[bess] Re: Suggested wording to merge the content from draft-wang-bess-secservice to draft-bess-secure-evpn

"Ali Sajassi (sajassi)" <sajassi@cisco.com> Thu, 13 June 2024 21:25 UTC

Return-Path: <sajassi@cisco.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D621EC14CF1C; Thu, 13 Jun 2024 14:25:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.594
X-Spam-Level:
X-Spam-Status: No, score=-9.594 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="FDIILMgN"; dkim=pass (1024-bit key) header.d=cisco.com header.b="h4L5qLb6"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zqa5sPMQHxOh; Thu, 13 Jun 2024 14:25:50 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C6D0C14CEFE; Thu, 13 Jun 2024 14:25:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=57930; q=dns/txt; s=iport; t=1718313950; x=1719523550; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=NQaRrRlS/AMyZZL6E0jZ5a9Wub1pC9LEYiTYw3VkAtI=; b=FDIILMgNlrMRX1z4R5IICTZEU+6gghOXwLnZ0hVN3lwX2Lo1uJg47StP OT0f8hsWJEwNZz/sBaF1X0CMn7A+q47WuXIc5A/TV/R/n+sxWOfUg7Ug+ RRIMnr7L9B4MtBUWAvBuoFZZ6ULSll6ALiyx9IVnKymAp8i5drPrqGKvV s=;
X-CSE-ConnectionGUID: SEQqPAnmT2OA+KSoPJATXw==
X-CSE-MsgGUID: 4BRnGTAYQlu+eY+elNfWDg==
X-IPAS-Result: A0AHAAB3YmtmmIUNJK1aGwEBAQEBAQEBBQEBARIBAQEDAwEBAWWBFwUBAQELAYFAMVJ6AoEcSAOEUoNMA4UtiG4DngyBJQNWDwEBAQ0BAUQEAQGFBgIWiFkCJjUIDgECAgIBAQEBAwIDAQEBAQEBAQEGAQEFAQEBAgEHBRQBAQEBAQEBAR4ZBQ4QJ4V0DYZZAQEBAQMSCAkKEwEBJRIBDwIBCBEDAQEBIQECBAMCAgIvFAkIAQEEDgUIGoJeAYIcSAMBo2cBgUACiih6gTKBAYIMAQEGBAXddwmBSAGIMAEkgTECAohjBwEfG4INgRVCgjcxPoJhAoFiAwMYBw+DJTqCL44mGYMQQYFNgiSDQAwBDoMyhFo0A4EVghwiJguBHop+VHciAyYzIQIRAVUTFws+CRYCFgMbFAQwDwkLJioGOQISDAYGBlk0CQQjAwgEA0IDIHERAwQaBAsHd4FxgTQEE0eBN4FSiB0MgXuBNCmBSSeBC4MOS2yEBIFrDGGIboEQgT6BZgGDVEyDWB1AAwttPTUUGwUEgTUFqBYEOIJ5AWsGMwsmBAMKCxIFFBIePSgMBxgmAQMLHgIBAx4FDpJ4JQqBI4I2iy2jUgqEE6FnF6IzhyJklnSBcaMOhVICBAIEBQIPAQEGgWYBOIFbcBWDIglJGQ+OIQwFCAkWg0LHV3gNLgIHAQoBAQMJimgBAQ
IronPort-PHdr: A9a23:umsaNBDUr5eXdUPHi6ipUyQVpxdPi9zP1kY98JErjfdJaqu8usmkN 03E7vIrh1jMDs3X6PNB3vLfqLuoGXcB7pCIrG0YfdRSWgUEh8Qbk01oAMOMBUDhav+/Ryc7B 89FElRi+iLzKlBbTf73fEaauXiu9XgXExT7OxByI7HuE4zblN+2/+uz4JbUJQ5PgWn1bbZ7N h7jtQzKrYFWmd54J6Q8wQeBrnpTLuJRw24pbV7GlBfn7cD295lmmxk=
IronPort-Data: A9a23:rP5khKDcjuRJURVW/w3jw5YqxClBgxIJ4kV8jS/XYbTApD5w3mAOy 2oYXWiEPPuLa2OgLdwiPN7i804G6JHUx9FkOVdlrnsFo1CmBibm6XV1Cm+qYkt+++WaFBoPA /02M4SGdIZsCCaE+n9BC5C5xVFkz6aEW7HgP+DNPyF1VGdMRTwo4f5Zs7ZRbrVA357hU2thh fuo+5eDYAH8gGYuWo4pw/vrRC1H7ayaVAww5jTSVdgT1HfCmn8cCo4oJK3ZBxMUlaENQ4ZW7 86apF2I1juxEyUFU7tJoZ6nGqE+eYM+CCDV4pZgtwdOtTAZzsA6+v5T2PPx8i67gR3R9zx64 I0lWZBd1W7FM4WU8NnxXSW0HAlFEJRfwJbBJETlluXQ7HbBS1nF/8VxWRRe0Y0woo6bAElH8 fgebTsKdB3G3rvwy7OgQe4qjcMmRCXpFNpA4Tc7k3eAVrB/Gsurr6bivbe02B8rj8JHBu3fT 8EYcjFoKh/HZnWjP39NWc1nzbr53CiXnztw9Hivo4ULylnqyBEy3YmuPd7zdOOmSpAA9qqfj jmbpzuiWE5y2Mak4Taf+3yww+7CgS2+Uo8JD/ij+/V3mlDWy3ILDjUXWEe15/6jhSaWUd9EM GQV9zYg668o+ySWosLVVhm8pjuPuQQRHoMJVeY78wqKjKHT5m51G1ToUBZ6ReU/jOYwQABw8 XbKvOjuPR5GjI2KHCf1GqivkRu+Pi0cLGknbCACTBcY79SLnG3VpkyWJjqEOPDs5uAZCQ3NL ya2QD/Sboj/YOYC06G9uFvAmT/p/8GPRQ8u7QKRVWWghu+YWGJHT9L1gbQ4xa8cRGp8crVnl CNZ8yR5xLtQZaxhbATXHI0w8EiBvp5pygH0j191BIUG/D+w4XOldo04yGghfRcyap1YJmCwP hW7VeZtCHl7YSXCgUhfPt3ZNijW5fWI+SnND6mFM4IWMvCdiifepH0/DaJv44wduBNxyf5kY 8jznTeEBncBAqMv1yutW+oYyvcqwCt4rV4/trilpylLJYG2PSbPIZ9caQPmRrlgsMus/l6Pm /4BbJTi9vmqeLCkCsUh2dRNfQliwLlSLc2elvG7gcbZc1U3Rjp7UK+PqV7jEqQ895loei7z1 ijVcmdTyUH0gjvMLgDiV5ypQOqHsUpXxZ7jARERAA==
IronPort-HdrOrdr: A9a23:BPsiZKxt12swrCtKa9rHKrPxY+gkLtp133Aq2lEZdPULSL36qy n+ppQmPEHP6Qr5AEtQ6OxoWJPtfZvdnaQFmLX5To3SLDUO2VHYY72KiLGSoQEIdBeOi9K1uZ 0QFJSWTeeAc2SS7vyKrjVQcexQvOVvmZrA7YyxvhIdKT2CKZsQkDuRYTzranGeMTM2f6bRY6 DsnfavyQDQH0g/X4CQPFVAde7FoNHAiZLhZjA7JzNP0mOzpALtwoTXVzyD0Dkjcx4n+9ofGG 7+/DDR1+GGibWW2xXc32jc49B9g9360OZOA8SKl4w8NijsohzAXvUgZ5Sy+BQO5M2/4lcjl9 fB5z06Od5o1n/Xdmap5TPwxgjb1io04XOK8y7avZKjm726eNsJMbsEuWtrSGqf16PmhqA77E t/5RPdi3OQN2KYoM2y3amRa/ggrDvGnZNrq59gs5UYa/peVFeUxrZvpn+81/w7bXnHwZFiH+ 90AM7G4vFKNVuccnDCp2FqhMehR3IpA369MwI/U+GuonBrdUpCvgAl7d1amm1F+IM2SpFC6e iBOqN0lKtWRstTaa5mHu8OTca+F2SIGHv3QS6vCEWiELtCN2PGqpbx7rlw7Oa2eIYQxJ93nJ jaSltXuWM7ZkqrA8yT259A9AzLXQyGLHnQ49Ab44I8tqz3RbLtPyHGQFcyk9G4q/FaGcHfU+ bbAuMePxYiFxqZJW9k5XyIZ3AJEwhqbCQ8gKdOZ26z
X-Talos-CUID: 9a23:Lc8udmi5rvAYje9YcvJjYON/mTJuSVDk1U/5JUqEU0FAC56uTmey0Z9UjJ87
X-Talos-MUID: 9a23:s1IG/A8hrp2Kni9oq9IuycmQf5tC2aKBNGk8qJEb+MS1diF0HTmioDviFw==
X-IronPort-Anti-Spam-Filtered: true
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-5.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jun 2024 21:25:49 +0000
Received: from rcdn-opgw-5.cisco.com (rcdn-opgw-5.cisco.com [72.163.7.169]) by alln-core-11.cisco.com (8.15.2/8.15.2) with ESMTPS id 45DLPn02004435 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 13 Jun 2024 21:25:49 GMT
X-CSE-ConnectionGUID: IALfnUMsQuWcSRIkdT1FXA==
X-CSE-MsgGUID: bHYqRPzES8W3zK7/7Z2EZA==
Authentication-Results: rcdn-opgw-5.cisco.com; dkim=pass (signature verified) header.i=@cisco.com; spf=Pass smtp.mailfrom=sajassi@cisco.com; dmarc=pass (p=reject dis=none) d=cisco.com
X-IronPort-AV: E=Sophos;i="6.08,236,1712620800"; d="scan'208,217";a="11004800"
Received: from mail-co1nam11lp2168.outbound.protection.outlook.com (HELO NAM11-CO1-obe.outbound.protection.outlook.com) ([104.47.56.168]) by rcdn-opgw-5.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jun 2024 21:25:48 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nHdaFzp7YRRbydXxX+6xvc+b3mJrm659X+PAaWwm34g+rzT3n7Lle5L63I3ZxyvYnS8OGXuPBFC4V9247+B/irvvNVs0UTaV2uu/X+uDkiy9quoNEbT3O+WJFKwa1xlpupbZ4OTxcBuiecJ+bIWvwh9LCI7ZxOovG6OQz4HDQArl61DAmSlV+yx+Nbq44v3Xx5u/36CrgJXrt3uae4V5RXXedvcdgU00bduuS2iSYnY1mFSMkjTd973eC9M/B8mKGYnO4S9mSmTlPY9P6ShqcJ6rZfrkUuQ/9UfRBl3RGLIpJLgfTdxx6p+zwXVIJGIR5IuKuTXyzSGQP9c7aexgzA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NQaRrRlS/AMyZZL6E0jZ5a9Wub1pC9LEYiTYw3VkAtI=; b=Kyk9hR+kcKq4nVfKC8W2VAShEz0nNDV7XN7M/F0BPNHe4J5A1KHg81eIeuBjLr+RrZL6SnGFfAweR+jTZvYic4z2m9owrn/a4c7Uq0W878FaLWcRCsGOJnQKk6mWq0/FiViuJ3TQyCPnJXpZ4iCj4MMMmwOaLCwizyTkgc5GIvoVKPim+3AZ8K0zYkkDt5NLsNApZViGLpz7svt0l019jzSEniAYoJFxfsskGrCSMwMRTY1EsKPRdxb+21e+TnROXzGNhWZcgOIkROLNQnkcvQgZim8zbvDag+b2Pt9c+i6Yrp0bzlZ8iU1WybA3QdvcYoUk1yg3iRoA00SQXEukYw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NQaRrRlS/AMyZZL6E0jZ5a9Wub1pC9LEYiTYw3VkAtI=; b=h4L5qLb6ahWrzghpVQ26pawHw1uMmVSKNhFy5beVzKYPSdhuAGv62cUPipaW9WDaF/FhPp3Ea8DaWkRCY097h2nZxZuSdMB8OhIs6c5BL0S1DB3LDS35uzV5A/dKROxR/m5lsUmn6tcFzzXqNGI11uUmsqNQprnd8Nj1g3cRNq4=
Received: from SJ0PR11MB5770.namprd11.prod.outlook.com (2603:10b6:a03:421::6) by CH3PR11MB8315.namprd11.prod.outlook.com (2603:10b6:610:17e::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7677.21; Thu, 13 Jun 2024 21:25:43 +0000
Received: from SJ0PR11MB5770.namprd11.prod.outlook.com ([fe80::6380:de9d:7f00:e9ea]) by SJ0PR11MB5770.namprd11.prod.outlook.com ([fe80::6380:de9d:7f00:e9ea%2]) with mapi id 15.20.7677.019; Thu, 13 Jun 2024 21:25:43 +0000
From: "Ali Sajassi (sajassi)" <sajassi@cisco.com>
To: Linda Dunbar <linda.dunbar@futurewei.com>
Thread-Topic: Suggested wording to merge the content from draft-wang-bess-secservice to draft-bess-secure-evpn
Thread-Index: Adqf5r0n8EGG1Zz4QQiJzOIx39malQYr7WGgARS7ZhAAOyWeAg==
Date: Thu, 13 Jun 2024 21:25:43 +0000
Message-ID: <SJ0PR11MB57701B11640D357D21D4677DB0C12@SJ0PR11MB5770.namprd11.prod.outlook.com>
References: <CO1PR13MB4920ED1F49CFE4D3F16A6772851C2@CO1PR13MB4920.namprd13.prod.outlook.com> <SJ0PR11MB577031DA2A534F38CEDB1223B0FB2@SJ0PR11MB5770.namprd11.prod.outlook.com> <CO1PR13MB4920D561843D0205DA9DB82885C02@CO1PR13MB4920.namprd13.prod.outlook.com>
In-Reply-To: <CO1PR13MB4920D561843D0205DA9DB82885C02@CO1PR13MB4920.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SJ0PR11MB5770:EE_|CH3PR11MB8315:EE_
x-ms-office365-filtering-correlation-id: 6006fc65-592c-4b81-d6d1-08dc8bef61f3
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230035|376009|1800799019|366011|38070700013;
x-microsoft-antispam-message-info: T7e0PrL9boXv13PbtjRq64+z7jEEUcw0ikkMyFn3t9PAzpCHZ9sMT0W4WBV9BUeHLozbQGPKwPQmDd1niQ2im1dMcrXe8Y7YKRls2LyGZO/vQL8/dphinXFznwf2utxrZ6XubrLVMhll1UL1FQRFdvsgyBsxCGjPv7Ml80FlO4hL8wjwsMpqo5se98+nmTJHRYNCNRMKF6dQus23UG3poy9r6bcrJQxmX9abjvwYm0HNmuDatUIxljD5Q0Fm0S+LKkjbjoVhOVK6Q0KWdo6IAfBQHsU//QnTISUhy7x1UmqMkJLaYRGSaRJojXbvMD6GOdC2Mgh+yIaSPlQaXo9H9ihv0U9b4D7X4amCMcymbJnxc5T4ko0gwbfo3YlojqRuKw6aZoNn8xmN6UY3CEUVezdeVpZa7GhnKo2fqTuUJlxjtXKqGA3KJd63ZcQzZoEL4PpnyjY5gTYJ+BpMcU3XLsAjVF3mvTCCzuxcy3sAot5lazyFYyS2FFKHq7h09ndSQtuvVp/xpbj+u1b8TfegCWBckshiDT8IWAZX8nOE8axeaI1h6RAbikVxIps/6VBb4Jw22Gjqs2IfnCetLfDCmhLBtSvihr5tsgYXQep2jAUEqw9Ng3B8BcefToJ5WMKmY4PKu+DIAce1BYZ0ZV7AiDALe0FIf18ZXCK9jZkck21SyjnrhUbxZUL5VQ1mNZRTTweXcRf3ExahPcsjm0oO7OnbVbD17qFJ+U19cvZguMNhe62wnvrMQo4yg/teDwbY+QNTPyM3hXdZymy9fQCA9ZMe+098tU/PWpjFg1Zz8Iqq2qb90diTUPh7tXuEk/l1i5CVW7g2niPe6RfXCNoHS52GfOgYKJLHh7abNbGgDSvKLDXNqZPQ/ekciethFpQCqLBQEt1yhnPIv9xqIdbQ3jIC86Xf4dONMOAyFURsDe5AdMS51hU47wszXSci0yX1iG1V913dWdf5mahH32e1A0hfyWLQhiPEFSZFfxkKVJtY7jQORxy2jHrYoUjPJZEIHfCNYJswkEU+iC82sJKvDrIyYEun1GBeyxGrbIFIhKGuRz37EXNw7FmMPrxBzcCwbVc3/keF/VDmtpI2MQpK0rV8PzVHmIVHg6QGL9HPnXmI0+VIIqqYOCzFTve/Dc8ea2MYic4v9e1qBhh6Wr6k+N4WDBuFURBZ1+yKK8NXZnKRgAoIyL/G4C1jiAzzpyZLjMHpUtJjvJDWUhnNfp6Otf+uT0VrnIKuS1DAn5ZGkarpnmVOzvNiSCzBj4sZVBM1Uk9S1Ulpys/XOaHjLbjOZ7biqG/czARVm25yWPtX5xPiJW3UCyUSVA1oiEQYjb3VZ5jb5T/Muia4OxRo5A8uX6wrx7tht3Fx2NTcGr/+Yk8=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SJ0PR11MB5770.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230035)(376009)(1800799019)(366011)(38070700013);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: dVwRq7xgnL+DEMOvx2NSeJaxXAfutrgPFo8MseOcA5B4gDxuEwzCuM6ldQAwCowgihikPrWX2dXMYxqvAG4SJp3VtJOr13irHFiXvGPMhA+0RoDBtfKgZCrqu2AbIBz/enlqanTGkpTrn+ahCcEtSHBmgDzD2MGp7MphniOYXLgRCqYBKLpn47HicoaDvgyjl1XoaGHXjA+AhFJlyIDRwK0UXEHWkOtBLaLXunreBDfj/6FLen87eLCQvl9P+vPSjeiiU8pPnfE8HEFLwZScapWbSomzPVIkrbYzISmbermd3snx2fbDHxXWel7CYbB5Dqb6JOFUC1QBf8gFR+a5VsY14+JfLtFesxdO9I3Yng2Kj6CuNq+SwFsw9vHDV4JASNCaVkt8CjKUNFz6pOv9y9n4mu65y5bXtRfv4dVa0+KAUbwuV6liF9nDrRbbxW2Mf+Ap3qlMiY/XIdOFwKqpPBGwIJPjoMz0qVC22V+SqCDmxVf/T1NVnVXNS67aZ+MSlv5SD9YmgikvZlSUaO6Ier0Qz5GAeHMYMLwTdjL3PUcsavm4e0GP/+HTcSPvYaMOk9K3ZfStvk9GWysIzfwpUKE6oRuVYnr9Ezq4L0inmR2tcY+sS+erdGjwfFwlR1PpJ7l4s4NBJ5xdGqSzdlVONeh4Mi87DiSvSs8IE68sZyzR+6L6wSzTu0jPwWP1/En5DJNT5gbH6OaNL1+HMXZ+G6qiWajowtrXMM9ikAXh62yfRXz09//n8Uz9CTH2ZHTdv7kJu24O7rgJGgrnmzWJoN4fvUKMqiKZUA+0X+EdxPh79QyCKxSid2211D3VxzptsbvYaMh664YxRtXJujSUBuRw1oo5J/N3cLSrBoAeL+glEt3hpdSEMFi20vnARTkU3AvLC6w9HJJuKSkculKRIGvQx6hcTTm4p1MG3gUCKeWiSMrr3lOdmY9OFYsf8UPr1HCm9lOzpcLG3GQmXdewg0t7M1A39ZMzntvcBaccs2INIxHD5MyFG9wEu1Gf6ro//IQ9HUGQ0KdjOwr/pYhJKZZWv5isbR6QzLJA9a//kyokzMXVSNC4BKjstx/B+v8wLPj4abmzxmcM1KuIUjR5U5AokFsSu8bldptoKH4m27aaSs7Dii22TVoNs9tnEYzVEEQU2Ot41R9ieh9JVJoXtm1szZVU67p35+Wp0MEdMsKWgS5viOV8rB6WzL6JOLyooz+2PgrwctqFlbsXVKBjIwFh0HO8ddsh3z6uyLunDjCOdig2A9Ql4cAUv0CED3X/bQp5uIDTaMviIkEcfWPdFx+lwdrPqyD+UnSc1OJx7vSwJ5Pr4vv05S2AxpSTx3RZlkRL+duCMVLeK/F0C+r08Qs/i/QSqF8ZV+upWV3rBJvDBfKS2+xn0xb6Sxz71cNGEBWDrQVukGerc0v5MORiQoyqv76GxULRD64Fuwc8xtiu9kS8++y+M1muDXmzzFBZ2euHOTFL9eWUZoCcznmZzdAYZ+rg6yoDfWDhRqJm1BzHmAHPIFeNiNnzTBBxnJW5bgUhA4Nzo3cV7IQtblo2Xf5qLGgJOuxNAgiHebawyD765Sj5mjVw2K8zL+3PM9Kh767lSSKhp4HEb8pPOM1grP/J0XH9OxoAPPvjazMDrM7ydUfYKZKeC1obOU56eBpWvwDvaAWrt6h+LMM8mk8iuA==
Content-Type: multipart/alternative; boundary="_000_SJ0PR11MB57701B11640D357D21D4677DB0C12SJ0PR11MB5770namp_"
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR11MB5770.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6006fc65-592c-4b81-d6d1-08dc8bef61f3
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jun 2024 21:25:43.6022 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: xl+CPKrOewd1z6Kb/clLQ8pwSdurFdoOn1mC0ChSNLWHEQ56496v4MeNj0HnTwLg78ugwn8y6hAt3cs0uQzK7Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH3PR11MB8315
X-Outbound-SMTP-Client: 72.163.7.169, rcdn-opgw-5.cisco.com
X-Outbound-Node: alln-core-11.cisco.com
Message-ID-Hash: GZR7HZSWI5FRQ3G5UHORWB3YPGYEINZT
X-Message-ID-Hash: GZR7HZSWI5FRQ3G5UHORWB3YPGYEINZT
X-MailFrom: sajassi@cisco.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-bess.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "bess@ietf.org" <bess@ietf.org>, "draft-ietf-bess-secure-evpn@ietf.org" <draft-ietf-bess-secure-evpn@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [bess] Re: Suggested wording to merge the content from draft-wang-bess-secservice to draft-bess-secure-evpn
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/jTqQ9TylFREWu4GkGI6q30pqJZo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Owner: <mailto:bess-owner@ietf.org>
List-Post: <mailto:bess@ietf.org>
List-Subscribe: <mailto:bess-join@ietf.org>
List-Unsubscribe: <mailto:bess-leave@ietf.org>

Linda,

There are two scenarios to consider with SRv6 IPsec encapsulation:


  1.  VPN-ID/Service-ID is not part of the SRH
  2.  VPN-ID/Service-ID is part of the SRH


  1.  is already covered in the document and I don’t believe we need to do much except adding a sentence or two mentioning that IPv6 EH can be SRH.
  2.  Implies that VPN-ID/Service-ID is carried in the open and this compromises security aspects. So far, if you look at MACsec or IPsec, VPN-ID/Service-ID has always been encrypted with ESP; however, now you are talking about deviating from the prior practices. Because secure-evpn draft is a WG document, we cannot add (2) without WG consensus. So, it would be good to bring up this issue up in BESS and IPSECME and solicit input on this point ONLY.
Cheers,
Ali

From: Linda Dunbar <linda.dunbar@futurewei.com>
Date: Wednesday, June 12, 2024 at 10:39 AM
To: Ali Sajassi (sajassi) <sajassi@cisco.com>
Cc: bess@ietf.org <bess@ietf.org>, draft-ietf-bess-secure-evpn@ietf.org <draft-ietf-bess-secure-evpn@ietf.org>
Subject: RE: Suggested wording to merge the content from draft-wang-bess-secservice to draft-bess-secure-evpn
Ali,

Section 9 needs change to accommodate the standard ESP Transport for SRv6 packets with SIDs outside the ESP header. Your current Section 9.1 (Standard ESP Encapsulation) emphasizes on encrypting NVO packets only.

Suggest adding a new subsection 9.3 (Standard ESP Encapsulation for SRv6). Here is the suggested wording for 9.3.
---------------------
9.3. Standard ESP Transport Encryption for SRv6 Packets
In scenarios where traffic needs to be securely steered through an SRv6 domain, ESP transport encryption can be applied to SRv6 packets with SIDs outside the ESP header. This allows the packet to benefit from the security provided by ESP while leveraging the routing capabilities of SRv6.

Example of ESP Transport Encryption for SRv6 Packets:
Consider an SRv6 packet with three SIDs where the original transport layer packet (e.g., UDP) is encrypted by ESP. The SIDs remain outside the ESP header, allowing intermediate nodes to route the packet based on the SIDs.

Below is the detailed structure of such a packet:

+--------------------+
| IPv6 Base Header   |
| Version = 6        |
| Next Header = 43   | <- Indicates Routing Header (RH)
| Source Address     |
| Destination Address|
+--------------------+
| Routing Header     | <- Segment Routing Header (SRH)
| Next Header = 50   | <- Indicates ESP header after SRH
| +-----------------+
| | Segment Left = 3|
| | Last Entry      |
| | SID 1           |
| +-----------------+
| | Segment Left = 2|
| | SID 2           |
| +-----------------+
| | Segment Left = 1|
| | SID 3           |
| | Next Header = 17| <- Indicates UDP
| +-----------------+
+--------------------+
| ESP Header         |
| SPI                |
| Sequence Number    |
| Initialization Vec |
+--------------------+
| Encrypted Payload  |
| (Original IPv6 Hdr)|
| (UDP Header)       |
| (UDP Data)         |
+--------------------+
| ESP Trailer        |
| (Padding, Pad Len, |
|  Next Header = 17) | <- Original payload was UDP
+--------------------+
| ESP Authentication |
| (ICV, optional)    |
+--------------------+
---------------------

Alternatively, you can modify the wording of Section 9.1. to include SRv6 and NVO payload as below:

9.1. Standard ESP Encapsulation
When standard IP Encapsulating Security Payload (ESP) is used (without outer UDP header) for encryption of IP packets, including NVO packets as well as SRv6 packets with Segment Identifiers (SIDs) outside the ESP header, it is used in transport mode as depicted below.

(Give the SRv6 example above).

Thank you,

Linda

From: Ali Sajassi (sajassi) <sajassi@cisco.com>
Sent: Thursday, June 6, 2024 9:53 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>
Cc: bess@ietf.org; draft-ietf-bess-secure-evpn@ietf.org
Subject: Re: Suggested wording to merge the content from draft-wang-bess-secservice to draft-bess-secure-evpn

Hi Linda,

I don’t think we need to put too much explanation wrt SRv6 because with respect to IPsec, it is just a IPv6 encapsulation. So, let me expand on it with respect to your four points below:

  1.  Scenario description: The rational and the reasons for needing IPsec are basically the same whether it is for regular IPv6 or SRv6. So, such text is already covered in the draft.
  2.  Implementation Strategy: with respect to flow identification, policy configuration, etc. The draft already covers that and indicates different level of granularity (all the way at the flow level) for doing IPsec encap.
  3.  Security considerations and benefits: This is again applies to both IPv6+ VxLAN and SRv6. So, if we need to beef up some existing texts, we can do it.

So, I can add a sentence or two to sections 9.1 and 9.2 mentioning that IPv6 can carry an extension header including SRv6.

Cheers,
Ali

From: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Date: Monday, May 6, 2024 at 12:40 PM
To: Ali Sajassi (sajassi) <sajassi@cisco.com<mailto:sajassi@cisco.com>>
Cc: bess@ietf.org<mailto:bess@ietf.org> <bess@ietf.org<mailto:bess@ietf.org>>, draft-ietf-bess-secure-evpn@ietf.org<mailto:draft-ietf-bess-secure-evpn@ietf.org> <draft-ietf-bess-secure-evpn@ietf.org<mailto:draft-ietf-bess-secure-evpn@ietf.org>>
Subject: Suggested wording to merge the content from draft-wang-bess-secservice to draft-bess-secure-evpn
Ali,

I am writing to follow up on our discussion during the IETF 119 BESS WG session regarding the draft-wang-bess-secservice. As you may recall, you endorsed Option 1 as the preferable approach for using SECURE-EVPN mechanism to encrypt selective SRv6 Flows into the Secure EVPN framework.
Option 1: Merge with Secure EVPN, directly incorporating the section into the main body of the document.
Additionally, consider adding a description of the necessary encapsulation methods in Section 9 and extending the discussion of new tunnel types in Section 10 to accommodate this feature.

Proposed Integration: I suggest adding a new subsection, "Encrypting Selective SRv6 Flows," to Section 3 of the Secure EVPN draft. This addition would detail the use case and requirements for selectively applying IPsec encryption to SRv6 data flows within NSP-managed networks, addressing the need for heightened security measures for sensitive data.

The proposed content for the subsection "Encrypting Selective SRv6 Flows" would include:

Scenario Description: Highlighting environments where SRv6 is deployed and the types of data flows that require enhanced security measures.
Implementation Strategy: Outlining the steps for implementing IPsec encryption, including flow identification, policy configuration, and the encryption mechanism itself.
Security Considerations: Discussing the added complexity and necessary management adjustments to maintain performance and security.
Benefits: Explaining how this approach secures sensitive information and ensures compliance with various regulatory requirements.

Here is the wording proposal. You can modify them to fit the SECURE-EVPN style.

3.6 Encrypting Selective SRv6 Flows
While a Network Service Provider (NSP) managed SRv6 domain is often considered a trusted and secure domain as detailed in RFC 8754, RFC 8402, and RFC 8986, certain scenarios require an enhanced security model. Particularly in cases where data flows carry sensitive or confidential information, there is a compelling need for additional security measures. Encrypting selective SRv6 flows caters to this need by providing robust protection even within a network environment presumed to be secure.

Scenario Description
In environments where SRv6 is deployed, data flows might include transactions requiring confidentiality, integrity, and authenticity assurances that exceed standard network security measures. Examples include financial transactions, personal data transmissions subject to privacy regulations, or corporate communications involving sensitive strategic content. In such cases, selectively encrypting specific SRv6 flows ensures that even if network breaches occur, the encrypted data remains secure.

Implementation Strategy
The implementation of IPsec for encrypting selective SRv6 flows involves the following steps:
Flow Identification: Define criteria for selecting which SRv6 flows require encryption. This could be based on the type of data, the source/destination of the flows, or preconfigured security policies.
Policy Configuration: Configure security policies that dictate the parameters for encryption, such as the algorithms used, the keys to be employed, and the duration of key validity. These policies are applied specifically to the identified SRv6 flows that require encryption.
Encryption Mechanism: Utilize IPsec in transport mode to encrypt the payload of identified SRv6 packets. The SRH (Segment Routing Header) remains unencrypted to allow for the routing of the packet, while the payload is encrypted, ensuring the confidentiality and integrity of the data.

Security Considerations
Encrypting selective SRv6 flows introduces additional complexity into the network management. It requires careful coordination between network security policies and the dynamic requirements of SRv6 routing. Additionally, the overhead introduced by encryption needs to be evaluated to ensure that it does not impact the network performance adversely. Effective monitoring and management are crucial to detect and respond to security incidents in a timely manner.

Benefits
This approach enhances data security by protecting sensitive information from potential eavesdropping and tampering. It also provides compliance with various regulatory requirements for data protection, offering an added layer of security without encrypting all network traffic, which can be resource intensive.
________________________________
This addition will fit seamlessly into your existing document structure under Section 3, providing a detailed examination of how IPsec can be used to enhance the security of selective SRv6 flows in a network environment managed by NSPs.



I look forward to your feedback on this proposal and am eager to assist in any drafting or revisions needed to facilitate this integration. Once we align on the approach, I will provide detailed text for adding a subsection in section 9 to describe encapsulation and adding extension of new tunnel type in section 10.

Thank you for considering this enhancement. I believe it will make a substantial contribution to the deployment and effectiveness of SECURE-EVPN by addressing critical security needs in SRv6 networks.

Linda