>; Fri, 6 Jul 2018 13:12:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.592
X-Spam-Level:
X-Spam-Status: No, score=0.592 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kate_FyBPxtR for <bess@ietfa.amsl.com>; Fri, 6 Jul 2018 13:12:44 -0700 (PDT)
Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 640BA130EEF for <bess@ietf.org>; Fri, 6 Jul 2018 13:12:44 -0700 (PDT)
Received: by mail-pg1-x534.google.com with SMTP id n15-v6so326707pgv.4 for <bess@ietf.org>; Fri, 06 Jul 2018 13:12:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=+RiMq8qowZwog5fI5VWAIP1iAn0ABFUbGS1ic84nDhQ=; b=mtwsm+kzR8HGUKqBd83r6k29581G+fNvvhPMJJkof7u4foBvF/LxqmqzZHYpCrIMUU gc9QXJzWULy3UFeCC65VIYI5ZuGO6UeLu5wAl1D2JnxtQgPbTXwsos+yQCUWVYCbQPAM pJW+Rwcw5W1H8DqljY8G+eJyq+Fpk7K6XaiL6/cN3Pn2ZF2JpY+EJaK/byq7Owi4W+bw LGgq+1Jt8KntxoV1LxGHujhEhGk13M/EnHTXKdYTpjiWKyC5ze/pSpBaPKr1RIPpfsbf fNQOOY7pepcf/Zwk4saW2gxrNow9Sh3/UsEDz1HZRquH/s11yZS2Tv2usD43NFMjirh7 BJgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=+RiMq8qowZwog5fI5VWAIP1iAn0ABFUbGS1ic84nDhQ=; b=rvNp46Xh6sBd/JLx7Qagtg3mcFrqgwumXqQJj6yRBPIkQGmZ/SVt+e/XGpd7KK/Pcg WCqJmX1oqOHN04vPHxwgFSIPIzo6zXBks1SruByLgdpCZSQpzc81wo+OSmHSMraxVRGb fIn4M3di3eulDaitthnRyIUGSixN+nBTWV/sGVTAB8GHbbqHoxY3jYmglMCtNMAJ6tGK 8Ww7C2svaA0X2opi+fS1TqeNdYYQ/lRfZueGwbILGUcEqXtBauvOgh9/M3fcOLmK98Lq KhQ5OJ7s+A8RRk7uAMGzj2aSEWhRSz/fgFzB1JPox0qGpZq2x97gwezk1Jmtg8AKxIHA 9JWA==
X-Gm-Message-State: APt69E1qmPGzH8PD9xB8WucXYgGTa6+Dt7t1IYoGRdIUS3FeoU2xnAf6 n+Kpj+hOaAoXG+OpR+UXeSrrwte1I2KQYuqX3q4=
X-Google-Smtp-Source: AAOMgpd/D9+zsNHGv9+nRBKT552aE7f9EADNnHLBeNaZGjF3P6l/k77p7j0Agu2KYBMeRWKoYJPY4tuZQoqZOKyws24=
X-Received: by 2002:a65:5641:: with SMTP id m1-v6mr10799126pgs.246.1530907963527; Fri, 06 Jul 2018 13:12:43 -0700 (PDT)
MIME-Version: 1.0
Sender: rraszuk@gmail.com
Received: by 2002:a17:90a:37e7:0:0:0:0 with HTTP; Fri, 6 Jul 2018 13:12:42 -0700 (PDT)
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B07EB23@sjceml521-mbs.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B07E161@sjceml521-mbs.china.huawei.com> <DM2PR05MB4485047CBE1ABF17FBE7083AE470@DM2PR05MB448.namprd05.prod.outlook.com> <4A95BA014132FF49AE685FAB4B9F17F66B07EB23@sjceml521-mbs.china.huawei.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 06 Jul 2018 22:12:42 +0200
X-Google-Sender-Auth: 8ffX7pLX_iUDUgXt9uJVzSAt7is
Message-ID: <CA+b+ERnwvYF4JdoiHhPPBYds-Tm9EPyZm6vPLdscjNtKhqTY4A@mail.gmail.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Cc: Ron Bonica <rbonica@juniper.net>, Eric Rosen <erosen@juniper.net>, "bess@ietf.org" <bess@ietf.org>
Content-Type: multipart/related; boundary="00000000000059c8f805705a499e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/hb_lRsS932sYDyBBfRdi9Y7FLnM>
Subject: Re: [bess] comments and suggestions to draft-rosen-bess-secure-l3vpn-01
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jul 2018 20:12:47 -0000

Hi Linda,

What you are expressing is very clear and in fact happens today on any good
SD-WAN controller.

But in the context of this discussion are you bringing it here to suggest
that draft-rosen-bess-secure-l3vpn should have such functionality build in
?

Personally I don't think it really belongs in this draft as perfect sweet
spot for it still IMHO resides on a SD-WAN controller. Pushing all that
logic into BGP may be a bit excessive ...

Many thx,
R.


On Fri, Jul 6, 2018 at 9:32 PM, Linda Dunbar <linda.dunbar@huawei.com>
wrote:

> Ron,
>
>
>
> This is referring to a Managed Overlay WAN services with many CPEs (large
> scale SD-WAN) and where
>
> -        there are many CPEs at each location and multiple WAN ports on
> each CPE
>
> -        SD-WAN Controller needs to detour a path between Site -A-&
>  Site-B via another site (e.g. Site-C) for reasons like Performance,
> Regulatory,  or others. Instead of designating to specific CPE of the
> site-C.
>
>
>
> It is preferable to partition CPEs to clusters, as shown in the figure
> below:
>
>
>
>
>
> Do I explain well? If not, can we talk face to face in Montreal?
>
>
>
> Thanks, Linda Dunbar
>
>
>
> *From:* Ron Bonica [mailto:rbonica@juniper.net]
> *Sent:* Friday, July 06, 2018 1:25 PM
> *To:* Linda Dunbar <linda.dunbar@huawei.com>; Eric Rosen <
> erosen@juniper.net>; bess@ietf.org
> *Subject:* RE: comments and suggestions to draft-rosen-bess-secure-l3vpn-
> 01
>
>
>
> Hi Linda,
>
>
>
> I’m not sure that I understand what you mean when you say, “aggregate
> CPE-based VPN routes with internet routes that interconnect the CPEs”.
> Could you elaborate?
>
>
>
>                                                             Ron
>
>
>
>
>
> *From:* Linda Dunbar <linda.dunbar@huawei.com>
> *Sent:* Thursday, July 5, 2018 11:53 AM
> *To:* Eric Rosen <erosen@juniper.net>; Ron Bonica <rbonica@juniper.net>;
> bess@ietf.org
> *Subject:* comments and suggestions to draft-rosen-bess-secure-l3vpn-01
>
>
>
> Eric and Ron,
>
>
>
> We think that the method described in your draft is useful for CPE based
> EVPN, especially for SD-WAN between CPEs.
>
> But, it misses some aspects to aggregate CPE-based VPN routes with
> internet routes that interconnect the CPEs.
>
>
>
> Question to you: Would you like to expand your draft to cover the scenario
> of aggregating CPE-based VPN routes with internet routes that interconnect
> the CPEs?
>
>
>
> If yes, we think the following areas are needed:
>
>
>
> •        For RR communication with CPE, this draft only mentioned IPSEC.
> Are there any reasons that TLS/DTLS are not added?
>
> •        The draft assumes that C-PE “register” with the RR. But it
> doesn’t say how. Should “NHRP” (modified version) be considered?
>
> •        It assumes that C-PE and RR are connected by IPsec tunnel. With
> zero touch provisioning, we need an automatic way to synchronize the IPSec
> SA between C-PE and RR. The draft assumes:
>
> p  A C-PE must also be provisioned with whatever additional information
> is needed in order to set up an IPsec SA with each of the red RRs
>
> •        IPsec requires periodic refreshment of the keys. How to
> synchronize the refreshment among multiple nodes?
>
> •        IPsec usually only send configuration parameters to two end
> points and let the two end points to negotiate the KEY. Now we assume that
> RR is responsible for creating the KEY for all end points. When one end
> point is confiscated, all other connections are impacted.
>
>
>
> If you are open to expand your draft to cover SD-WAN, we can help
> providing the sections to address the bullets mentioned above.
>
>
>
> We have a draft analyzing the technological gaps when using SD-WAN to
> interconnect workloads & apps hosted in various locations:
> https://datatracker.ietf.org/doc/draft-dm-net2cloud-gap-analysis/
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Ddm-2Dnet2cloud-2Dgap-2Danalysis_&d=DwMFAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=zU9RrstHx08_qwVE-_wbaPcJUwA0Cx7W9wg4K6cDAOs&s=1SH5CDBkEFKTyKPWRpPpy-dfxkl19-hrgXiR7nRkq50&e=>
>
> Appreciate your comments and suggestions to our gap analysis.
>
>
>
>
>
> Thanks, Linda Dunbar
>
>
>
> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess
>
>

v2.23.0 | Report a Bug | By Email