IETF Logo Mail Archive

Re: [Idr] draft-hujun-idr-bgp-ipsec

"Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com> Mon, 11 March 2019 18:09 UTC

Return-Path: <jun.hu@nokia.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B7C3130EA6 for <idr@ietfa.amsl.com>; Mon, 11 Mar 2019 11:09:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6oqtnH1Cjkbc for <idr@ietfa.amsl.com>; Mon, 11 Mar 2019 11:09:36 -0700 (PDT)
Received: from FRA01-PR2-obe.outbound.protection.outlook.com (mail-eopbgr120111.outbound.protection.outlook.com [40.107.12.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3958124BF6 for <idr@ietf.org>; Mon, 11 Mar 2019 11:09:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mf/OnOgs1Ai6vyXmQab28QZmnMxZfVeLysYH+7nqpX8=; b=Z3M+PkAjkHvseRNlcmh4QAgUSskRZ03/bljdCiLHMDqqy+sffekRSZEv78Znw8neSu1w7ucjUUlMX0kPzodPklTGTYZwDmaBDy6yq1L02EScMe/24ZTi0J0lV+0fULj8siFmRXGaKdv+ZGqG1aodh0tjYIVx3UJ5KCU+kRbrc3I=
Received: from PR1PR07MB5755.eurprd07.prod.outlook.com (20.177.210.161) by PR1PR07MB4889.eurprd07.prod.outlook.com (20.177.211.220) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.12; Mon, 11 Mar 2019 18:09:32 +0000
Received: from PR1PR07MB5755.eurprd07.prod.outlook.com ([fe80::293b:c200:5556:d61e]) by PR1PR07MB5755.eurprd07.prod.outlook.com ([fe80::293b:c200:5556:d61e%4]) with mapi id 15.20.1709.011; Mon, 11 Mar 2019 18:09:32 +0000
From: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
To: Robert Raszuk <robert@raszuk.net>
CC: "idr@ietf. org" <idr@ietf.org>
Thread-Topic: draft-hujun-idr-bgp-ipsec
Thread-Index: AQHU1fBkv1yiyD9z+USgDZ8cdYsTSaYCPEuggAAThQCAAARe0IAACpIAgAB5eSCAAH5mAIAAoC1A
Date: Mon, 11 Mar 2019 18:09:32 +0000
Message-ID: <PR1PR07MB57556079D28F0B302AF4EB1B95480@PR1PR07MB5755.eurprd07.prod.outlook.com>
References: <CAOj+MMGYYO-0CmnGeXMfRo+VnVV0pYdyrR-ds56mqoRoLsh8Ew@mail.gmail.com> <PR1PR07MB5755FF20AC4C0309ED2B170D954D0@PR1PR07MB5755.eurprd07.prod.outlook.com> <CAOj+MMGmqx5+p4ZyjaKpQ-2+83kFBqUmT6XvnwHNnd9-0K735Q@mail.gmail.com> <PR1PR07MB57559863F4ABDF1C509B2EAE954D0@PR1PR07MB5755.eurprd07.prod.outlook.com> <CAOj+MME-wJVFZGVXXH9aVoPKy59TxGjLAGvB10S9P4sLtZoLwA@mail.gmail.com> <PR1PR07MB575593E68668F618C42AABBE954E0@PR1PR07MB5755.eurprd07.prod.outlook.com> <CAOj+MMHpqdmLG7c5oj0KmELLhqrEmoKTKDTHPeGx9Gw13BQ1Gw@mail.gmail.com>
In-Reply-To: <CAOj+MMHpqdmLG7c5oj0KmELLhqrEmoKTKDTHPeGx9Gw13BQ1Gw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jun.hu@nokia.com;
x-originating-ip: [135.245.20.0]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0635371f-b4ba-463f-34cb-08d6a64cb659
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:PR1PR07MB4889;
x-ms-traffictypediagnostic: PR1PR07MB4889:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <PR1PR07MB48894470493C5EEB63F17A4B95480@PR1PR07MB4889.eurprd07.prod.outlook.com>
x-forefront-prvs: 09730BD177
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(366004)(39860400002)(136003)(396003)(51444003)(189003)(199004)(7736002)(6436002)(74316002)(186003)(8676002)(81156014)(81166006)(33656002)(561944003)(55016002)(9686003)(53936002)(5660300002)(6306002)(8936002)(52536013)(54896002)(6246003)(6506007)(476003)(316002)(14454004)(53946003)(53546011)(25786009)(11346002)(446003)(86362001)(102836004)(4326008)(5070765005)(26005)(486006)(236005)(478600001)(256004)(93886005)(14444005)(5024004)(68736007)(76176011)(2906002)(66574012)(229853002)(99286004)(106356001)(6116002)(3846002)(790700001)(105586002)(71190400001)(7696005)(71200400001)(66066001)(606006)(97736004)(6916009)(7756004)(579004); DIR:OUT; SFP:1102; SCL:1; SRVR:PR1PR07MB4889; H:PR1PR07MB5755.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: mCsG34VTbF2f+/f6ZQv/74DsSKMv6v0BHaSPgV+sVsTuAfWsp5CvwjlnjLgUrpah4qcUekxtC7kTDkebrJ5ZNxOEsUU3/h6lhiC9wGIxkufaT8ruTh+J9KMiBEiWpbdNxpWEWLkHotJQyNG43ZUsIO72kapEV1d/Sw85c3/eJGnxx8E1nYrWvxDChMhKWgstIct0KNYNNpgzo3qBCpldRJxsHydrMZ2cMnmw6AatkluwBJSL3/fEuANs56oGFjEENjrlhUDcjnNXqvug8fysSjaYm0XRS+03MHDeJFDncd4weKsbu5cOwrGlXs+dj4bPEflNQ6Sqvc3yu24AooT4T05bR6moRLrUnCdIoLhZ0fNq57a5c0jsCT26ZMwvFFbl3NZaQXWM0I3Q/dKkAKX7CMlDeM8zaeun+sS+EiNLEJw=
Content-Type: multipart/alternative; boundary="_000_PR1PR07MB57556079D28F0B302AF4EB1B95480PR1PR07MB5755eurp_"
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0635371f-b4ba-463f-34cb-08d6a64cb659
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2019 18:09:32.5197 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR1PR07MB4889
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/3Lu02QS-l_3g47rt5Gy5RIo3hxc>
Subject: Re: [Idr] draft-hujun-idr-bgp-ipsec
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2019 18:09:40 -0000

Agree on changing " Tunnel Encapsulation Attribute for IPsec" to “IPsec TLV” to make it more clear;
But my draft is more than just src/dst prefix mapping to IPsec tunnel, it is to advertise the IPsec configs, the local/remote-prefix sub-TLV are the traffic selector of an IPsec CHILD SA, the color sub-TLV signal the a set of IPsec configurations (typically you only need a few different sets in a network) like transform alg, SA lifetime, DPD settings, PFS …; and optional public routing instance (where ESP/IKE packet is forwarded in)

and I assume the three BGP updates in your example is similar to what described in section 7 (Recursive Next Hop Resolution) of draft-ietf-idr-tunnel-encaps, and the only difference is the all three updates come from same router in your example?

If above understanding is true, I see following problems:

  *   Without remote prefix sub-TLV, there is no way to use different IPsec tunnel config for different source address prefix
  *   Without local prefix sub-TLV (and remote sub-TLV), there is no way to aggregate traffic into a small number of IPsec CHILD SA, or in other words sharing CHILD SA; because local/remote prefix are essentially the traffic selector of the CHILD SA, you could for example using ANY/ANY as local/remote prefix sub-TLV, which could cause traffic between a given pair of router sharing a single CHILD SA; this will greatly decrease the number of CHILD SA needed
  *   It needs additional updates (lo0)

Maybe it is easier to have a f2f discussion during the IETF meeting

From: Robert Raszuk <robert@raszuk.net>
Sent: Saturday, March 9, 2019 6:06 AM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>
Cc: idr@ietf. org <idr@ietf.org>
Subject: Re: draft-hujun-idr-bgp-ipsec

Hi,

I see what the intention was, but the current draft does not reflect it well.

You should change all occurrences of: " Tunnel Encapsulation Attribute for IPsec" or "IPsec tunnel encapsulation attribute"
to "IPsec TLV" as there is no such thing like "IPSec tunnel encapsulation attribute" in [I-D.ietf-idr-tunnel-encaps].

But this proposal really defines mapping to IPSec tunnel (based on source & destination prefix and optionally its context) and not really how the IPSec tunnel would be established or what such encapsulation parameters would be.

Context via a list of RTs and remote address prefixes are already indirectly supported today as color of tunnel would match color of extended communities attached to a dst routes so remote addresses for mapping packets within a specific context would be easily achieved today. IMO use of color reference should be preffered solution instead of re-defining a different way to accomplished the same here verbatim.

Mapping based on src prefix perhaps indeed is missing - but I will leave it to WG in general what is the plan to handle src+dst mapping in [I-D.ietf-idr-tunnel-encaps].

In your specific example to achieve the required mapping the encoding would be following:

BGP UPDATE 1 - NLRI lo0
Tunnel Encapsulation Attribute:
      IPsec TLV-1
              - Remote Endpoint 1 sub-tlv
              - color A sub-tlv
       IPsec TLV-2
              - Remote Endpoint 2 sub-tlv
              - color B sub-tlv

BGP UPDATE 2 - NLRI Prefix A
Encapsulation Extended Community
         Color A

BGP UPDATE 3 - NLRI Prefix B
Encapsulation Extended Community
         Color B

Thx,
R.







Thx,
R.


On Sat, Mar 9, 2019 at 7:49 AM Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>> wrote:
Maybe the text in my draft needs to be more clear, but my draft is referencing  [I-D.ietf-idr-tunnel-encaps] ; Yes, according to section 1.4 of [I-D.ietf-idr-tunnel-encaps], IPsec tunnel is out of its scope, that’s why my draft says it extends [I-D.ietf-idr-tunnel-encaps] to support IPsec tunnel;

So when I say “the BGP update of NLRI prefix C need to include a Tunnel Encap attr, which include two IPsec TLVs…”, it means the BGP update include a Tunnel Encap attr as specified in section-2 of [I-D.ietf-idr-tunnel-encaps], and this Tunnel Encap attr include two TLVs:

  *   TLV-1: Tunnel Type is 4 (I propose to reuse 4 for IPsec tunnel), TLV-1 contains following sub-TLV:

     *   Remote Endpoint (as specified in section 3.1 of [I-D.ietf-idr-tunnel-encaps]) : local IPsec tunnel endpoint address of advertising router
     *   remote-prefix : pA
     *   color (as specified in 3.4.2 of [I-D.ietf-idr-tunnel-encaps], but has new semantics for IPsec): A

  *   TLV-2: Tunnel Type is 4 , TLV-2 contains following sub-TLV:

     *   Remote Endpoint: local IPsec tunnel endpoint address of advertising router
     *   remote-prefix: pB
     *   color: B

hope this make things clearer

From: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Sent: Friday, March 8, 2019 3:19 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>>
Cc: idr@ietf. org <idr@ietf.org<mailto:idr@ietf.org>>
Subject: Re: draft-hujun-idr-bgp-ipsec

Hi,

I think that the references are a bit wrong. And the confusion may be not even your own fault,
but IETF process related.

I was looking for type 4 tunnel type in your normative reference but there is none.


[I-D.ietf-idr-tunnel-encaps]

              Rosen, E., Patel, K., and G. Velde, "The BGP Tunnel

              Encapsulation Attribute", draft-ietf-idr-tunnel-encaps-11<https://tools.ietf.org/html/draft-ietf-idr-tunnel-encaps-11>

              (work in progress), February 2019.



The reference your text may be referring to is perhaps RFC5566 instead

since this is where type 4 for IPSec in Tunnel mode was defined. Different document.



Unfortunately 5566 relied on 5512 which is obsoleted now. And we never

concluded how any references to 5566 should be now handled.



1.4<https://tools.ietf.org/html/draft-ietf-idr-tunnel-encaps-11#section-1.4>.  Impact on RFC 5566<https://tools.ietf.org/html/rfc5566>





   [RFC5566] uses the mechanisms defined in [RFC5512<https://tools.ietf.org/html/rfc5512>].  While this

   document obsoletes [RFC5512<https://tools.ietf.org/html/rfc5512>], it does not address the issue of how to

   use the mechanisms of [RFC5566<https://tools.ietf.org/html/rfc5566>] without also using the Encapsulation

   SAFI.  Those issues are considered to be outside the scope of this

   document.



And [I-D.ietf-idr-tunnel-encaps] does not define anything for IPSec.



So bottom line based on the current definition of Tunnel Encapsulation

Attribute I am not sure where and how you want to provide the defined

herein extensions.



Therefor it is now hard to comment on encoding specifics of provided examples

for two IPSec tunnel signalling options till normative references are sorted out.



Thx,

RR.



On Fri, Mar 8, 2019 at 11:48 PM Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>> wrote:
I agree that making remote prefix sub-TLV optional and absence of it means ANY is a better idea, will update the draft and example in it;

To address use case in your email, the BGP update of NLRI prefix C need to include a Tunnel Encap attr, which include two IPsec TLVs:

  *   IPsec TLV-1: include remote-prefix sub-TLV pA and color sub TLV A
  *   IPsec TLV-2: include remote-prefix sub-TLV pB and color sub TLV B



From: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Sent: Friday, March 8, 2019 2:26 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>>
Cc: idr@ietf. org <idr@ietf.org<mailto:idr@ietf.org>>
Subject: Re: draft-hujun-idr-bgp-ipsec


Ok that was not very clear from the draft. While your explanation is good - there may be folks who will try to include all remote prefixes as this sub-TLV is mandatory. I guess if instead of all zero's you make it also optional the room for bad encoding becomes smaller.

But let's assume that you have two different IPSec encapsulation requirements A & B for the same local prefix C and two different remote prefixes pA & pB.

How would you encode it in the single update msg ?

Thx,
R.

On Fri, Mar 8, 2019 at 10:31 PM Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>> wrote:
Thanks for reviewing the draft;
In your example (500 routers), R2 doesn’t necessary need to advertise 500 remote prefixes because if R2 doesn’t have 500 different types IPsec encapsulation requirements for the NLRI, what it could do it just include a single all-zero remote prefix, means traffic from any source destined to this NLRI should use this particular IPsec tunnel encapsulation config;  and I would expect using all-zero remote prefix would be the common use case;

From: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Sent: Friday, March 8, 2019 12:49 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>>
Cc: idr@ietf. org <idr@ietf.org<mailto:idr@ietf.org>>
Subject: draft-hujun-idr-bgp-ipsec

Hi,

I have read your proposal and have one question.

The proposed encoding of additional sub-TLVs define local and remote prefixes as traffic selectors. Looks great in your example of two end points only. But introduction talks about scale so let's consider scale factor.

Assume you have 500 routers in the domain.

When you advertise subnet B or C from R2 now you need to include in mandatory Remote prefix sub-TLV 500 ingress prefixes as for each subnet advertised you can only send it once in BGP. Then each ingress PE receiving this huge list would need now to store all 500 ingress ACLs (mappings to IPSec tunnels) where in fact perhaps realistically only one or two ingress traffic subnets may ever be traversing via given edge router.

And 500 is just following your example where ingress prefixes are directly attached to ingress router (subnet A to R1). There can be valid mapping cases where such sources are not directly attached.

This really does not look at all efficient and is prone to generate a lot of unnecessary state directly proportional to network size or expected incoming src prefix number.

If you really would like to use p2mp protocol for this configuration push I would recommend to leave the current Tunnel Encapsulation Attribute unchanged and simply propose to define a new SAFI with proper NLRI syntax that it is precisely efficient to the very application you describe.

Effectively what you are proposing is to carry in BGP src+dst based mapping to IPSec tunnel deeply embedding this into sub-TLVs of tunnel encapsulation attribute.

In principle I agree that we do see more and more use cases for src+dst based IP lookups both for native forwarding and with some form of encapsulation but the proposed nested and not efficient encoding IMO requires to be modified to work well in the assumed large scale.

Thx a lot,
R.

v2.23.0 | Report a Bug | By Email