Re: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00

Linda Dunbar <linda.dunbar@huawei.com> Mon, 05 November 2018 06:23 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 516BA12EB11; Sun, 4 Nov 2018 22:23:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mvuVklt8MLgF; Sun, 4 Nov 2018 22:23:21 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A7CD12D4F1; Sun, 4 Nov 2018 22:23:21 -0800 (PST)
Received: from lhreml704-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 1F1511145E807; Mon, 5 Nov 2018 06:23:16 +0000 (GMT)
Received: from SJCEML702-CHM.china.huawei.com (10.208.112.38) by lhreml704-cah.china.huawei.com (10.201.108.45) with Microsoft SMTP Server (TLS) id 14.3.408.0; Mon, 5 Nov 2018 06:23:17 +0000
Received: from SJCEML521-MBS.china.huawei.com ([169.254.2.103]) by SJCEML702-CHM.china.huawei.com ([169.254.4.237]) with mapi id 14.03.0415.000; Sun, 4 Nov 2018 22:23:13 -0800
From: Linda Dunbar <linda.dunbar@huawei.com>
To: Robert Raszuk <robert@raszuk.net>
CC: "idr@ietf.org" <idr@ietf.org>, "bess@ietf.org" <bess@ietf.org>
Thread-Topic: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00
Thread-Index: AQHUdFQgIBfns3YXIUq4Lhb95FZuVqVAtJlQ
Date: Mon, 5 Nov 2018 06:23:12 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B182896@sjceml521-mbs.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B17F9DE@sjceml521-mbs.china.huawei.com> <CAOj+MMF+0NA9xHFAt__GkbwYL6_wfJqKy2Wi-qo5+iNJ=drajw@mail.gmail.com>
In-Reply-To: <CAOj+MMF+0NA9xHFAt__GkbwYL6_wfJqKy2Wi-qo5+iNJ=drajw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.126.170.67]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B182896sjceml521mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/vYvcqUiZhGC-bnijwX4Q27OQvBY>
Subject: Re: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 06:23:24 -0000

Robert:

Thank you very much for the feedback.
Responses to your suggestions are inserted below:

I have one comment to proposed encoding and one overall observation. *Comment: * Proposed "EncapsExt sub-TLV" defines as mandatory indication on NAT type. Possible values are: NAT Type.without NAT; 1:1 static NAT; Full Cone; Restricted Cone; Port Restricted Cone; or Symmetric. You very nicely listed all nat types except one: "unknown" :) Why - Let's notice that in the other part of the text you state that information of the NAT type may be obtained from STUN server "can inquire". So if use of STUN server is optional then there is possibility that there is none and end point would not know about the NAT type it is traversing.
[Linda] thank you for the suggestion. We can add this option.

. *Observation: * This seems to be yet one more time we see proposal of "let's ride on BGP as we need to exchange endpoint discovery data point to point in a realiable way". I see zero need in this proposal why BGP is required here as opposed to any piece of code which can deliver data between two or more endpoints. Seeing those proposals it puzzles me a lot why skype or hangout are not using BGP ... after all video or voice call setup does require exchange of endpoint data.


[Linda] you’re absolutely right about those overlay applications completely by-passing IETF using their proprietary protocols for end points to propagate their properties. Yes, there are many ways to propagate end points properties. BGP is just one way. For us, BGP is an easier way because our product base already have BGP. Just like address scheme: If we can start with a clean slate, we can have much better address schemes than IPv4 (yet, it took >20 years for IPv6 development, still not wide deployment yet).
There are some key differences: Skype and CDN overlay companies don’t have any intension to interoperate, but networking needs interoperability.

 Likewise another unknown mystery is why SMTP is not riding on BGP too ? Yes overall we are missing now pretty much every day a global distributed system to exchange endpoint data in a dynamic way. Before we proceed on this or any other similar BGP extension I would highly appreciate some discussion on why below alternatives or other new similar proposals can be used instead of BGP for the described applications.


 1. LISP mapping plane
[Linda] we don’t want the baggage of implementing the associated LISP features. Adding a new BGP SAFI is 1% of implementation burden of adding a new protocol.
 2. Products of IDentity Enabled Networks WG
[Linda] SDWAN Tunnels needs more than Identity. It needs to distribute IPSEC SA attributes, it needs to advertise SD-WAN related information.   If using ID entity, more changes are needed than BGP SAFI
3. DynamicDNS
[Linda] yeh dynamic DNS can be modified to replace entire BGP as well. But it will require much more implementation work. Will take years to mature.
4. Registry of Data on AWS etc...
[Linda] sure if AWS is interested in participating to make the needed changes. More work is needed to make AWS Data registry to communicate our existing BGP?


Linda


From: Robert Raszuk [mailto:robert@raszuk.net]
Sent: Sunday, November 04, 2018 10:36 PM
To: Linda Dunbar <linda.dunbar@huawei.com>
Cc: idr@ietf.org; bess@ietf.org
Subject: Re: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00

Hi Linda,

I have one comment to proposed encoding and one overall observation.

Comment:

Proposed "EncapsExt sub-TLV" defines as mandatory indication on NAT type. Possible values are:  NAT Type.without NAT; 1:1 static NAT; Full Cone; Restricted Cone; Port Restricted Cone; or Symmetric.

You very nicely listed all nat types except one: "unknown" :) Why - Let's notice that in the other part of the text you state that information of the NAT type may be obtained from STUN server "can inquire". So if use of STUN server is optional then there is possibility that there is none and end point would not know about the NAT type it is traversing.

Observation:

This seems to be yet one more time we see proposal of "let's ride on BGP as we need to exchange endpoint discovery data point to point in a realiable way". I see zero need in this proposal why BGP is required here as opposed to any piece of code which can deliver data between two or more endpoints.

Seeing those proposals it puzzles me a lot why skype or hangout are not using BGP ... after all video or voice call setup does require exchange of endpoint data. Likewise another unknown mystery is why SMTP is not riding on BGP too ?

Yes overall we are missing now pretty much every day a global distributed system to exchange endpoint data in a dynamic way.

Before we proceed on this or any other similar BGP extension I would highly appreciate some discussion on why below alternatives or other new similar proposals can be used instead of BGP for the described applications.

1. LISP mapping plane
2. Products of IDentity Enabled Networks WG
3. DynamicDNS
4. Registry of Data on AWS
etc...

Thx,
Robert.


On Tue, Oct 30, 2018 at 5:19 PM Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>> wrote:
IDR group, BESS group,

https://datatracker.ietf.org/doc/draft-dunbar-idr-bgp-sdwan-overlay-ext/ specifies a new BGP SAFI (=74) in order to advertise a SD-WAN edge node’s capabilities in establishing SD-WAN overlay tunnels with other SD-WAN nodes through third party untrusted networks.

draft-sajassi-bess-secure-evpn-00 describes an EVPN solution for PE nodes to exchange key and policy to create private pair-wise IPsec Security Associations without IKEv2 point-to-point signaling or any other direct peer-to-peer session establishment messages.

I think those two solutions are not conflicting with each other. Actually they are compliment to each other to some degree. For example,

-        the Re-key mechanism described by draft-sajassi-bess-secure-evpn-00 can be utilized by draft-dunbar-idr-bgp-sdwan-overlay-ext

-        The SD-WAN Overlay SAFI can be useful to simplify the process on RR to re-distribute the Tunnel End properties to authorized peers.

-        When SD-WAN edge nodes use private address, or no IP address, NAT properties for the end points distribution described draft-dunbar-idr-bgp-sdwan-overlay-ext is necessary.

-        The secure channel between SD-WAN edge nodes and RR described by draft-dunbar-idr-bgp-sdwan-overlay-ext is necessary.

Any thoughts?

Thank you very much.

Linda Dunbar
_______________________________________________
BESS mailing list
BESS@ietf.org<mailto:BESS@ietf.org>
https://www.ietf.org/mailman/listinfo/bess