IETF Logo Mail Archive

Re: [Idr] draft-hujun-idr-bgp-ipsec

"Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com> Sat, 09 March 2019 06:49 UTC

Return-Path: <jun.hu@nokia.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4C01124D68 for <idr@ietfa.amsl.com>; Fri, 8 Mar 2019 22:49:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fLCEJ5dGqm_C for <idr@ietfa.amsl.com>; Fri, 8 Mar 2019 22:49:45 -0800 (PST)
Received: from FRA01-MR2-obe.outbound.protection.outlook.com (mail-eopbgr90110.outbound.protection.outlook.com [40.107.9.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B108A124C04 for <idr@ietf.org>; Fri, 8 Mar 2019 22:49:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SSQeNhNVpV3sbCcScZlVs9ebTAq/pDrpA8UZvLi8bbc=; b=kjdRlv1iMPWyv6XmEAES3mdxQL2oIrnAYL0kqfUJdszzkEplg2cP2sWKcmlqEi8bx3tuk7vESA77156vYlPBJYXA2p2t69PNJkpP82iy+Sz6qBXSuriZCvD1dl0TbwEo0fakmSuMip71fCJ6J8XaDH3yoeNmP13m6frAZbXHYcg=
Received: from PR1PR07MB5755.eurprd07.prod.outlook.com (20.177.210.161) by PR1PR07MB5050.eurprd07.prod.outlook.com (20.177.210.208) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.8; Sat, 9 Mar 2019 06:49:41 +0000
Received: from PR1PR07MB5755.eurprd07.prod.outlook.com ([fe80::293b:c200:5556:d61e]) by PR1PR07MB5755.eurprd07.prod.outlook.com ([fe80::293b:c200:5556:d61e%4]) with mapi id 15.20.1686.016; Sat, 9 Mar 2019 06:49:41 +0000
From: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
To: Robert Raszuk <robert@raszuk.net>
CC: "idr@ietf. org" <idr@ietf.org>
Thread-Topic: draft-hujun-idr-bgp-ipsec
Thread-Index: AQHU1fBkv1yiyD9z+USgDZ8cdYsTSaYCPEuggAAThQCAAARe0IAACpIAgAB5eSA=
Date: Sat, 09 Mar 2019 06:49:41 +0000
Message-ID: <PR1PR07MB575593E68668F618C42AABBE954E0@PR1PR07MB5755.eurprd07.prod.outlook.com>
References: <CAOj+MMGYYO-0CmnGeXMfRo+VnVV0pYdyrR-ds56mqoRoLsh8Ew@mail.gmail.com> <PR1PR07MB5755FF20AC4C0309ED2B170D954D0@PR1PR07MB5755.eurprd07.prod.outlook.com> <CAOj+MMGmqx5+p4ZyjaKpQ-2+83kFBqUmT6XvnwHNnd9-0K735Q@mail.gmail.com> <PR1PR07MB57559863F4ABDF1C509B2EAE954D0@PR1PR07MB5755.eurprd07.prod.outlook.com> <CAOj+MME-wJVFZGVXXH9aVoPKy59TxGjLAGvB10S9P4sLtZoLwA@mail.gmail.com>
In-Reply-To: <CAOj+MME-wJVFZGVXXH9aVoPKy59TxGjLAGvB10S9P4sLtZoLwA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2601:646:8500:5f0:6d61:5773:3290:75c4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b268d980-4ce0-4b32-d9ff-08d6a45b682f
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:PR1PR07MB5050;
x-ms-traffictypediagnostic: PR1PR07MB5050:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <PR1PR07MB5050171B38BC90530704566E954E0@PR1PR07MB5050.eurprd07.prod.outlook.com>
x-forefront-prvs: 0971922F40
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(366004)(346002)(376002)(136003)(39860400002)(199004)(189003)(51444003)(97736004)(7696005)(6116002)(8936002)(4326008)(6246003)(102836004)(6306002)(55016002)(8676002)(229853002)(236005)(52536013)(53546011)(6346003)(6506007)(99286004)(74316002)(81156014)(54896002)(790700001)(9686003)(81166006)(606006)(6436002)(71200400001)(71190400001)(7736002)(76176011)(561944003)(5660300002)(53936002)(446003)(11346002)(93886005)(486006)(476003)(46003)(186003)(14444005)(5024004)(256004)(2906002)(5070765005)(105586002)(106356001)(25786009)(6916009)(316002)(478600001)(86362001)(14454004)(66574012)(33656002)(68736007); DIR:OUT; SFP:1102; SCL:1; SRVR:PR1PR07MB5050; H:PR1PR07MB5755.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jun.hu@nokia.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 0up/RmpIkyPfM6RtI+HzHHlyAXaWwMQFZ6UlGoWLhoT9ZN4AImjcgkCkOEnv9MIBs4vHBpVrYl1fXv2m4qvUzKYjxNAQHTlHsvHhJr0FDFyPaBMsNhyPef7a3CHhssj4nCkhg5zzMjVoTrStbgYqUNCwWCzhi62lm2uD8vCvwcQQGsnECV9cpJPe4huOqNtxtnml8x+IA4n57wZ+TW7+q1+8Xc8m/uMcjXsP5fBEopwyOemxRIIy+LLDKWzs2x8YWGP3Wd77v+qPpFjxvbYZ7ilNNKsGF+aVn1ZxtiPmJgHO9wt8u6a+0MGWLKxI+ISXdWGl+aNzRQ8ytMqtpaO3Iz4bFR5AvIe9OXFTJ7K/TaFz3Fcyx4pXC9+PfpsT7qwmfxqm/ltWI2her40yaKSrtpvLZu34rEsgXzS2gpu1ifA=
Content-Type: multipart/alternative; boundary="_000_PR1PR07MB575593E68668F618C42AABBE954E0PR1PR07MB5755eurp_"
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b268d980-4ce0-4b32-d9ff-08d6a45b682f
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Mar 2019 06:49:41.5789 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR1PR07MB5050
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/4FgtoLS6J5JMOidaeRK5pvMmgpI>
Subject: Re: [Idr] draft-hujun-idr-bgp-ipsec
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Mar 2019 06:49:50 -0000

Maybe the text in my draft needs to be more clear, but my draft is referencing  [I-D.ietf-idr-tunnel-encaps] ; Yes, according to section 1.4 of [I-D.ietf-idr-tunnel-encaps], IPsec tunnel is out of its scope, that’s why my draft says it extends [I-D.ietf-idr-tunnel-encaps] to support IPsec tunnel;

So when I say “the BGP update of NLRI prefix C need to include a Tunnel Encap attr, which include two IPsec TLVs…”, it means the BGP update include a Tunnel Encap attr as specified in section-2 of [I-D.ietf-idr-tunnel-encaps], and this Tunnel Encap attr include two TLVs:

  *   TLV-1: Tunnel Type is 4 (I propose to reuse 4 for IPsec tunnel), TLV-1 contains following sub-TLV:
     *   Remote Endpoint (as specified in section 3.1 of [I-D.ietf-idr-tunnel-encaps]) : local IPsec tunnel endpoint address of advertising router
     *   remote-prefix : pA
     *   color (as specified in 3.4.2 of [I-D.ietf-idr-tunnel-encaps], but has new semantics for IPsec): A
  *   TLV-2: Tunnel Type is 4 , TLV-2 contains following sub-TLV:
     *   Remote Endpoint: local IPsec tunnel endpoint address of advertising router
     *   remote-prefix: pB
     *   color: B

hope this make things clearer

From: Robert Raszuk <robert@raszuk.net>
Sent: Friday, March 8, 2019 3:19 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>
Cc: idr@ietf. org <idr@ietf.org>
Subject: Re: draft-hujun-idr-bgp-ipsec

Hi,

I think that the references are a bit wrong. And the confusion may be not even your own fault,
but IETF process related.

I was looking for type 4 tunnel type in your normative reference but there is none.


[I-D.ietf-idr-tunnel-encaps]

              Rosen, E., Patel, K., and G. Velde, "The BGP Tunnel

              Encapsulation Attribute", draft-ietf-idr-tunnel-encaps-11<https://tools.ietf.org/html/draft-ietf-idr-tunnel-encaps-11>

              (work in progress), February 2019.



The reference your text may be referring to is perhaps RFC5566 instead

since this is where type 4 for IPSec in Tunnel mode was defined. Different document.



Unfortunately 5566 relied on 5512 which is obsoleted now. And we never

concluded how any references to 5566 should be now handled.



1.4<https://tools.ietf.org/html/draft-ietf-idr-tunnel-encaps-11#section-1.4>.  Impact on RFC 5566<https://tools.ietf.org/html/rfc5566>





   [RFC5566] uses the mechanisms defined in [RFC5512<https://tools.ietf.org/html/rfc5512>].  While this

   document obsoletes [RFC5512<https://tools.ietf.org/html/rfc5512>], it does not address the issue of how to

   use the mechanisms of [RFC5566<https://tools.ietf.org/html/rfc5566>] without also using the Encapsulation

   SAFI.  Those issues are considered to be outside the scope of this

   document.



And [I-D.ietf-idr-tunnel-encaps] does not define anything for IPSec.



So bottom line based on the current definition of Tunnel Encapsulation

Attribute I am not sure where and how you want to provide the defined

herein extensions.



Therefor it is now hard to comment on encoding specifics of provided examples

for two IPSec tunnel signalling options till normative references are sorted out.



Thx,

RR.



On Fri, Mar 8, 2019 at 11:48 PM Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>> wrote:
I agree that making remote prefix sub-TLV optional and absence of it means ANY is a better idea, will update the draft and example in it;

To address use case in your email, the BGP update of NLRI prefix C need to include a Tunnel Encap attr, which include two IPsec TLVs:

  *   IPsec TLV-1: include remote-prefix sub-TLV pA and color sub TLV A
  *   IPsec TLV-2: include remote-prefix sub-TLV pB and color sub TLV B



From: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Sent: Friday, March 8, 2019 2:26 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>>
Cc: idr@ietf. org <idr@ietf.org<mailto:idr@ietf.org>>
Subject: Re: draft-hujun-idr-bgp-ipsec


Ok that was not very clear from the draft. While your explanation is good - there may be folks who will try to include all remote prefixes as this sub-TLV is mandatory. I guess if instead of all zero's you make it also optional the room for bad encoding becomes smaller.

But let's assume that you have two different IPSec encapsulation requirements A & B for the same local prefix C and two different remote prefixes pA & pB.

How would you encode it in the single update msg ?

Thx,
R.

On Fri, Mar 8, 2019 at 10:31 PM Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>> wrote:
Thanks for reviewing the draft;
In your example (500 routers), R2 doesn’t necessary need to advertise 500 remote prefixes because if R2 doesn’t have 500 different types IPsec encapsulation requirements for the NLRI, what it could do it just include a single all-zero remote prefix, means traffic from any source destined to this NLRI should use this particular IPsec tunnel encapsulation config;  and I would expect using all-zero remote prefix would be the common use case;

From: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Sent: Friday, March 8, 2019 12:49 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>>
Cc: idr@ietf. org <idr@ietf.org<mailto:idr@ietf.org>>
Subject: draft-hujun-idr-bgp-ipsec

Hi,

I have read your proposal and have one question.

The proposed encoding of additional sub-TLVs define local and remote prefixes as traffic selectors. Looks great in your example of two end points only. But introduction talks about scale so let's consider scale factor.

Assume you have 500 routers in the domain.

When you advertise subnet B or C from R2 now you need to include in mandatory Remote prefix sub-TLV 500 ingress prefixes as for each subnet advertised you can only send it once in BGP. Then each ingress PE receiving this huge list would need now to store all 500 ingress ACLs (mappings to IPSec tunnels) where in fact perhaps realistically only one or two ingress traffic subnets may ever be traversing via given edge router.

And 500 is just following your example where ingress prefixes are directly attached to ingress router (subnet A to R1). There can be valid mapping cases where such sources are not directly attached.

This really does not look at all efficient and is prone to generate a lot of unnecessary state directly proportional to network size or expected incoming src prefix number.

If you really would like to use p2mp protocol for this configuration push I would recommend to leave the current Tunnel Encapsulation Attribute unchanged and simply propose to define a new SAFI with proper NLRI syntax that it is precisely efficient to the very application you describe.

Effectively what you are proposing is to carry in BGP src+dst based mapping to IPSec tunnel deeply embedding this into sub-TLVs of tunnel encapsulation attribute.

In principle I agree that we do see more and more use cases for src+dst based IP lookups both for native forwarding and with some form of encapsulation but the proposed nested and not efficient encoding IMO requires to be modified to work well in the assumed large scale.

Thx a lot,
R.

v2.23.0 | Report a Bug | By Email