Re: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00

"Ali Sajassi (sajassi)" <sajassi@cisco.com> Sun, 04 November 2018 15:11 UTC

Return-Path: <sajassi@cisco.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E4C1130E13; Sun, 4 Nov 2018 07:11:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.969
X-Spam-Level:
X-Spam-Status: No, score=-14.969 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g22UTKL6jVGq; Sun, 4 Nov 2018 07:11:25 -0800 (PST)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6240E130DCF; Sun, 4 Nov 2018 07:11:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=21394; q=dns/txt; s=iport; t=1541344285; x=1542553885; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=Y9SPTD1LWIEPyGX1zHl2E7bIohAI4XFyS2fdq3ddcvk=; b=LmBI6Gnu4ZndFVFwRbnotv4VLLgoZauIgTOJ3OxAYwWD4FJXOnPkRbho PKRwWN8iF0W1Mac6t7ZqwyaOX/ZCN0idrEi0ZN1Yj23fj/2GJxndxeLaD sxO9QD5pvjttvO0f2n8jZbCJcJ4GEGFCmUIB3W19HGVNZioqk+Mzjzj5y Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AFAACzC99b/5tdJa1jGgEBAQEBAgEBAQEHAgEBAQGBUQUBAQEBCwGBDUgvZn8oCoNsiBiMFYINkVmFVIF6CwEBJYRHAheDJyI0DQ0BAwEBAgEBAm0cDIU6AQEBBCNmAgEIEQMBAQEkBAMCAgIwFAkIAgQBEhuDBgGBHWQPpymBLoQ/QIUQBYt2F4IAgREnH4IeLoMbAgMBgXQJFoJOMYImAo5ehiqJVlQJAoZsgySGfxiBVYgihmmNCIoXAhEUgSYdOIFVcBVlAYJBglCIS4U9AW+NDYEfAQE
X-IronPort-AV: E=Sophos;i="5.54,464,1534809600"; d="scan'208,217";a="473725417"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 Nov 2018 15:11:24 +0000
Received: from XCH-RTP-004.cisco.com (xch-rtp-004.cisco.com [64.101.220.144]) by rcdn-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id wA4FBNLl026617 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Sun, 4 Nov 2018 15:11:24 GMT
Received: from xch-rtp-005.cisco.com (64.101.220.145) by XCH-RTP-004.cisco.com (64.101.220.144) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sun, 4 Nov 2018 10:11:23 -0500
Received: from xch-rtp-005.cisco.com ([64.101.220.145]) by XCH-RTP-005.cisco.com ([64.101.220.145]) with mapi id 15.00.1395.000; Sun, 4 Nov 2018 10:11:23 -0500
From: "Ali Sajassi (sajassi)" <sajassi@cisco.com>
To: Linda Dunbar <linda.dunbar@huawei.com>, "idr@ietf.org" <idr@ietf.org>, "bess@ietf.org" <bess@ietf.org>
Thread-Topic: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00
Thread-Index: AQHUcNcrmdLiJU5oSUqEW64fomgVyKU/uwOQ///STYA=
Date: Sun, 04 Nov 2018 15:11:23 +0000
Message-ID: <C0F00736-4C5E-4EE2-A3BE-B1FF8BAC3C63@cisco.com>
References: <F7356C79-E6D1-4910-9929-0F0270CF1FA8@cisco.com> <4A95BA014132FF49AE685FAB4B9F17F66B1825E9@sjceml521-mbs.china.huawei.com>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B1825E9@sjceml521-mbs.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.3.181015
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.123.216]
Content-Type: multipart/alternative; boundary="_000_C0F007364C5E4EE2A3BEB1FF8BAC3C63ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.144, xch-rtp-004.cisco.com
X-Outbound-Node: rcdn-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/qJP3s19F-iltbOQBjO_SXjFn3YA>
Subject: Re: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2018 15:11:28 -0000

Linda,

You should read my draft again as it explains IPsec tunnels needed at different level of granularity and how this can be achieved with existing routes. The traffic does not get sent till the IPsec tunnel is established between a pair of endpoints and the draft specifies 6 different types of endpoints for different level of granularity – i.e., per PE, per tenant, per subnet, per IP, per MAC, and per AC.

Cheers,
Ali

From: Linda Dunbar <linda.dunbar@huawei.com>
Date: Sunday, November 4, 2018 at 7:00 AM
To: Cisco Employee <sajassi@cisco.com>, "idr@ietf.org" <idr@ietf.org>, "bess@ietf.org" <bess@ietf.org>
Subject: RE: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00

Ali,

Your draft-sajassi-bess-secure-evpn-00 defines two new Tunnel Types along with its associated sub-TLVs for The Tunnel Encapsulation Attribute [TUNNEL-ENCAP].

[Tunnel-Encap] cannot be effectively used for SD-WAN overlay network because a SD-WAN Tunnel needs to be established before data arrival. There is no routes to be associated with the SD-WAN Tunnel.

How do you address those issues?

Linda

From: Ali Sajassi (sajassi) [mailto:sajassi@cisco.com]
Sent: Wednesday, October 31, 2018 12:04 PM
To: Linda Dunbar <linda.dunbar@huawei.com>; idr@ietf.org; bess@ietf.org
Subject: Re: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00

Hi Linda,

I haven’t read your draft yet. I am traveling now but will plan to read your draft over next couple of days and respond to your questions.

Cheers,
Ali

From: BESS <bess-bounces@ietf.org<mailto:bess-bounces@ietf.org>> on behalf of Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>
Date: Tuesday, October 30, 2018 at 9:19 AM
To: "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>, "bess@ietf.org<mailto:bess@ietf.org>" <bess@ietf.org<mailto:bess@ietf.org>>
Subject: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00

IDR group, BESS group,

https://datatracker.ietf.org/doc/draft-dunbar-idr-bgp-sdwan-overlay-ext/ specifies a new BGP SAFI (=74) in order to advertise a SD-WAN edge node’s capabilities in establishing SD-WAN overlay tunnels with other SD-WAN nodes through third party untrusted networks.

draft-sajassi-bess-secure-evpn-00 describes an EVPN solution for PE nodes to exchange key and policy to create private pair-wise IPsec Security Associations without IKEv2 point-to-point signaling or any other direct peer-to-peer session establishment messages.

I think those two solutions are not conflicting with each other. Actually they are compliment to each other to some degree. For example,

  *   the Re-key mechanism described by draft-sajassi-bess-secure-evpn-00 can be utilized by draft-dunbar-idr-bgp-sdwan-overlay-ext
  *   The SD-WAN Overlay SAFI can be useful to simplify the process on RR to re-distribute the Tunnel End properties to authorized peers.
  *   When SD-WAN edge nodes use private address, or no IP address, NAT properties for the end points distribution described draft-dunbar-idr-bgp-sdwan-overlay-ext is necessary.
  *   The secure channel between SD-WAN edge nodes and RR described by draft-dunbar-idr-bgp-sdwan-overlay-ext is necessary.

Any thoughts?

Thank you very much.

Linda Dunbar