IETF Logo Mail Archive

Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?

Linda Dunbar <linda.dunbar@futurewei.com> Thu, 14 November 2019 11:47 UTC

Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 971A21200A4 for <bess@ietfa.amsl.com>; Thu, 14 Nov 2019 03:47:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.037
X-Spam-Level: **
X-Spam-Status: No, score=2.037 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SBL_CSS=3.335, SPF_NONE=0.001, URIBL_SBL=0.5, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fYTS64uk_gWN for <bess@ietfa.amsl.com>; Thu, 14 Nov 2019 03:47:43 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-eopbgr800129.outbound.protection.outlook.com [40.107.80.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF444120046 for <bess@ietf.org>; Thu, 14 Nov 2019 03:47:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YyX8mDpyykAV39GkUas7AGpVZs45TEE7fovaJgRHVWs19kcve6bJtRPqqsNCWrFP3wnyQzx2k5GYP0mSvyBVZ3vePL2wxPTlMgVkBqpMGOVNQjz3LCX5bq+C3rX0HVvBxMysZysvMaaCmGpHZ7+9zmunm68m4i9uamhO7/6iVZBKUwS8DEW/ru9biH0aQ5B1YGJeC62iY53EwNvcu79HlxnPOpsn7Q+olqez5mcg2R0FClaXzoizsfk2+daLYMs2ePfGVWDlp9AnWKA3aWxrKmxIYOa+HWrFTHF09vKoIj2AB+JL/GQja/o2eKcix8cRvTfzxGL/99kGQBR/kzk1tw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vH8Z6s0r6o33N1wSLY4C3d42SEa6YypuOZYnfNc4P1g=; b=IL4LlJjmr4l2GrxV5foDrU8e/ohnzxZ7Uj1qyj3UAZBIogEoJd8aaADVkVhOnt/vtNI+HR51mtus1/H30Q7I+m0/e3LWQlhR0b9J2Y/YIdNu+sXzzW6xFI/HRIhA/YLsBr0//9evvYERGNxx5sBeRE4TFA1nXMgITC8QHF7tv72UENoBRwaJV3WA7EFTypG9MhZBIu/UlKv4p/+6Tl2cQ1iUUicyHnxGdNHnclrYXoohu9y7pMsAVXf6rQeiTrfx3BP9IrrcKFEXJu6s1NEZAnWemqEtZo0nkAyvKbtAkgJDPrNdiXrNWcseNN6II4sXhxfobdpfI7HOHvQ17s9tnA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vH8Z6s0r6o33N1wSLY4C3d42SEa6YypuOZYnfNc4P1g=; b=ld1q2wvq3V46FZiZ+hTdczfJRlJOyKlcMKYPfo/t7iAw7KoJuwjOfnKW8GCvH+JXANWIPxcfq3k4jfi2Wj1s3rhMpPncqvoiudF25f8e6nuHQs3W4nZDhkKCq2T0PgUkFYAzDoEL5SLWhfNUwlgOvPMTFJSdGnqt1wBFcWb5TTA=
Received: from BN8PR13MB2628.namprd13.prod.outlook.com (20.178.219.10) by BN8PR13MB2820.namprd13.prod.outlook.com (20.178.221.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.8; Thu, 14 Nov 2019 11:47:38 +0000
Received: from BN8PR13MB2628.namprd13.prod.outlook.com ([fe80::cdcb:582a:8e76:9c17]) by BN8PR13MB2628.namprd13.prod.outlook.com ([fe80::cdcb:582a:8e76:9c17%3]) with mapi id 15.20.2451.023; Thu, 14 Nov 2019 11:47:37 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Gyan Mishra <hayabusagsm@gmail.com>
CC: Robert Raszuk <robert@raszuk.net>, "bess@ietf.org" <bess@ietf.org>
Thread-Topic: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?
Thread-Index: AdWTYJxA+BN8rE5sRpa1mjWPE2RXqgAEt16AACid20AAAgsOAAABv9iAAAKo7IAAAMN/AAFf5NQAADrCpQA=
Date: Thu, 14 Nov 2019 11:47:36 +0000
Message-ID: <BN8PR13MB2628A83ED52E9A3CBA0D55CD85710@BN8PR13MB2628.namprd13.prod.outlook.com>
References: <BN8PR13MB262842C35C9955B8B45FAF08A97F0@BN8PR13MB2628.namprd13.prod.outlook.com> <CAOj+MMFqQNt4g4g+x3K6fn9X0ruOirFGKcXMPcpAUxm7xvHFSw@mail.gmail.com> <BN8PR13MB262822A6F3231D44628ED474A97E0@BN8PR13MB2628.namprd13.prod.outlook.com> <CAOj+MMHfjEsieECKHV9kTHKTYVMrK4dqecu3-SkzEU39HrzHFg@mail.gmail.com> <BN8PR13MB26284A0D4C3566BFDE147723A97E0@BN8PR13MB2628.namprd13.prod.outlook.com> <CAOj+MMEk9bM1UB114j3=zpZpaB+U5sEpe_SmjZr6RMBZZ=FgqQ@mail.gmail.com> <BN8PR13MB262898DC4C28AB4FF0CC2B26A97E0@BN8PR13MB2628.namprd13.prod.outlook.com> <9540FBFB-D161-4C94-BFEB-383D64AA1950@gmail.com>
In-Reply-To: <9540FBFB-D161-4C94-BFEB-383D64AA1950@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=linda.dunbar@futurewei.com;
x-originating-ip: [150.129.58.210]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 68fc4b30-1ab7-4579-27ae-08d768f87253
x-ms-traffictypediagnostic: BN8PR13MB2820:
x-microsoft-antispam-prvs: <BN8PR13MB28203F32A5E6E3FD937863EC85710@BN8PR13MB2820.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02213C82F8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(39840400004)(366004)(376002)(346002)(136003)(396003)(199004)(189003)(11346002)(99286004)(33656002)(7736002)(733005)(71200400001)(71190400001)(1411001)(316002)(5660300002)(6436002)(74316002)(478600001)(52536014)(54906003)(25786009)(54896002)(86362001)(6306002)(55016002)(236005)(606006)(44832011)(66556008)(66446008)(6246003)(4326008)(66576008)(66476007)(64756008)(76116006)(66946007)(446003)(14444005)(256004)(966005)(476003)(14454004)(9686003)(76176011)(6506007)(8676002)(8936002)(3846002)(790700001)(6116002)(26005)(81156014)(81166006)(486006)(2906002)(102836004)(186003)(229853002)(7696005)(6916009)(53546011)(66066001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN8PR13MB2820; H:BN8PR13MB2628.namprd13.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: futurewei.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SBTlu18/ozjR0OJXGKCh7u9ztG+Ppgv/lvs5NFo5z2kyU6o6ytmrr1UJ424WLaTfzDRtHVKpA8/+KdJZ3BcO6kuIS9z0eSjZA4i8+5P9XQWfXV8vzgbeEnaUeVJDIMfX8BSAIBpm7f+FftyuvdIuC0dylF15qYtu07Q9tZxa2N1IXlSp2CbH4C5pKfu0ESU570HwM8eytv05jgjeZhFA+QNHMiI40monQ2Tt6ZYDfXJnxUWzbiHE+BFmfL5YC7N+Eq3Z6n29VksvO2Mgw7TrRe8bBUzdOx/n3cBpUcReFWMxs4qs0THbKb1LJ3fG2dePENkqsiS3XswCTiNBHO6ehwhmuL7uwzNKB91+kATlBrhY1avehlyZJLwL8JG+A2Jb+Tq7WpyXK2+eoILFTGNT2vRe7TmRyE5p4H0d2Uk5vaYr7Hxc9lv1jmaFTa27HMe3
x-ms-exchange-transport-forked: True
Content-Type: multipart/related; boundary="_005_BN8PR13MB2628A83ED52E9A3CBA0D55CD85710BN8PR13MB2628namp_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 68fc4b30-1ab7-4579-27ae-08d768f87253
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Nov 2019 11:47:37.2536 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TN1GqXE3UsMPXwm68LZOY7czANvytFdhHHeowA28fyjW4NKhANDxKULOAQpJtfskH2P2rUH2AvielzCyV/oTAw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR13MB2820
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/oji-1yJTpTl2LvehinsULT5Hnwg>
Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Nov 2019 11:47:47 -0000

Gyan,

Thank you very much for providing the examples. Yes, DMVPN or DSVPN has been used for SD-WAN. We used them too for network less than 100 nodes.
For routers that already have BGP protocol stack, it is easier to leverage the BGP UPDATE to propagate the information.

draft-bess-bgp-sdwan-usage is an informational draft showing how BGP is used for some SDWAN Scenarios. The purpose of the draft is to show to the industry IETF’s protocols work well. (p.s. DMVPN or DSVPN is not IETF standard, they both use vendors extended version of NHRP). Hope to discuss with you more.

For example,

[cid:image001.png@01D59AE2.28397C00]
[cid:image002.png@01D59AE2.28397C00]

Looking for more comments,

Linda


From: Gyan Mishra <hayabusagsm@gmail.com>
Sent: Wednesday, November 13, 2019 7:39 AM
To: Linda Dunbar <linda.dunbar@futurewei.com>
Cc: Robert Raszuk <robert@raszuk.net>; bess@ietf.org
Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?


Sorry to talk implementation on or off list but from a pure net-net vpn VTI tunnel mode perspective using DMVPN that scales pretty well to 100’s of user sites homing to a pair of mGRE DMVPN head ends which I have deployed.  I have not done any with over a 1000 on a pair but that’s a lot even for any mpls deployments I have worked with.  The IPSEC SA is all done with hardware encryption and so the scaling is very high for most all vendors the maximum number of IPSEC tunnels that can be hit.

I would say a similar analogy would be that most SP routers support 1M+ FIB entires per customer VRF on average per vendor which is way high and its rare that you have an L3 VPN that exceeds 1M routes.  These days the hardware far exceeds the possible use cases.

Gyan
Sent from my iPhone

On Nov 5, 2019, at 6:50 PM, Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>> wrote:
Robert,

Without getting into any implementation, are there any terrible problems of allowing IPsec tunnel as transport segment and each edge node forward packets destined to other nodes, as done by VRF. What issues do you see? (other than it is not IPsec tunnel per client interface/group)?

<image002.png>

Thanks, Linda

From: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Sent: Tuesday, November 05, 2019 5:21 PM
To: Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>>
Cc: bess@ietf.org<mailto:bess@ietf.org>
Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?

> it is tremendous amount of work.

Well I am afraid this is entering implementation space and not subject to any further debate on or off the list. Only note that IPSec is not the only payload encryption option at your disposal for quality SDWANs.

On Tue, Nov 5, 2019 at 11:07 PM Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>> wrote:
Robert,

It is not the FIB size, but the number of IPsec SA maintenance required at each edge node that makes it difficult to scale more than 100 nodes.
Each IPsec SA requires periodical key refreshment. For one node maintaining X number of IPsec SA, it is tremendous amount of work.

Linda

From: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Sent: Tuesday, November 05, 2019 3:15 PM
To: Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>>
Cc: bess@ietf.org<mailto:bess@ietf.org>
Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?

Linda,

The key message here is that in properly designed SDWAN your limit is capped by volume of data traffic required to be encrypted and supported by your platform. Number of overlay adjacencies does not matter.

It does not matter since the size of your FIB has orders of magnitude more capacity then any single SDWAN number of endpoints.

Best,
R,

On Tue, Nov 5, 2019 at 9:20 PM Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>> wrote:
Robert,

You said “It has been deployed and is fully operating with no concern of scalability for number of years at least from one vendor I am aware of.”

How many nodes of this deployment?

As you described: just two nodes might need 18 IPsec tunnels. How about 100 node SDWAN network? 100*99 * 18?

“So number of overlay pipes to be created in corresponding SDWAN data planes is 9 in each direction just over those *two* end points. 18 if you consider bidirectional traffic”

Linda

From: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Sent: Monday, November 04, 2019 6:54 PM
To: Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>>
Cc: bess@ietf.org<mailto:bess@ietf.org>
Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?

Hi Linda,

> Overlay, the multipoint to multipoint WAN is an overlay network. If using IPsec
> Point to Point tunnel, there would be N*(N-1) tunnels, which is too many to many.

Please observe that any to any encapsulated paths setup in good SDWAN is day one requirement. And that is not only any src/dst to any src/dst. It is actually from any source interface over any available underlay to any available remote interface of the destination.

Imagine if you have two end points each with three interfaces to the underlay. So number of overlay pipes to be created in corresponding SDWAN data planes is 9 in each direction just over those *two* end points. 18 if you consider bidirectional traffic.

Good SDWAN can build such state and not only that .. it can also run in continued fashion SLA probes over all possible paths between given src and destination. When data is sent over selected per application path it is then encrypted. It can even do much more ... it can perform SDWAN-TE treating some endpoints as transits :).

It has been deployed and is fully operating with no concern of scalability for number of years at least from one vendor I am aware of. So I question your observation and do believe that adding vrf based routing over well designed and correctly written SDWAN is of any scalability concern. As a matter of fact the implementation I am familiar with also has built in concept of VRFs too.

No it is not trivial - but clearly possible.

Best,
Robert.


On Mon, Nov 4, 2019 at 11:39 PM Linda Dunbar <ldunbar@futurewei.com<mailto:ldunbar@futurewei.com>> wrote:
In MEF SD-WAN Service Specification WG, there has been a lot of discussion on Application Flow Based Segmentation.
Application Flow based Segmentation refers to separating traffic based on business and security needs, e.g. having different topology for different traffic types or users/apps.
For example, retail business requires traffic from payment applications in all branches only go to the Payment Gateway in its HQ Data Centers, whereas other applications can be multi-point (in Cloud DC too).
Segmentation is a feature that can be provided or enabled for a single SDWAN service (or domain). Each Segment can have its own policy and topology.
In the figure below, the traffic from the Payment application (Red Dotted line) is along the Tree topology, whereas other traffic can be multipoint to multi point topology as in VRF.

<image001.jpg>


Segmentation is analogous to VLAN (in L2 network) and VRF (in L3 network). But unlike VRF where all the intermediate nodes can forward per VRF, in SDWAN Overlay, the multipoint to multipoint WAN is an overlay network. If using IPsec Point to Point tunnel, there would be N*(N-1) tunnels, which is too many to many.

Does anyone know an existing protocol that can handle the above scenario described in https://datatracker.ietf.org/doc/draft-dunbar-bess-bgp-sdwan-usage/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dunbar-bess-bgp-sdwan-usage%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Ce6f240b5eb394c85e7d408d767c987a1%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637091987588944891&sdata=M%2BhKQZ8H%2FNy09J20NUHBVZS3SpesHqljBvmyjKwYl1o%3D&reserved=0>


Thank you very much.

Linda Dunbar



_______________________________________________
BESS mailing list
BESS@ietf.org<mailto:BESS@ietf.org>
https://www.ietf.org/mailman/listinfo/bess<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fbess&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Ce6f240b5eb394c85e7d408d767c987a1%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637091987588944891&sdata=WxuxnuPEFnLT8hunSPvBs7CtHdU17Y0vs0svAG%2Fe6S0%3D&reserved=0>
_______________________________________________
BESS mailing list
BESS@ietf.org<mailto:BESS@ietf.org>
https://www.ietf.org/mailman/listinfo/bess<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fbess&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Ce6f240b5eb394c85e7d408d767c987a1%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637091987588954845&sdata=PSv7iiZCUHa2fufnVyKGcHYnXEfoCdOA2gOv%2Fs2t60k%3D&reserved=0>

v2.23.0 | Report a Bug | By Email