Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?

Robert Raszuk <robert@raszuk.net> Mon, 09 July 2018 21:09 UTC

In-Reply-To: <E2217125-5BAB-4C85-9FF4-4A89B454214C@gmail.com>
References: <78D707C9-6DC2-459F-81E4-A53B46F1F019@gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B0A8BCC@sjceml521-mbs.china.huawei.com> <DF0D0CFA-AFCA-44FF-ADD8-BE6EDC51AFEA@gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B0A8BEF@sjceml521-mbs.china.huawei.com> <CA+b+ERmENsva=5ZT_4x8+NaokXCpBEN+LTU0xwhN_W4cvmOsqQ@mail.gmail.com> <E2217125-5BAB-4C85-9FF4-4A89B454214C@gmail.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Mon, 09 Jul 2018 23:09:00 +0200
Message-ID: <CA+b+ER=4H5hEcG-sW78B1Q=n8k7gyj1xfhT9baNBkonVaN7+wQ@mail.gmail.com>
To: Jeff Tantsura <jefftant.ietf@gmail.com>
Cc: Linda Dunbar <linda.dunbar@huawei.com>, Eric C Rosen <erosen@juniper.net>, "idr@ietf.org" <idr@ietf.org>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/1i_Lp6NjTvq_QZ3uTGvuCp8AcJM>
Subject: Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?

Hey Jeff,

You know I have been saying lately that using BGP (aka KSP) is a bad idea if we use
it to distribute p2p information. However, here the information is really
p2mp (provided common IPSec credentials are distributed to all CPEs), so it
actually may make sense.

Just started a side thread on this with a little idea of how we could do that
safely :)

But if you have a suggestion to use some other protocol for it, I am all
ears!

Cheers,
R


On Mon, Jul 9, 2018 at 11:03 PM, Jeff Tantsura <jefftant.ietf@gmail.com>
wrote:

> Yes Robert, exactly, and as such I would question the use of BGP
> (KitchenSinkProtocol) to do so in general.
>
> Cheers,
>
> Jeff
>
> *From: *<rraszuk@gmail.com> on behalf of Robert Raszuk <robert@raszuk.net>
> *Date: *Monday, July 9, 2018 at 13:53
> *To: *Linda Dunbar <linda.dunbar@huawei.com>
> *Cc: *Jeff Tantsura <jefftant.ietf@gmail.com>, Eric C Rosen <erosen@juniper.net>, "idr@ietf.org" <idr@ietf.org>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
> *Subject: *Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?
>
> Hi Linda,
>
> I think Jeff is asking why not use a well-known community to scope the
> blast radius of the advertisement.
>
> But personally I think this is pretty weak protection - if this would be
> the only protection against IPSec credential hijack. IMO this needs to be
> protected a bit stronger, such that even a leak of the update will cause no
> harm or VPN compromise.
>
> Thx,
> R.
>
> On Mon, Jul 9, 2018 at 10:50 PM, Linda Dunbar <linda.dunbar@huawei.com>
> wrote:
>
> Jeff,
>
> The answer to your question “Why would you want to build what you are
> trying to do into protocol?” is:
>
> - We want to use BGP to do more (i.e. use RR to distribute information
>   injected from and by a controller), to eliminate dealing with the
>   changes to NHRP/DSVPN.
>
> Can you elaborate on “the existing technology”?
>
> Linda
>
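As a defender-side illustration of the point made in the quoted exchange (a well-known community limits how far an advertisement propagates, but does nothing to protect the IPsec tunnel parameters carried inside the UPDATE), here is an added Python check; it is not code from the thread or from the draft. It walks the path attributes of a BGP UPDATE, flags advertisements carrying an IPsec Tunnel Encapsulation TLV that lack NO_EXPORT/NO_ADVERTISE scoping, and still reports scoped ones as policy-only protection. It assumes the draft's 2-octet TLV length, and the sample attribute lists produced by `build_update` are constructed for the example.

```python
import struct

# Well-known communities (RFC 1997) that ask peers not to propagate an UPDATE further.
NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED = 0xFFFFFF01, 0xFFFFFF02, 0xFFFFFF03
SCOPING = {NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED}
ATTR_COMMUNITIES, ATTR_TUNNEL_ENCAP = 8, 23   # path attribute type codes
TUNNEL_IPSEC = 4                              # IANA tunnel type "IPsec in Tunnel-mode"

def parse_path_attributes(data: bytes):
    """Yield (type_code, value) for each path attribute in an UPDATE's attribute list."""
    i = 0
    while i < len(data):
        flags, code = data[i], data[i + 1]
        if flags & 0x10:                               # Extended Length flag set
            length, i = struct.unpack_from("!H", data, i + 2)[0], i + 4
        else:
            length, i = data[i + 2], i + 3
        yield code, data[i:i + length]
        i += length

def tunnel_types(value: bytes):
    """Tunnel types in a Tunnel Encapsulation attribute (2-octet TLV length, as in the draft)."""
    types, i = [], 0
    while i + 4 <= len(value):
        ttype, tlen = struct.unpack_from("!HH", value, i)
        types.append(ttype)
        i += 4 + tlen
    return types

def audit_update(attrs: bytes):
    """Return [] if no IPsec tunnel is advertised, else ['unscoped'] or ['scoped-only']."""
    communities, ipsec = set(), False
    for code, value in parse_path_attributes(attrs):
        if code == ATTR_COMMUNITIES:
            communities |= {c for (c,) in struct.iter_unpack("!I", value)}
        elif code == ATTR_TUNNEL_ENCAP and TUNNEL_IPSEC in tunnel_types(value):
            ipsec = True
    if not ipsec:
        return []
    # A scoping community only asks well-behaved peers not to re-advertise; the IPsec
    # parameters still sit in the UPDATE, so a leaked update exposes them either way.
    return ["scoped-only"] if communities & SCOPING else ["unscoped"]

def attr(code: int, value: bytes) -> bytes:
    """Encode one optional transitive attribute (flags 0xC0); values here stay under 256 bytes."""
    return bytes([0xC0, code, len(value)]) + value

def build_update(communities, tunnels) -> bytes:
    """Constructed attribute list: optional COMMUNITIES plus a Tunnel Encapsulation attribute."""
    comm = attr(ATTR_COMMUNITIES, b"".join(struct.pack("!I", c) for c in communities))
    encap = attr(ATTR_TUNNEL_ENCAP, b"".join(struct.pack("!HH", t, 0) for t in tunnels))
    return (comm if communities else b"") + encap
```

Run `audit_update(build_update([NO_EXPORT], [TUNNEL_IPSEC]))` to see a scoped-only advertisement and `audit_update(build_update([], [TUNNEL_IPSEC]))` for an unscoped one.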