IETF Logo Mail Archive

[Idr] draft-hujun-idr-bgp-ipsec

Robert Raszuk <robert@raszuk.net> Fri, 08 March 2019 20:49 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B9A01274A1 for <idr@ietfa.amsl.com>; Fri, 8 Mar 2019 12:49:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g-eCjJlFoE7z for <idr@ietfa.amsl.com>; Fri, 8 Mar 2019 12:49:13 -0800 (PST)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74BF3126DFA for <idr@ietf.org>; Fri, 8 Mar 2019 12:49:13 -0800 (PST)
Received: by mail-qt1-x82f.google.com with SMTP id i14so675012qtp.6 for <idr@ietf.org>; Fri, 08 Mar 2019 12:49:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:from:date:message-id:subject:to:cc; bh=jyxUtSfDD6CeqI5m/NQGirmQY5cUpZrfCZrpqyy7X2U=; b=N/Q/+ENYMbRbYjNds3ifboP0uqbeWczdRO4be2429+78S8yREZEIqaUtzUQjvlw5gs nZgeawNq57XBMI4vqsrq16w+WhgIIVxFx8GTDJnxz9S4nPS2IvJrYbW6zOXwWJqiFPxf ckP2xQwYtnBxKIKsls3TZaYVd4B0ui/ysJQSO74jyZsAUbvOzyEBezeezvIJBpCjqJ43 cWl/k9P5tbX6kqhiOHNsAdyl0gbzxuaoDgO7YHDecjZr+4G1IVO+NkAwDekZi6DRafte h73dpon2GUHyUcXc/jjqMTw315t14ykH9Jr33Fnh0gDiTnisOzawFUklncUR9RXiihcz ZmXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=jyxUtSfDD6CeqI5m/NQGirmQY5cUpZrfCZrpqyy7X2U=; b=Dw5AIpq/f2sREUwYNiEqrqJrhvTqjU8HzfZzjeNvy6mTPsHE9LGy1FSuUNG+Ta4Y68 24e2n4a/RTimlgQ38fngj8LoPznMC4ZD7pYnCMj7UwgkPIKpIVCnZnR6nXlPqMAbr9RG 0SYA/cZ20qHlIYXqeo6yG2RGLlQ/bLqNhx8HqfnMVfJKi4SysmvZWEjehsXTY0alEYzK s+x+U+Qy9n/riYahNhoMtVBzqnK5SyHQn50V+/qbNti7QpVhh1Fotz/v0efLWgXUiwRA dbThIMVBLPZX19wkfRUVhyLHxzzLXAgMcs2GvX+Kk2kMIqfCAN3FUls57LvR7THwCQND 87zw==
X-Gm-Message-State: APjAAAWVxAURMa/iJbrTneTtumcRDHa984T0mRTnqo4s3KJ+5IGFZxyM bHrXdJlQVncl4AJhenyyffMsZPFinlUFNH/bHDWvPA==
X-Google-Smtp-Source: APXvYqx183IaRjHxYXYfZGNAo+/GHpIOCPqc4OZ0clIsSkViBo5X3TquN2SeG3VNKslYaInCnehkM+zo/1WxPdhF52w=
X-Received: by 2002:ad4:51c6:: with SMTP id p6mr59900qvq.174.1552078152535; Fri, 08 Mar 2019 12:49:12 -0800 (PST)
MIME-Version: 1.0
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 08 Mar 2019 21:49:02 +0100
Message-ID: <CAOj+MMGYYO-0CmnGeXMfRo+VnVV0pYdyrR-ds56mqoRoLsh8Ew@mail.gmail.com>
To: jun.hu@nokia.com
Cc: "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f22c0e05839b5adf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/11LWBsNNljqrIkJT786qoueSr8s>
Subject: [Idr] draft-hujun-idr-bgp-ipsec
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 20:49:15 -0000

Hi,

I have read your proposal and have one question.

The proposed encoding of additional sub-TLVs define local and remote
prefixes as traffic selectors. Looks great in your example of two end
points only. But introduction talks about scale so let's consider scale
factor.

Assume you have 500 routers in the domain.

When you advertise subnet B or C from R2 now you need to include in
mandatory Remote prefix sub-TLV 500 ingress prefixes as for each subnet
advertised you can only send it once in BGP. Then each ingress PE receiving
this huge list would need now to store all 500 ingress ACLs (mappings to
IPSec tunnels) where in fact perhaps realistically only one or two ingress
traffic subnets may ever be traversing via given edge router.

And 500 is just following your example where ingress prefixes are directly
attached to ingress router (subnet A to R1). There can be valid mapping
cases where such sources are not directly attached.

This really does not look at all efficient and is prone to generate a lot
of unnecessary state directly proportional to network size or expected
incoming src prefix number.

If you really would like to use p2mp protocol for this configuration push I
would recommend to leave the current Tunnel Encapsulation Attribute
unchanged and simply propose to define a new SAFI with proper NLRI syntax
that it is precisely efficient to the very application you describe.

Effectively what you are proposing is to carry in BGP src+dst based mapping
to IPSec tunnel deeply embedding this into sub-TLVs of tunnel encapsulation
attribute.

In principle I agree that we do see more and more use cases for src+dst
based IP lookups both for native forwarding and with some form of
encapsulation but the proposed nested and not efficient encoding IMO
requires to be modified to work well in the assumed large scale.

Thx a lot,
R.

v2.23.0 | Report a Bug | By Email