Re: [bess] comments and suggestions to draft-rosen-bess-secure-l3vpn-01

Ron Bonica <rbonica@juniper.net> Fri, 06 July 2018 18:24 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/LvojG7stR1EhPIZen62oUYCCrKM>

Hi Linda,

I'm not sure that I understand what you mean when you say, "aggregate CPE-based VPN routes with internet routes that interconnect the CPEs". Could you elaborate?

Ron


From: Linda Dunbar <linda.dunbar@huawei.com>
Sent: Thursday, July 5, 2018 11:53 AM
To: Eric Rosen <erosen@juniper.net>; Ron Bonica <rbonica@juniper.net>; bess@ietf.org
Subject: comments and suggestions to draft-rosen-bess-secure-l3vpn-01

Eric and Ron,

We think that the method described in your draft is useful for CPE-based EVPN, especially for SD-WAN between CPEs.
But it misses some aspects needed to aggregate CPE-based VPN routes with internet routes that interconnect the CPEs.

Question to you: Would you like to expand your draft to cover the scenario of aggregating CPE-based VPN routes with internet routes that interconnect the CPEs?

If yes, we think the following areas are needed:

* For RR communication with CPE, this draft only mentions IPsec. Are there any reasons that TLS/DTLS are not added?

* The draft assumes that the C-PE "registers" with the RR. But it doesn't say how. Should "NHRP" (a modified version) be considered?

* It assumes that C-PE and RR are connected by an IPsec tunnel. With zero-touch provisioning, we need an automatic way to synchronize the IPsec SA between C-PE and RR. The draft assumes:

    A C-PE must also be provisioned with whatever additional information is needed in order to set up an IPsec SA with each of the red RRs

* IPsec requires periodic refreshment of the keys. How to synchronize the refreshment among multiple nodes?

* IPsec usually only sends configuration parameters to two end points and lets the two end points negotiate the key. Now we assume that the RR is responsible for creating the key for all end points. When one end point is confiscated, all other connections are impacted.

If you are open to expanding your draft to cover SD-WAN, we can help by providing the sections that address the bullets mentioned above.

We have a draft analyzing the technological gaps when using SD-WAN to interconnect workloads & apps hosted in various locations: https://datatracker.ietf.org/doc/draft-dm-net2cloud-gap-analysis/
We would appreciate your comments and suggestions on our gap analysis.


Thanks, Linda Dunbar