Re: [Idr] Further discussions on draft-sajassi-bess-secure-evpn &draft-dunbar-idr-sdwan-port-safi address (second attempt)

Susan Hares <> Thu, 28 March 2019 08:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1DAA612025B for <>; Thu, 28 Mar 2019 01:15:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NS5kJJO492dD for <>; Thu, 28 Mar 2019 01:15:15 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A0D7D12014C for <>; Thu, 28 Mar 2019 01:15:14 -0700 (PDT)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=;
From: Susan Hares <>
Date: Thu, 28 Mar 2019 04:15:12 -0400
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_SW_22605_1553760911_mpa="
X-Mailer: SurgeWeb - Ajax Webmail Client
Archived-At: <>
Subject: Re: [Idr] Further discussions on draft-sajassi-bess-secure-evpn &draft-dunbar-idr-sdwan-port-safi address (second attempt)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 28 Mar 2019 08:15:17 -0000

[first attempt seem to bounce - resending. Sue]


Thank you for quick summary.   Just a bit of additional context, since 
the IDR meeting today may be full.

<WG chair hat off, individual contributor hat on>

One places the registration step provides better handling of the 
gateways between VPNs.
[secure vpn-1] [gateway] [secure-vpn2]

Your step b: this case your  step b: signaling and set-up of the IPsec 
tunnel between C-PE and RR controller" works fine in the continuous 
VPN cae:

client1- (VPN2 for 1 segment)--client2

As I understand your solution (which may still be flawed), in the case 
of the gateway between two VPNs you require a the gateway box(es) to 
implement a entire virtual VPN instances.

Rather than make the gateway box implement "virtual vpn within a box" 
mechanisms (proposed by other vpn mechanisms), this utilizes sending 
the BGP NLRI (AFI/SAFI) to the RR with bootstrap data to allow the RR 

(Diagram shows 1 RR, but it could be a group of RR+++).

     -------- RR---------
     |                         | BGP over TLS (due to security)

to set-up tunnels between R1 and R2 using BGP tunnel attribute.

The bootstrap is used on initial set-up and upon dynamic change .

Linda's context was to help people understand where the 
VPN-gateway-VPN structure fit within SD-WAN.  This approach is 
different approach than existing gateway solutions (see bess drafts) 
and draft-hujun-idr-bgp-ipsec (single admin-domain).

A delightful re-reading of draft-idr-tunnel-encaps-11 indicates that 
technology may be stable enough for WG LC, but the text needs an 
editor's pen.   For example, I cannot confirm nor deny whether how the 
conflict of the MAC Addresses of section 4.2 of the 
draft-idr-tunnel-encaps-11.txt speaks of is resolved (precedence) if 
it conflict fluctuations.  This section is important because it speaks 
of the interaction for the gateway case described in 
(draft-ietf-bess-evpn-inter-subnet-forwarding) gateway.  The phrase 
"takes precedence" points the implementer in the right directions, but 
"seems" to conflict the text in section 11 (Error handling).

Keyur is going to present on updates to the tunnel draft at IDR.  I 
look forward to his presentation.

> --- Original message ---
> Subject: Further discussions on draft-sajassi-bess-secure-evpn 
> &draft-dunbar-idr-sdwan-port-safi address
> From: Ali Sajassi (sajassi) <>
> To: Idr <>
> Cc: Linda Dunbar <>, Susan Hares 
> <>, John E Drake <>, Ayan Banerjee 
> (ayabaner) <>, David Carrel (carrel) 
> <>, Ali Sajassi (sajassi) <>
> Date: Thursday, 28/03/2019 3:01 AM
> Hi folks,
> At the mic, I made a comment that the use cases being presented here 
> at the IDR session, were discussed previously between Linda and myself 
> and how secure-evpn draft can accommodate these use cases. When I made 
> this comment I had the following steps in mind: a) initial 
> configuration, b) signaling and setup of IPsec tunnel between C-PE and 
> RR/controller for BGP session, c) signaling of IPsec SAs among C-PE 
> (for carrying user traffic) over this secured BGP session using my 
> draft, and d) mapping of user traffic/flows from C-PE ingress ports to 
> these IPsec tunnels based on policy.
> Yesterday we had further discussions, and Linda/Sue are introducing 
> one additional step “port registration” before step-C above using 
> her draft. I had the question on why this step cannot be done as part 
> of step (a) or maybe (c). From my perspective, I need to better 
> understand what this registration step is exactly doing and if it can 
> be done as part of (a) or (c). I think Linda and Sue will take a 
> closer look at tunnel-encap draft which is the foundation of my draft 
> to evaluate it for the registration step. Anyway, I promised to give a 
> short summary and this is as short as I can get ☺
> Cheers,
> Ali