Re: [bess] comments and suggestions to draft-rosen-bess-secure-l3vpn-01
Robert Raszuk <robert@raszuk.net> Fri, 06 July 2018 20:12 UTC
Return-Path: <rraszuk@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55D60130F08 for <bess@ietfa.amsl.com>; Fri, 6 Jul 2018 13:12:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.592
X-Spam-Level:
X-Spam-Status: No, score=0.592 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kate_FyBPxtR for <bess@ietfa.amsl.com>; Fri, 6 Jul 2018 13:12:44 -0700 (PDT)
Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 640BA130EEF for <bess@ietf.org>; Fri, 6 Jul 2018 13:12:44 -0700 (PDT)
Received: by mail-pg1-x534.google.com with SMTP id n15-v6so326707pgv.4 for <bess@ietf.org>; Fri, 06 Jul 2018 13:12:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=+RiMq8qowZwog5fI5VWAIP1iAn0ABFUbGS1ic84nDhQ=; b=mtwsm+kzR8HGUKqBd83r6k29581G+fNvvhPMJJkof7u4foBvF/LxqmqzZHYpCrIMUU gc9QXJzWULy3UFeCC65VIYI5ZuGO6UeLu5wAl1D2JnxtQgPbTXwsos+yQCUWVYCbQPAM pJW+Rwcw5W1H8DqljY8G+eJyq+Fpk7K6XaiL6/cN3Pn2ZF2JpY+EJaK/byq7Owi4W+bw LGgq+1Jt8KntxoV1LxGHujhEhGk13M/EnHTXKdYTpjiWKyC5ze/pSpBaPKr1RIPpfsbf fNQOOY7pepcf/Zwk4saW2gxrNow9Sh3/UsEDz1HZRquH/s11yZS2Tv2usD43NFMjirh7 BJgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=+RiMq8qowZwog5fI5VWAIP1iAn0ABFUbGS1ic84nDhQ=; b=rvNp46Xh6sBd/JLx7Qagtg3mcFrqgwumXqQJj6yRBPIkQGmZ/SVt+e/XGpd7KK/Pcg WCqJmX1oqOHN04vPHxwgFSIPIzo6zXBks1SruByLgdpCZSQpzc81wo+OSmHSMraxVRGb fIn4M3di3eulDaitthnRyIUGSixN+nBTWV/sGVTAB8GHbbqHoxY3jYmglMCtNMAJ6tGK 8Ww7C2svaA0X2opi+fS1TqeNdYYQ/lRfZueGwbILGUcEqXtBauvOgh9/M3fcOLmK98Lq KhQ5OJ7s+A8RRk7uAMGzj2aSEWhRSz/fgFzB1JPox0qGpZq2x97gwezk1Jmtg8AKxIHA 9JWA==
X-Gm-Message-State: APt69E1qmPGzH8PD9xB8WucXYgGTa6+Dt7t1IYoGRdIUS3FeoU2xnAf6 n+Kpj+hOaAoXG+OpR+UXeSrrwte1I2KQYuqX3q4=
X-Google-Smtp-Source: AAOMgpd/D9+zsNHGv9+nRBKT552aE7f9EADNnHLBeNaZGjF3P6l/k77p7j0Agu2KYBMeRWKoYJPY4tuZQoqZOKyws24=
X-Received: by 2002:a65:5641:: with SMTP id m1-v6mr10799126pgs.246.1530907963527; Fri, 06 Jul 2018 13:12:43 -0700 (PDT)
MIME-Version: 1.0
Sender: rraszuk@gmail.com
Received: by 2002:a17:90a:37e7:0:0:0:0 with HTTP; Fri, 6 Jul 2018 13:12:42 -0700 (PDT)
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B07EB23@sjceml521-mbs.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B07E161@sjceml521-mbs.china.huawei.com> <DM2PR05MB4485047CBE1ABF17FBE7083AE470@DM2PR05MB448.namprd05.prod.outlook.com> <4A95BA014132FF49AE685FAB4B9F17F66B07EB23@sjceml521-mbs.china.huawei.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 06 Jul 2018 22:12:42 +0200
X-Google-Sender-Auth: 8ffX7pLX_iUDUgXt9uJVzSAt7is
Message-ID: <CA+b+ERnwvYF4JdoiHhPPBYds-Tm9EPyZm6vPLdscjNtKhqTY4A@mail.gmail.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Cc: Ron Bonica <rbonica@juniper.net>, Eric Rosen <erosen@juniper.net>, "bess@ietf.org" <bess@ietf.org>
Content-Type: multipart/related; boundary="00000000000059c8f805705a499e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/hb_lRsS932sYDyBBfRdi9Y7FLnM>
Subject: Re: [bess] comments and suggestions to draft-rosen-bess-secure-l3vpn-01
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jul 2018 20:12:47 -0000
Hi Linda, What you are expressing is very clear and in fact happens today on any good SD-WAN controller. But in the context of this discussion are you bringing it here to suggest that draft-rosen-bess-secure-l3vpn should have such functionality build in ? Personally I don't think it really belongs in this draft as perfect sweet spot for it still IMHO resides on a SD-WAN controller. Pushing all that logic into BGP may be a bit excessive ... Many thx, R. On Fri, Jul 6, 2018 at 9:32 PM, Linda Dunbar <linda.dunbar@huawei.com> wrote: > Ron, > > > > This is referring to a Managed Overlay WAN services with many CPEs (large > scale SD-WAN) and where > > - there are many CPEs at each location and multiple WAN ports on > each CPE > > - SD-WAN Controller needs to detour a path between Site -A-& > Site-B via another site (e.g. Site-C) for reasons like Performance, > Regulatory, or others. Instead of designating to specific CPE of the > site-C. > > > > It is preferable to partition CPEs to clusters, as shown in the figure > below: > > > > > > Do I explain well? If not, can we talk face to face in Montreal? > > > > Thanks, Linda Dunbar > > > > *From:* Ron Bonica [mailto:rbonica@juniper.net] > *Sent:* Friday, July 06, 2018 1:25 PM > *To:* Linda Dunbar <linda.dunbar@huawei.com>; Eric Rosen < > erosen@juniper.net>; bess@ietf.org > *Subject:* RE: comments and suggestions to draft-rosen-bess-secure-l3vpn- > 01 > > > > Hi Linda, > > > > I’m not sure that I understand what you mean when you say, “aggregate > CPE-based VPN routes with internet routes that interconnect the CPEs”. > Could you elaborate? > > > > Ron > > > > > > *From:* Linda Dunbar <linda.dunbar@huawei.com> > *Sent:* Thursday, July 5, 2018 11:53 AM > *To:* Eric Rosen <erosen@juniper.net>; Ron Bonica <rbonica@juniper.net>; > bess@ietf.org > *Subject:* comments and suggestions to draft-rosen-bess-secure-l3vpn-01 > > > > Eric and Ron, > > > > We think that the method described in your draft is useful for CPE based > EVPN, especially for SD-WAN between CPEs. > > But, it misses some aspects to aggregate CPE-based VPN routes with > internet routes that interconnect the CPEs. > > > > Question to you: Would you like to expand your draft to cover the scenario > of aggregating CPE-based VPN routes with internet routes that interconnect > the CPEs? > > > > If yes, we think the following areas are needed: > > > > • For RR communication with CPE, this draft only mentioned IPSEC. > Are there any reasons that TLS/DTLS are not added? > > • The draft assumes that C-PE “register” with the RR. But it > doesn’t say how. Should “NHRP” (modified version) be considered? > > • It assumes that C-PE and RR are connected by IPsec tunnel. With > zero touch provisioning, we need an automatic way to synchronize the IPSec > SA between C-PE and RR. The draft assumes: > > p A C-PE must also be provisioned with whatever additional information > is needed in order to set up an IPsec SA with each of the red RRs > > • IPsec requires periodic refreshment of the keys. How to > synchronize the refreshment among multiple nodes? > > • IPsec usually only send configuration parameters to two end > points and let the two end points to negotiate the KEY. Now we assume that > RR is responsible for creating the KEY for all end points. When one end > point is confiscated, all other connections are impacted. > > > > If you are open to expand your draft to cover SD-WAN, we can help > providing the sections to address the bullets mentioned above. > > > > We have a draft analyzing the technological gaps when using SD-WAN to > interconnect workloads & apps hosted in various locations: > https://datatracker.ietf.org/doc/draft-dm-net2cloud-gap-analysis/ > <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Ddm-2Dnet2cloud-2Dgap-2Danalysis_&d=DwMFAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=zU9RrstHx08_qwVE-_wbaPcJUwA0Cx7W9wg4K6cDAOs&s=1SH5CDBkEFKTyKPWRpPpy-dfxkl19-hrgXiR7nRkq50&e=> > > Appreciate your comments and suggestions to our gap analysis. > > > > > > Thanks, Linda Dunbar > > > > _______________________________________________ > BESS mailing list > BESS@ietf.org > https://www.ietf.org/mailman/listinfo/bess > >
- Re: [bess] comments and suggestions to draft-rose… Ron Bonica
- Re: [bess] comments and suggestions to draft-rose… UTTARO, JAMES
- Re: [bess] comments and suggestions to draft-rose… Jeff Tantsura
- Re: [bess] comments and suggestions to draft-rose… UTTARO, JAMES
- Re: [bess] comments and suggestions to draft-rose… Linda Dunbar
- Re: [bess] comments and suggestions to draft-rose… Jeff Tantsura
- Re: [bess] comments and suggestions to draft-rose… Linda Dunbar
- Re: [bess] comments and suggestions to draft-rose… Robert Raszuk
- Re: [bess] comments and suggestions to draft-rose… Linda Dunbar
- Re: [bess] comments and suggestions to draft-rose… Ron Bonica
- Re: [bess] comments and suggestions to draft-rose… Jeff Tantsura
- [bess] comments and suggestions to draft-rosen-be… Linda Dunbar