Re: [bess] Why are you specifying two new tunnel types for encapsulation for EVPN?
"Ali Sajassi (sajassi)" <sajassi@cisco.com> Fri, 31 July 2020 02:42 UTC
Return-Path: <sajassi@cisco.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16FCA3A0816 for <bess@ietfa.amsl.com>; Thu, 30 Jul 2020 19:42:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.619
X-Spam-Level:
X-Spam-Status: No, score=-9.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=YTXoxzmp; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Rqplowlb
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N82W96CfnGyg for <bess@ietfa.amsl.com>; Thu, 30 Jul 2020 19:42:47 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA9573A07FC for <bess@ietf.org>; Thu, 30 Jul 2020 19:42:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=57367; q=dns/txt; s=iport; t=1596163366; x=1597372966; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=+MhuzQQg3Ll4CPHyA5TFS+SpUD+Y/5gLziXBzZp0fwU=; b=YTXoxzmpI0nqkOtlPmdjVbTUMGx3ou3O7+97gS4+az3eF9flRWoqqIfO QvKzcmKPEIR/eai86KLa/2ALRKLhLQTl0pY8N8bh9oSme+3hMPkgB3Pwv ynLQkjHZLsnRwX01Cxaa2laBC2Fp0BEPYacJE2GzfYP15ttWuw1wmENlK M=;
IronPort-PHdr: 9a23:Wt1azRStF77sxVz4y6wjVSZeydpsv++ubAcI9poqja5Pea2//pPkeVbS/uhpkESQBN+J7f5Wi6zdtKWzEWAD4JPUtncEfdQMUhIekswZkkQmB9LNEkz0KvPmLklYVMRPXVNo5Te3ZE5SHsutYVHAoju56jtBUhn6PBB+c+LyHIOahs+r1ue0rpvUZQgAhDe0bb5oahusqgCEvcgNiowkIaE0mRY=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0A9AwDvgyNf/5tdJa0WBUUbAQEBAQEBAQEFAQEBEgEBAQMDAQEBggoCgSEvUQdvWC8shDWDRgONKiWBApdgglMDVQsBAQEMAQElCAIEAQGETAIXghcCJDgTAgMBAQsBAQUBAQECAQYEbYVcDIVxAQEBBBIRHQEBKQ8PAgEGAg4DAwEBAR4DAQYDAgICMBQJCAEBBAESFAcHgwQBgX5NAy4BDokTizqQaAKBOYhhdoEygwEBAQWCSoJUGIIOAwaBOAGCboNfhRSBDh0aggCBEScMEIIYBy4+glwBAQIBgXwNCYJgM4ItjheBNhKBE4IAhl2DHYg5j2GBBQqCX4hbkSQDHoJ7iUuTLo1bhESKM5RsAgQCBAUCDgEBBYFqI4FXcBU7KgGCPglHFwINjh8MBRIUgzqFFIVCdAILKgIGAQcBAQMJfI8VXwEB
X-IronPort-AV: E=Sophos;i="5.75,416,1589241600"; d="scan'208,217";a="807527472"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 31 Jul 2020 02:42:45 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by rcdn-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 06V2gjiK027392 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 31 Jul 2020 02:42:45 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 30 Jul 2020 21:42:44 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 30 Jul 2020 21:42:43 -0500
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Thu, 30 Jul 2020 22:42:44 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JPDbiyMefyyOaHsuAO2XjkS9e4TKng3PBEzx5jMZwIQrytO6e69/3iV6Hikh9ZlCJ0iGXSsqoCY4r7zQxYR0IiFrn1jGkWN/XijwYD5LMK1ORIgBX7hbNe/Q3qsvByT99mbnMGW6ocKPOOazfZhSut4w6z/yrnF3rp6I4z6/YfUL75gbUowqrayYrdcBYqtFQsMfhM8QEoEhTpTeoikK2tVxENsYDyplgBSHf23BaYIe1+YLa3TO8ij3ufPUUip9g2e3kgV+lWi7IGT0IhGCn6cewg3JNb+Hp9/N7qWPhivNMW0Bl6JCKXDaiZwPxHyLlxSvILZOkxvMqJwAlcZsnw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+MhuzQQg3Ll4CPHyA5TFS+SpUD+Y/5gLziXBzZp0fwU=; b=hV5+RoLbcvbSmLKhV60aI6U9+qDBeZg7do3l4Ei9c24id3xsqfj7ldiNRGBQ49DfnPbGRmgZzplVsar9AQ2IzTlCBag2w3pAlxF7gfU97jH17qlaGJCY/+c7Z6pUg3K/kJp/QRnkoQQ/0LtwD6APfT9xRkibRIwzjzq5tbjNg7MEn1QSjhao2AgAesVljYsyaRzZB6irQmpieWGWinzbyIXsDFZZzmBSoI2ioqSJC6PNjJX2SLtwFo8dLZokYsFyrpSdvHERhI5uIdUWITe3KCFCeRKmxO8URA10MvNXCKUnb1hyg3gm5IzfhykFrHqkCGsREBgwvuR4dOYrTIJAQw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+MhuzQQg3Ll4CPHyA5TFS+SpUD+Y/5gLziXBzZp0fwU=; b=RqplowlbPR/NWAwd+HnjaACLi2kSTxvqtI0cRQQjtmrAz5FFH/KzUL4jlx1M8AnyeVTlZnBJZitrohH/qoXLkJzZJyQrA7LXLch+G/Zaav3Tdi00kpKLwIXbc77WYR/SiM5eayPUIBtwpqwdt+MI6I9VCqBHKERVjPU8lNLLmuA=
Received: from BY5PR11MB4260.namprd11.prod.outlook.com (2603:10b6:a03:1ba::30) by BYAPR11MB3607.namprd11.prod.outlook.com (2603:10b6:a03:b2::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3216.24; Fri, 31 Jul 2020 02:42:42 +0000
Received: from BY5PR11MB4260.namprd11.prod.outlook.com ([fe80::7d6c:d61b:95de:2f7c]) by BY5PR11MB4260.namprd11.prod.outlook.com ([fe80::7d6c:d61b:95de:2f7c%6]) with mapi id 15.20.3239.020; Fri, 31 Jul 2020 02:42:42 +0000
From: "Ali Sajassi (sajassi)" <sajassi@cisco.com>
To: Susan Hares <shares@ndzh.com>, "bess@ietf.org" <bess@ietf.org>
Thread-Topic: [bess] Why are you specifying two new tunnel types for encapsulation for EVPN?
Thread-Index: AdZk2rZsNmKYZ2btTRmMGWEu4OmC0f//n7UAgACNiQCAA3CBgA==
Date: Fri, 31 Jul 2020 02:42:42 +0000
Message-ID: <89C933FC-8EB1-4754-9D48-8AA0B13089A8@cisco.com>
References: <01e501d664dc$9bc24070$d346c150$@ndzh.com> <D9A66B46-6B09-4F58-BBEF-65E8F926BF2F@cisco.com> <005d01d664f1$566f50c0$034df240$@ndzh.com>
In-Reply-To: <005d01d664f1$566f50c0$034df240$@ndzh.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.39.20071300
authentication-results: ndzh.com; dkim=none (message not signed) header.d=none;ndzh.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [2601:648:8800:39a0:9d0b:a022:4ce1:4a14]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 690e453b-fa70-42bc-6d7f-08d834fb65fe
x-ms-traffictypediagnostic: BYAPR11MB3607:
x-microsoft-antispam-prvs: <BYAPR11MB36071DF8C6E749EE27DC6826B04E0@BYAPR11MB3607.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:3826;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: kNGUq2XnUR5tK+h1I7k2M1eAEEQRnzsG3o8LZyCOJNPLUyiUv8Qp0KvBXb9qgzt1BkzmOikYT7yDlB0mjoo8tkAPEg/KZwqCasDKRGVd+Aa97oLMIfXUhlXxkJuqwZbmGaP3rtDv55A2JVMBKapxcpCAW8KLimKZe4VL1PW92mqnhNg4IGnoESHl9nP8rGir+akQuSPEFa9jYTYDHQwoWsULOkjZtgHNgjfSfb4vYvUaCeo8SJgpnQnKHXqSjjVUpOl6fc6Vg6OU0Iskj+Hy0japJgoUmb0+RW87asGW1NzgKQD5/dREVp6/9Z9E9nkV7uy04I/dteptb0UUxvWnwGitf5vC5f5vmiIDwMwMDPP0ldRUHfAKWu2KV3ECjg+RBu1iZLEVzsI3Wny/bfVtpA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4260.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(39860400002)(376002)(366004)(136003)(396003)(8936002)(186003)(76116006)(53546011)(66946007)(36756003)(83380400001)(86362001)(478600001)(2616005)(6506007)(6512007)(966005)(166002)(5660300002)(64756008)(6486002)(66476007)(110136005)(2906002)(71200400001)(8676002)(33656002)(316002)(66446008)(66556008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: MZHT/QIGnVTf8odcxF7dmuGCF0oOLqw8l2Mumk17JEWqKl1lQoMiwq/G/Qq66QjVAovkbXpSFePs00Yrp+1i1tZFhrAD1YReY00rHzjlXloZH705i4tQ4jdpqJK6YUKP+//vEB7fEhfPhbLAROpIPKXXYc/K3qUWx++B3/QxuXVnkLvwwNCaQw6SZpTHgOh6RzZKv2tNhr/9OdONKxoettRlo6y3n2iAC0VmehsrSDd9EGW1Y1aJtZxleONj/m+wR8JzJWs3AW+rCjRgXf4fpsoIM2lIlzck4r+6Wds70OOjRmgdJEKYagsDtUENQiLHcV6z10do9O8tn5IO+MWbbPWuqFUCt9Kt5CFDcyIn23WhAdaWc6jSyOZy51W5WihybnwTOi7Gpks0iz6wrJij8+yODwvNlMaTkIJPTxPz8F7m3oqu8hvXYv3W2Onq7QCxAQG9XgLcOC3rhTEjEoDCKmyMgnTjKJeV9tjHv46IQq6DK0yOZolfO2OgrpVjwUSqd6a0uAzlFR9Lpuw7qIrlQ7OQNkKDHrrxh+Co7OU9qXkM2YdHrYDIzTkmli/8ZNve
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_89C933FC8EB147549D488AA0B13089A8ciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4260.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 690e453b-fa70-42bc-6d7f-08d834fb65fe
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Jul 2020 02:42:42.4434 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hcEIAb2Yc/DOFAybGpsLCw5OdzJAFJxHeE14UPvu2lsM+nooZu1bhftxVVq43uDnr8Z0Dc4geedJZWcoYuNy9w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB3607
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: rcdn-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/oOQCLX1Ea0UcIMFmorZ00hAV-nI>
Subject: Re: [bess] Why are you specifying two new tunnel types for encapsulation for EVPN?
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 02:42:51 -0000
Sue, From: Susan Hares <shares@ndzh.com> Date: Tuesday, July 28, 2020 at 8:11 AM To: Cisco Employee <sajassi@cisco.com>, "bess@ietf.org" <bess@ietf.org> Subject: RE: [bess] Why are you specifying two new tunnel types for encapsulation for EVPN? Ali: Three major high points from the discussion: 1) tunnel-encap and RFC6512 lack a clearly defined interoperability statement If you are using RFC6512 PMSI tunnel attribute and Tunnel-encap attribute, this issue needs to be sorted out. AS> Secure-evpn draft doesn’t use RFC6512 PMSI tunnel attribute. It only uses Tunnel-encap. I was just providing an example wrt underlay tunnel type vs. overlay encap. 2) If your draft depends on draft-carrell-ipsecme-controller-ike-00.txt, then the review at IETF 105 by security experts had concerns which have not been resolved. (Also draft-carrell-ipsecme-controller-ike-01.txt has expired and there is not a replacement.) AS> Secure-evpn relies on rekeying from draft-carrell-ipsecme-controller-ike-00.txt. If there is a better proposal for rekeying, then I am all ears. We’ll take care of the expired status of that draft shortly. If your draft depends on general features of rekeying, nonces, security association databases, and security policy data bases, then I suggest revising the draft to point to existing features. AS> secure-evpn draft does reference to carrell controller-ike draft regarding those features (e.g., section 4.4 for rekeying, section, 4.5 for ipsec databases). 3) [IDR-Shepherd-hat on] A general solution for IPsec security association passing is wise AS> That’s what is described here – i.e., a general solution that applies to EVPN and other type of VPNs because it uses an attribute that can be passed with any NLRI. All of this points toward the creation of a general IPSEC functionality in BGP rather than EVPN specific work. If it is true, then we ought to create one solution in IDR for the 3 scenarios. AS> As I said before, the solution applies to EVPN as well as other VPN types. That’s why I have a section that explain how other VPN solution can be beneficiary of the same solution. BTW, because we are talking about signaling for BGP Enable Services, this draft and any other related drafts in this area belong to BESS. Of course, IDR will be involved as always. Cheers, Ali See my comments as Sue2>. I use the following abbreviations tunnel-encaps - draft-ietf-idr-tunnel-encaps-17.txt sajassi-s-evpn – draft-sajasssi-bess-secure-evpn-03.txt RFC6514 – PMSI Tunnel Attribute (PMSI) Cheerily, Sue From: Ali Sajassi (sajassi) [mailto:sajassi@cisco.com] Sent: Tuesday, July 28, 2020 9:45 AM To: Susan Hares; bess@ietf.org Subject: Re: [bess] Why are you specifying two new tunnel types for encapsulation for EVPN? Sue, Please see my responses below marked with AS> From: BESS <bess-bounces@ietf.org> on behalf of Susan Hares <shares@ndzh.com> Date: Tuesday, July 28, 2020 at 5:43 AM To: "bess@ietf.org" <bess@ietf.org> Subject: [bess] Why are you specifying two new tunnel types for encapsulation for EVPN? Ali: From draft-sajassi-bess-secure-evpn: 6<https://tools.ietf.org/html/draft-sajassi-bess-secure-evpn-03#section-6> BGP Encoding This document defines two new Tunnel Types along with its associated sub-TLVs for The Tunnel Encapsulation Attribute [TUNNEL-ENCAP<https://tools.ietf.org/html/draft-sajassi-bess-secure-evpn-03#ref-TUNNEL-ENCAP>]. These tunnel types correspond to ESP-Transport and ESP-in-UDP-Transport as described in section 4<https://tools.ietf.org/html/draft-sajassi-bess-secure-evpn-03#section-4>. The following sub-TLVs apply to both tunnel types unless stated otherwise. 1. Why are you specifying 2 new tunnel types? What makes these special? What in the use of the tunnel encapsulation draft does not support for the inner and outer tunnel requires you to specify a ESP-Transport and ESP-in-UDP-Transport? AS> We need to differentiate between underlay tunnel and overlay encap. For example, in PMSI tunnel attribute, tunnel type can be PIM-SM or PIM-SSM; whereas, overlay encap can be VxLAN, NVGRE, GENVE, etc. So, similarly here, the underlay tunnel can be ESP-Transport or ESP-in-UDP-Transport and the overlay can be any of the overlay encap. If you think the existing tunnel-encap can address both underlay and overlay, please indicate how. Sue2> One of my main concerns is the interoperability between tunnel-encaps and extensions to RFC6514. AS>> No interop is needed as explained above. tunnel-encaps provides both outer encapsulation [see section 3.3] and inner encapsulation [see section 3.2]. The only overlay thing in sajassi-s-evpn which tunnel-encaps which cannot be supported is GENVE. Reviewers of tunnel-encaps have requested why GENVE was not included. IDR requires 2 implementation of the code. If sajassi-s-evpn has an implementation with GENVE, then tunnel-encaps should include it in the base tunnel-encaps draft. I do not see a PIM-SM or PIM-SSM tunnel type in the following IANA table: https://www.iana.org/assignments/bgp-parameters/bgp-parameters.xhtml#tunnel-types’ I suspect you were meaning the tunnel type in PMSI tunnel attribute from RFC6514. Sajassi-s-evpn states in Section 6 This document defines two new Tunnel Types along with its associated sub-TLVs for The Tunnel Encapsulation Attribute [TUNNEL-ENCAP<https://tools.ietf.org/html/draft-sajassi-bess-secure-evpn-03#ref-TUNNEL-ENCAP>]. Is sajassi-s-evpn defining the tunnel types from tunnel-encaps or PMSI Tunnel types? Your IANA section does not specify a definition from: P-Multicast Service Interface Tunnel (PMSI Tunnel) Tunnel Types, but an extended community. https://www.iana.org/assignments/bgp-extended-communities/bgp-extended-communities.xhtml#evpn And in section 6. 1 When such encapsulation is used, for BGP signaling, the Tunnel Type of Tunnel Encapsulation TLV is set to ESP-Transport and the Tunnel Type of Encapsulation Extended Community is set to NVO encapsulation type (e.g., VxLAN, GENEVE, GPE, etc.). This implies that the customer packets are first encapsulated using NVO encapsulation type and then it is further encapsulated & encrypted using ESP-Transport mode. Which attribute are you setting the tunnel encapsulation type in? tunnel-encaps or PMSI tunnel attribute? What NVO encapsulation types are you specifying? What we lack is a clear definition of the interoperability between tunnel-encaps and RFC6514 in your draft. If you have another draft you are relying on to provide this interoperability between 2 BGP attributes, please let me know. 2. What IPSEC security information is unique to the EVPN solution that is not general? AS> They are general and not specific to EVPN. Sue2> Then we should have one draft that passes this information that works for all BGP cases. Then, this work belongs in IDR. Section 4 of draft-sajassi-bess-secure-evpn-03.txt describes the IPSEC DIM and security policies on in the following case: a) you need to send IPSEC information – via RR mesh b) you have policies that you want to use the [draft-carrell-ipsecme-controller-ike-00.txt] c) you want on demand re-keying d) “policy” – undefined on #a) there are multiple BGP IPsec proposal using the RR mesh AS> What is the question wrt this draft? Sue2> You answered the question above – nothing is special to sajassi-s-evpn due to IPsec Therefore, this work should take place in IDR. on #b) can you tell me what is unique about [draft-carrell-ipsecme-controller-ike-00.txt] AS> Again what is the specific question wrt this draft? What section/line of this draft is not clear? Sue2> What are the key features of [draft-carrell-ipsecme-controller-ike-00.txt] that sajassi-s-evpn depends on? I was trying to be polite – so let me be blunt. This draft has expired and it is not in the discussions for IPSECME. The Security folks had concerns about [draft-carrell-ipsecme-controller-ike-00.txt] asked you at 105. They asked why you are not using existing IPsec distribution techniques. The I2NSF WG has WG draft on SDN based IPsec Flow Protection (draft-ietf-i2nsf-sdn-ipsec-flow-protection-08.txt) and RFC8329 comments on interface to security functions. IMHO it does not seem to align with this 2 drafts, but I am not a security expert. You are specifying another draft which the security folks had serious concerns regarding and is not a WG Draft. It seems to specify the keying, the nonce mechanisms, the security policy data base, the security associations, and policy distribution. The draft reports to have looked at I2NSF and network controllers, but the IETF 105 review questioned both. So .. If your draft depends on draft-carrell-ipsecme-controller-ike-00.txt – I have grave concerns. What are the key elements you need from draft-carrell-ipsecme-controller-ike-00.txt? Can these be provided from existing IPSEC mechanisms. on #c) isn’t on-demand re-keying a desire to prevent DDOS that is a good feature for all IPsec? AS> Yes, re-keying is a requirement. Sue2> Good, then inserting this in BGP should be an IDR function. On #d) policy is normal for all IPsec AS> You can have min. set with no SA policy, you can have a single SA policy, or you can have a SA policy list. Sue2> We are aligned on the policy. Cheers, Ali Thank you, Sue
- [bess] Why are you specifying two new tunnel type… Susan Hares
- Re: [bess] Why are you specifying two new tunnel … Ali Sajassi (sajassi)
- Re: [bess] Why are you specifying two new tunnel … Susan Hares
- Re: [bess] Why are you specifying two new tunnel … Ali Sajassi (sajassi)