IETF Logo Mail Archive

Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?

Gyan Mishra <hayabusagsm@gmail.com> Tue, 12 November 2019 23:39 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F1CE12011D for <bess@ietfa.amsl.com>; Tue, 12 Nov 2019 15:39:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.296
X-Spam-Level:
X-Spam-Status: No, score=-1.296 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_SBL=0.5, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iM3hm1zw1aWG for <bess@ietfa.amsl.com>; Tue, 12 Nov 2019 15:39:15 -0800 (PST)
Received: from mail-qk1-x72f.google.com (mail-qk1-x72f.google.com [IPv6:2607:f8b0:4864:20::72f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85F7B120044 for <bess@ietf.org>; Tue, 12 Nov 2019 15:39:15 -0800 (PST)
Received: by mail-qk1-x72f.google.com with SMTP id q70so107832qke.12 for <bess@ietf.org>; Tue, 12 Nov 2019 15:39:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=U0Ixz8jr4Zdook6nbKjWEZHLJysWysK0rgRTXUc2T8s=; b=P1LHk4WO/ICWEevWsqrgHSUkwRIZX2gtEWsq1mSWlhTRwz3CxW9ERn/EKdYL9ctGX3 IPtWln9+cMMC5hX4u0G9et5ZZye3TKo+ALsyxHi0CVQG5tOaeC7+ZnSD00kxPd9y8Fnm dOpBHh0oyuIFE8Pm/ERijTEsYM7qWm4FOPo9FcjXt462wvYXKkmeNo6l91+fiKQdwg/W QWmerQlfkWcI20ttyg6ERhK8OOb1MNKgrtqPMXn0Uaq0fk1P0yrqpLeHK0CzchBCYlnp Rq7IHxjZaXEEC484SH+IkbG2cEd5zG5lp+KDSrp6HbnnPtn7k1wzDLWeovr1INXe5u5L YlFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=U0Ixz8jr4Zdook6nbKjWEZHLJysWysK0rgRTXUc2T8s=; b=dupkYAEKIuzNYijaI14kAohEgLeAvHeXcO2Q29nGvUfgvI30TpPno9jZa4zxdbtGjT Lz3E1HZwmFXgcHdjY4k1ah+0ohMM65gcPlSskb+yCf51P/3amOgq8v2q3gZUFazh3UvW USC6XI+kE2fWSWa+BzxdS+FtAd6eLPteZfm3gVvsRuywKDj8An4ISzZh8CsfmI2PnVg7 Sv0ManJKZhZP1tg7qvb2B88w7Je9V1x5nMrbLMTBZb7sH0KYmZkWTscsnloX61bk0zoK 95aPRjTA1hMRfkHi8X7vrMPp/M5HP8NAhD30b+teJBEs7HewYUTRIBl7MVnnvo7VuwcW 29Nw==
X-Gm-Message-State: APjAAAXkdIEtFBArq9E3VNPPinO9ZmTUUSGXI3ZrebtlqawbB+IuiS2W tXImooQbduQMvyKVqM/yezEibqF0
X-Google-Smtp-Source: APXvYqzTmaSZTFOmb//ic7Q39npCb26x9Qi/oQv1tSdS9LJFLjJ1HnBXH+DO/NZENLdXBDUh2WPlYA==
X-Received: by 2002:a37:434d:: with SMTP id q74mr29673qka.187.1573601953465; Tue, 12 Nov 2019 15:39:13 -0800 (PST)
Received: from ?IPv6:2600:1003:b019:d4a0:6483:f3b3:889d:6325? ([2600:1003:b019:d4a0:6483:f3b3:889d:6325]) by smtp.gmail.com with ESMTPSA id c19sm229687qtb.30.2019.11.12.15.39.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Nov 2019 15:39:12 -0800 (PST)
From: Gyan Mishra <hayabusagsm@gmail.com>
X-Google-Original-From: Gyan Mishra <hayabusaGSM@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-842F9458-29DF-4E4A-80A7-AD4275225ED3"
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (16G102)
In-Reply-To: <BN8PR13MB262898DC4C28AB4FF0CC2B26A97E0@BN8PR13MB2628.namprd13.prod.outlook.com>
Date: Tue, 12 Nov 2019 18:39:10 -0500
Cc: Robert Raszuk <robert@raszuk.net>, "bess@ietf.org" <bess@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <9540FBFB-D161-4C94-BFEB-383D64AA1950@gmail.com>
References: <BN8PR13MB262842C35C9955B8B45FAF08A97F0@BN8PR13MB2628.namprd13.prod.outlook.com> <CAOj+MMFqQNt4g4g+x3K6fn9X0ruOirFGKcXMPcpAUxm7xvHFSw@mail.gmail.com> <BN8PR13MB262822A6F3231D44628ED474A97E0@BN8PR13MB2628.namprd13.prod.outlook.com> <CAOj+MMHfjEsieECKHV9kTHKTYVMrK4dqecu3-SkzEU39HrzHFg@mail.gmail.com> <BN8PR13MB26284A0D4C3566BFDE147723A97E0@BN8PR13MB2628.namprd13.prod.outlook.com> <CAOj+MMEk9bM1UB114j3=zpZpaB+U5sEpe_SmjZr6RMBZZ=FgqQ@mail.gmail.com> <BN8PR13MB262898DC4C28AB4FF0CC2B26A97E0@BN8PR13MB2628.namprd13.prod.outlook.com>
To: Linda Dunbar <ldunbar@futurewei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/yhhkkKgJtwpZBkw7AfAwJYaBg9Q>
Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2019 23:39:18 -0000

Sorry to talk implementation on or off list but from a pure net-net vpn VTI tunnel mode perspective using DMVPN that scales pretty well to 100’s of user sites homing to a pair of mGRE DMVPN head ends which I have deployed.  I have not done any with over a 1000 on a pair but that’s a lot even for any mpls deployments I have worked with.  The IPSEC SA is all done with hardware encryption and so the scaling is very high for most all vendors the maximum number of IPSEC tunnels that can be hit.

I would say a similar analogy would be that most SP routers support 1M+ FIB entires per customer VRF on average per vendor which is way high and its rare that you have an L3 VPN that exceeds 1M routes.  These days the hardware far exceeds the possible use cases.

Gyan

Sent from my iPhone

> On Nov 5, 2019, at 6:50 PM, Linda Dunbar <ldunbar@futurewei.com> wrote:
> 
> Robert,
>  
> Without getting into any implementation, are there any terrible problems of allowing IPsec tunnel as transport segment and each edge node forward packets destined to other nodes, as done by VRF. What issues do you see? (other than it is not IPsec tunnel per client interface/group)?
>  
> <image002.png>
>  
> Thanks, Linda
>  
> From: Robert Raszuk <robert@raszuk.net> 
> Sent: Tuesday, November 05, 2019 5:21 PM
> To: Linda Dunbar <ldunbar@futurewei.com>
> Cc: bess@ietf.org
> Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?
>  
> > it is tremendous amount of work.  
>  
> Well I am afraid this is entering implementation space and not subject to any further debate on or off the list. Only note that IPSec is not the only payload encryption option at your disposal for quality SDWANs.
>  
> On Tue, Nov 5, 2019 at 11:07 PM Linda Dunbar <ldunbar@futurewei.com> wrote:
> Robert,
>  
> It is not the FIB size, but the number of IPsec SA maintenance required at each edge node that makes it difficult to scale more than 100 nodes.
> Each IPsec SA requires periodical key refreshment. For one node maintaining X number of IPsec SA, it is tremendous amount of work.
>  
> Linda
>  
> From: Robert Raszuk <robert@raszuk.net> 
> Sent: Tuesday, November 05, 2019 3:15 PM
> To: Linda Dunbar <ldunbar@futurewei.com>
> Cc: bess@ietf.org
> Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?
>  
> Linda,
>  
> The key message here is that in properly designed SDWAN your limit is capped by volume of data traffic required to be encrypted and supported by your platform. Number of overlay adjacencies does not matter. 
>  
> It does not matter since the size of your FIB has orders of magnitude more capacity then any single SDWAN number of endpoints. 
>  
> Best,
> R,
>  
> On Tue, Nov 5, 2019 at 9:20 PM Linda Dunbar <ldunbar@futurewei.com> wrote:
> Robert,
>  
> You said “It has been deployed and is fully operating with no concern of scalability for number of years at least from one vendor I am aware of.”
>  
> How many nodes of this deployment?
>  
> As you described: just two nodes might need 18 IPsec tunnels. How about 100 node SDWAN network? 100*99 * 18?
>  
> “So number of overlay pipes to be created in corresponding SDWAN data planes is 9 in each direction just over those *two* end points. 18 if you consider bidirectional traffic”
>  
> Linda
>  
> From: Robert Raszuk <robert@raszuk.net> 
> Sent: Monday, November 04, 2019 6:54 PM
> To: Linda Dunbar <ldunbar@futurewei.com>
> Cc: bess@ietf.org
> Subject: Re: [bess] Any protocols suitable for Application Flow Based Segmentation in draft-bess-bgp-sdwan-usage-3?
>  
> Hi Linda,
>  
> > Overlay, the multipoint to multipoint WAN is an overlay network. If using IPsec 
> > Point to Point tunnel, there would be N*(N-1) tunnels, which is too many to many.  
>  
> Please observe that any to any encapsulated paths setup in good SDWAN is day one requirement. And that is not only any src/dst to any src/dst. It is actually from any source interface over any available underlay to any available remote interface of the destination. 
>  
> Imagine if you have two end points each with three interfaces to the underlay. So number of overlay pipes to be created in corresponding SDWAN data planes is 9 in each direction just over those *two* end points. 18 if you consider bidirectional traffic. 
>  
> Good SDWAN can build such state and not only that .. it can also run in continued fashion SLA probes over all possible paths between given src and destination. When data is sent over selected per application path it is then encrypted. It can even do much more ... it can perform SDWAN-TE treating some endpoints as transits :).  
>  
> It has been deployed and is fully operating with no concern of scalability for number of years at least from one vendor I am aware of. So I question your observation and do believe that adding vrf based routing over well designed and correctly written SDWAN is of any scalability concern. As a matter of fact the implementation I am familiar with also has built in concept of VRFs too. 
>  
> No it is not trivial - but clearly possible. 
>  
> Best,
> Robert. 
>  
>  
> On Mon, Nov 4, 2019 at 11:39 PM Linda Dunbar <ldunbar@futurewei.com> wrote:
> In MEF SD-WAN Service Specification WG, there has been a lot of discussion on Application Flow Based Segmentation.
> Application Flow based Segmentation refers to separating traffic based on business and security needs, e.g. having different topology for different traffic types or users/apps.
> For example, retail business requires traffic from payment applications in all branches only go to the Payment Gateway in its HQ Data Centers, whereas other applications can be multi-point (in Cloud DC too).
> Segmentation is a feature that can be provided or enabled for a single SDWAN service (or domain). Each Segment can have its own policy and topology. 
> In the figure below, the traffic from the Payment application (Red Dotted line) is along the Tree topology, whereas other traffic can be multipoint to multi point topology as in VRF.
>  
> <image001.jpg>
>  
>  
> Segmentation is analogous to VLAN (in L2 network) and VRF (in L3 network). But unlike VRF where all the intermediate nodes can forward per VRF, in SDWAN Overlay, the multipoint to multipoint WAN is an overlay network. If using IPsec Point to Point tunnel, there would be N*(N-1) tunnels, which is too many to many.
>  
> Does anyone know an existing protocol that can handle the above scenario described in https://datatracker.ietf.org/doc/draft-dunbar-bess-bgp-sdwan-usage/
>  
>  
> Thank you very much.
>  
> Linda Dunbar
>  
>  
>  
> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess
> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess

v2.23.0 | Report a Bug | By Email