[Idr] draft-dunbar-idr-sdwan-port-safi: One SDWAN Port property advertisement per BGP UPDATE or multiple Ports property packed in one BGP UPDATE ?
Linda Dunbar <email@example.com> Thu, 24 October 2019 14:58 UTC
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15BDC120829 for <firstname.lastname@example.org>; Thu, 24 Oct 2019 07:58:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([220.127.116.11]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FtCmF2zU31ul for <email@example.com>; Thu, 24 Oct 2019 07:58:40 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-eopbgr800093.outbound.protection.outlook.com [18.104.22.168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCC891208CC for <firstname.lastname@example.org>; Thu, 24 Oct 2019 07:58:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oD+T8VrENRg1h+RaTqo6fENUPBUZqNZjXG6nk0W1wbXLhT8HkXuS8LYvM9Knbg1ITPpfgL7tYTzTd0mY2zkhzJuxzwT2r54khDlHXF8A/sa0kiMMk55LMVjaGIP+MBnsAwoEpcePZeW01DPJKi2hi/Q1wgfeBJReKxx0+cl2l1GGwshmE0vyBgl2vFCH9a2DnbknPAlS0cZ0zml+IYA5ca/F3VhtKsrytUal9ht8bwRnBo6qYk7LP0WjnK0JCkLSrrR1s75isu1kRjJLD72U9Z4HxWQBSOQPr6PIecFg2CjFnry1ciJYRhxiuJqMIYaXegXgwWKeYRjW0mhdlOJ1AQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=M0oKI9Q6uyuh07d62m9o/f6gOE8r44u0k9rAEnEm8P4=; b=UYcEHunPQW5MNmfOK6cjnD+4Duc0UjO6CP9eAkT6hyk2nugP/bGZ3OxALOC5HW2qxyuItQfjtPop7MgRF3P8UErGWDUWP73zEEubH6JoP+/5KdZqtVFKkJl2Yr9/1XM1kZgseCXFAxYVMHvbv7HZ5PasUiNf49mQoUCQS5LeJK0SB05FpAoSL4TZ0U42LznYkpEt5VdzxhEbmaO3hmcUiI4s0K/JI1tZm8ds/WfDLKuHo/sHL3OKzCAWAvk09nRDTwc1+/muq0A8Df3d4jy+dBvCKrB4jJQGyy19IC27zXzfFNZjn1VGSxvA6ru+8Nq+RGZgwbECfHvRHz8WILlX2w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=M0oKI9Q6uyuh07d62m9o/f6gOE8r44u0k9rAEnEm8P4=; b=Vf9EkDhNuSZQpA7weMtIgjeXCnhA7yNLpYqR/vq0Tg5srwOhYDOyTjJIOqp+7vY5EBqpi6FdC9QVXrPw54nVCbqCbhhhxll2Trj+RHjBgTMs8Md0oJx8LXGlHTsPV/Y/YACYxMndb+I2q/C/yKAiejGxszAt5BUUPEtJOZlxKhQ=
Received: from BN8PR13MB2628.namprd13.prod.outlook.com (22.214.171.124) by BN8PR13MB2801.namprd13.prod.outlook.com (126.96.36.199) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.14; Thu, 24 Oct 2019 14:58:34 +0000
Received: from BN8PR13MB2628.namprd13.prod.outlook.com ([fe80::9f3:c754:7ac8:b3dd]) by BN8PR13MB2628.namprd13.prod.outlook.com ([fe80::9f3:c754:7ac8:b3dd%7]) with mapi id 15.20.2387.021; Thu, 24 Oct 2019 14:58:33 +0000
From: Linda Dunbar <email@example.com>
To: "Wanghaibo (Rainsword)" <firstname.lastname@example.org>, Robert Raszuk <email@example.com>, "firstname.lastname@example.org" <email@example.com>
Thread-Topic: draft-dunbar-idr-sdwan-port-safi: One SDWAN Port property advertisement per BGP UPDATE or multiple Ports property packed in one BGP UPDATE ?
Date: Thu, 24 Oct 2019 14:58:33 +0000
authentication-results: spf=none (sender IP is ) firstname.lastname@example.org;
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(366004)(136003)(376002)(396003)(346002)(39850400004)(54164003)(199004)(51914003)(189003)(7110500001)(236005)(71190400001)(2501003)(15650500001)(733005)(561944003)(76116006)(86362001)(54896002)(33656002)(55016002)(2906002)(66476007)(14444005)(64756008)(66556008)(81166006)(81156014)(5024004)(6436002)(71200400001)(66946007)(6306002)(8936002)(5070765005)(66576008)(74316002)(256004)(66446008)(8676002)(9686003)(861006)(66066001)(3846002)(790700001)(6116002)(7736002)(966005)(7696005)(99936001)(30864003)(26005)(52536014)(606006)(478600001)(316002)(5660300002)(476003)(110136005)(99286004)(53546011)(66574012)(25786009)(14454004)(44832011)(486006)(102836004)(6506007)(2420400007)(186003)(290074003)(559001)(569006); DIR:OUT; SFP:1102; SCL:1; SRVR:BN8PR13MB2801; H:BN8PR13MB2628.namprd13.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: futurewei.com does not designate permitted sender hosts)
Content-Type: multipart/related; boundary="_007_BN8PR13MB26289204EBF40B847406B55F856A0BN8PR13MB2628namp_"; type="multipart/alternative"
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2019 14:58:33.7001 (UTC)
Subject: [Idr] draft-dunbar-idr-sdwan-port-safi: One SDWAN Port property advertisement per BGP UPDATE or multiple Ports property packed in one BGP UPDATE ?
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:email@example.com?subject=unsubscribe>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:firstname.lastname@example.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 14:58:45 -0000
Haibo, Thank you very much for pointing out the issue of packing multiple WAN Port properties into one BGP UPDATE. Alternatively, we can take the same approach by draft-ietf-idr-segment-routing-te-policy-07 where only one SR Policy is carried by one BGP UPDATE. The Advantage is making it easier for advertising WAN property changes, such as ISP service agreement changes or decommissioned for the WAN port. The disadvantage is Multiple UPDATE if the SDWAN edge node has multiple ports. Do people have any preference? Thanks, Linda From: Wanghaibo (Rainsword) <email@example.com> Sent: Thursday, October 24, 2019 1:11 AM To: Linda Dunbar <firstname.lastname@example.org>om>; Robert Raszuk <email@example.com>om>; firstname.lastname@example.org Subject: RE: [Idr] Solicit feedback to BGP UPDATE encoding options for SDWAN WAN port properties propagation among SDWAN edges (pros & cons to draft-dunbar-idr-sdwan-port-safi and alternatives) Hi Linda, I think in this method, the routes update will be more complex. If we use like this, when A1’s port is down, how to do withdraw? Advertise a new route with type A2 & A3 ? Also, when A1’s information is update, we must advertise a route with all A1, A2 and A3. Regards, Haibo From: Idr [mailto:email@example.com] On Behalf Of Linda Dunbar Sent: Thursday, October 24, 2019 4:52 AM To: Linda Dunbar <firstname.lastname@example.org<mailto:email@example.com>>; Robert Raszuk <firstname.lastname@example.org<mailto:email@example.com>>; firstname.lastname@example.org<mailto:email@example.com> Subject: Re: [Idr] Solicit feedback to BGP UPDATE encoding options for SDWAN WAN port properties propagation among SDWAN edges (pros & cons to draft-dunbar-idr-sdwan-port-safi and alternatives) Thanks to everyone’s feedback and discussion. We will re-organize the draft to explain multiple options of encodings. The description of the options can also help people (future people) to better understand how the MP-NLRI Path Attribute and Tunnel Path Attribute are used together. Before the detailed encoding discussion, let’s first look the needed information to be advertised by SDWAN Edge: As described in the [SDWAN-BGP-USAGE], the key characteristics of Hybrid SDWAN includes: * CPE have its WAN ports connected to different ISPs/NSPs, some of which are untrusted network, others are trusted. For a packet destined towards a Destination, if forwarded out of a WAN port connected to public network, encrypted might be needed, if forwarded out of a WAN port connected to private network, the packet can be forwarded natively without encryption. * A SDWAN node (shorten as SDW in the figure) can only communicate with its authorized peers, not to everyone. To minimize configuration on SDWAN edge nodes, it is the RR (SDWAN controller) that controls the distribution of SDWAN BGP UPDATE. Therefore, the SDWAN BGP UPDATE messages are only between SDWAN edge and its RR. * The network between SDWAN edge and their RR are over untrusted network. Centralized------------------------------------------- Controller (RR) | | | | +---+ | | Peer Group 1 |RR | Peer Group 2 | | +======+====+=+ +======+====+=====+ | | / / | +---+ | \ \ | | / / | | | \ | | +-+-+ +-+--+ +-+-+ +-+-+ +-+-+ +-+-+ | | |SDW| | SDW|--|SDW| |SDW| |SDW| |SDW| | ---| 1 | | 2 | | 3 | |4 | | 5 | | 6 |----| +---+ +----+ +---+ +---+ +---+ +---+ Tenant 1 Tenant 2 Figure 1: SDWAN WAN Port Properties Advertisement via RR Using Figure 1 as illustration, a SDWAN node needs to propagate the following properties to its RR: * Node information, including Node ID and Site ID, * WAN Port information, under each Port, need to have more detailed description of the port, such as * the types of the Wide Area Network, if it is a private MPLS L3/L2 VPN, Public Internet, LTE, etc. * Service provider identifier for the network facing the WAN port * If facing untrusted network, IPsec information about the IPsec tunnels terminated at the port * If the port is assigned with the private IP address, its NAT properties * Attached client routes, which is same as in VPN or EVPN. * Node Level IPsec information, if the SDWAN node needs to establish Node Level IPsec tunnel, regardless which WAN ports the packets are sent/received. RR is responsible for propagate the received SDWAN UPDATE to a group of authorized peers via encrypted channels. For example, the RR propagates the UPDATE received from SDW-1 to SDW-2 & SDW-3. Using MP-NLRI and Tunnel Path attributes, a SDWAN node with 3 WAN Ports (A1 connected to Internet, A2 & A3 connected to MPLS) can send out the following UPDATE to advertise its 3 WAN ports A1/A2/A3 properties: Border Gateway Protocol – UPDATE Message Path Attribute - MP_REACH_NLRI /* no including detailed routes in NLRI field if the routes are not attached */ Address family identifier (AFI) Subsequent address family identifier (SAFI) Next hop network address /* for the SDWAN-A loopback address */ ** need to add an extra field to indicate Site-ID of this SD-WAN node ** Path Attribute – Tunnel-Encap (Type Code=23) /*for A1*/ Tunnel-Type = Untrusted-Internet /* need IANA assignment */ Remote endpoint subTLV /* for A1 address or A1 port ID*/ Encoding of A1’s properties in subTLVs /* see later section for detailed encoding */ Ipsec properties for Ipsec tunnel terminated at A1 NAT properties if A1 has private address /* for A2 */ Tunnel-Type = MPLS-VPN Remote endpoint subTLV /* for A2 address */ /* for A3 */ Tunnel-Type = MPLS-VPN Remote endpoint subTLV /* for A3 address */ The SDWAN-A loopback address might be internal to the peer group and not routable in the WAN. What do people think? If no objection, I will add the text to the draft. Thanks, Linda From: Idr <firstname.lastname@example.org<mailto:email@example.com>> On Behalf Of Linda Dunbar Sent: Tuesday, August 13, 2019 3:01 PM To: Robert Raszuk <firstname.lastname@example.org<mailto:email@example.com>> Cc: firstname.lastname@example.org<mailto:email@example.com> Subject: Re: [Idr] Solicit feedback to BGP UPDATE encoding options for SDWAN WAN port properties propagation among SDWAN edges (pros & cons to draft-dunbar-idr-sdwan-port-safi and alternatives) Robert Yes, it is “Overlay BGP”. Thank you very much for suggesting the name. I will incorporate it into the draft. Linda From: Robert Raszuk <firstname.lastname@example.org<mailto:email@example.com>> Sent: Tuesday, August 13, 2019 2:06 PM To: Linda Dunbar <firstname.lastname@example.org<mailto:email@example.com>> Cc: firstname.lastname@example.org<mailto:email@example.com> Subject: Re: [Idr] Solicit feedback to BGP UPDATE encoding options for SDWAN WAN port properties propagation among SDWAN edges (pros & cons to draft-dunbar-idr-sdwan-port-safi and alternatives) Hi Linda, > note: the BGP for SDWAN Edges is running at different layers than the BGP for underlay networks, i.e. not “FLAT” BGP So I was under impression that you are to discover the interested SDWAN peers with this extension - well apparently not if what you are defining is an overlay BGP. But then if you have to discover the peers dynamically in some other way prior to establishing said BGP sessions - why not to add this information as part of auto discovery mechanism ? Many thx, R. On Tue, Aug 13, 2019 at 8:07 PM Linda Dunbar <firstname.lastname@example.org<mailto:email@example.com>> wrote: Robert, Thanks for the quick feedback. It is interesting that you mentioned LISP, I had “LISP” listed as the 4th option in my first version of the analysis, then decided to remove it because the discussion is in IDR group. Legitimate question on WHY BGP? In addition to looking into your suggested “out of box thinking” that BGP carrying some short reference the actual information should be kept outside of it in one of the new global databases, here are some of the Compelling reasons of using BGP to distribute SDWAN edge properties among peers that might be spread across the globe: (note: the BGP for SDWAN Edges is running at different layers than the BGP for underlay networks, i.e. not “FLAT” BGP. They are among SDWAN edges, not for exposing to underlay provider as you stated EBGP. When the underlay network service providers use SDWAN to temporarily expand bandwidth in some segments, they have more reason to use BGP to minimize amount of learning & configuration of introducing new protocols in their environment) * BGP already widely deployed as sole protocol (see RFC 7938). Even if not for this purpose of propagating SDWAN WAN port properties, the BGP base protocol implementation is supported by virtually all switches/routers (virtual & physical). Even AWS VPC export the BGP routes. * Wide acceptance – minimal learning (which is very important requirement for operations) * Robust and simple implementation, * Reliable transport * Guaranteed in-order delivery * Incremental updates * No flooding and selective filtering * RR already has the capability to apply policies to communications among peers. Bottom line: It is much easier to add one function than adding a brand-new protocol stack. Alternative: extending LISP, NHRP, DSVPN/DMVPN * In addition to more proposal changes needed, NHRP/DSVPN/DMVPN don’t scale well. * More learning, more barrier to be deployed, just think how many decades of painful journey deploying IPv6. * Prior extension of BGP for non-client routes reachability: Flowspec, BGP LS, Segment routing policies, etc Linda From: Robert Raszuk <firstname.lastname@example.org<mailto:email@example.com>> Sent: Tuesday, August 13, 2019 3:16 AM To: Linda Dunbar <firstname.lastname@example.org<mailto:email@example.com>> Cc: firstname.lastname@example.org<mailto:email@example.com> Subject: Re: [Idr] Solicit feedback to BGP UPDATE encoding options for SDWAN WAN port properties propagation among SDWAN edges (pros & cons to draft-dunbar-idr-sdwan-port-safi and alternatives) Hi Linda, I must up front say that your efforts in this area are very useful ! Thank you for this work. But in the same time I need to ask why are we so much hostage of BGP and attempt to propagate all of this opaque information in BGP ? SDWANs by design are to span globe and out of the information you would inject into global BGP only tiny fraction (if even that much) would benefit - for rest of the users it will be unneeded data. My suggestion here is to think outside of the box and while BGP could carry some short reference the actual information should be kept outside of it in one of the new global databases. See today I operate a global SDWAN and it works just fine when my controller is distributed in AWS cloud. I would be actually afraid to advertise anything in my EBGP sessions to my providers and it may just attract attacks and hackers towards my sides without any real value to the sites I am interconnecting. So perhaps we should spend this energy on building secure NNI to the interface of such public database rather to keep loading more and more service info into flat BGP ? Many thx, R. PS. Natural question POPs up - what's wrong with using LISP mapping plane for it ? Sure some are allergic to LISP just like some were allergic to MPLS, but is this really a right reason not to explore full spectrum of options ? On Tue, Aug 13, 2019 at 12:48 AM Linda Dunbar <firstname.lastname@example.org<mailto:email@example.com>> wrote: IDR participants: Many thanks to the feedback from IETF105 discussion on draft-dunbar-idr-sdwan-port-safi, especially the hallway discussions with Ali Sajassi, John Drake, Keyur Patel and Sue Hares on other possible encoding options. I put together an analysis of multiple BGP UPDATE encoding options to achieve SDWAN WAN port properties propagation among SDWAN edges. Please see the slides in the IDR WIKI page: https://trac.ietf.org/trac/idr/attachment/wiki/WikiStart/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrac.ietf.org%2Ftrac%2Fidr%2Fattachment%2Fwiki%2FWikiStart%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Ca7b9ea26ff544510462308d75848f8d5%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637074942762363098&sdata=dl0yy0Jw3T%2BjI9keT4JObS8EACnReZ4g4eqs2hjdNLM%3D&reserved=0> The Goal is for WAN Ports Property Propagation across SDWAN nodes in different domains [cid:image001.png@01D58A50.536BD410] The constraints are those SDWAN edges can be spread across different geographical locations, their connection to RR can be over untrusted networks, and they might not know the reachable addresses for the peers they need to communicate (therefore needing RR to propagate). There are many ways to skin the cat… different encoding for BGP Update Messages Option 1: Extending Tunnel-Encap with existing IP’s SAFI to achieve WAN port registration. [cid:image002.png@01D58A50.536BD410] * Pros: * no new SAFI introduced, the update messages can traverse existing routers * Cons: * Same IPv4/IPv6 SAFI NLRI carries the WAN port information that is very different from clients’ routes attached to the C-PEs. * The receivers (RR) has to do extra processing to differentiate the UPDATE messages from the attached routes UPDATE messages. Option 2: Tunnel-Encap with SDWAN NLRI for SDWAN WAN Ports Prosperities & Policies described by draft-dunbar-idr-sdwan-port-safi-02 [cid:image003.png@01D58A50.536BD410] * Pros: * Clean design and processing on the receivers (RRs). Simpler processing to differentiate the UPDATE messages from the attached routes UPDATE messages. * Cons: * New NLRI is introduced, the update messages can’t traverse existing routers * Since the the Tunnel UPDATE message with the new SDWAN NLRI/SAFI is strictly between SDWAN edge nodes and their respective RR(s) via a secure tunnel, the SDWAN UPDATE messages are not going to traverse existing routers. Therefore, it doesn’t cause any issues. Option 3: Using the new SAFI introduced for BGP labeled Colored Unicast described by draft-szarecki-idr-bgp-lcu-traffic-steering [cid:image004.png@01D58A50.536BD410] * Pros: * leverage the newly proposed NLRI for carrying Traffic Color across domains * Similar goal as SDWAN needing to propagating WAN port properties across domain/geolocations * Cons: * Need to attach the attributes which haven’t been specified by the draft yet. Need to ask merging the content from draft-dunbar-idr-sdwan-port-safi-02.. We are looking for feedback to those analysis and options. Thank you very much Linda Dunbar _______________________________________________ Idr mailing list Idr@ietf.org<mailto:Idr@ietf.org> https://www.ietf.org/mailman/listinfo/idr<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fidr&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Ca7b9ea26ff544510462308d75848f8d5%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637074942762373091&sdata=XMcMgcQzzdqk42A0eBbzhLOpCn%2BRpUavKGMeFPfilOE%3D&reserved=0>
- [Idr] draft-dunbar-idr-sdwan-port-safi: One SDWAN… Linda Dunbar