[Idr] Question about draft-hujun-idr-bgp-ipsec-02 ( was RE: 2 Week WG adoption call draft-hujun-idr-bgp-ipsec-02.txt and draft-hujun-idr-bgp-ipsec-transport-mode-00 (3/30 to 4/13/2020

Linda Dunbar <linda.dunbar@futurewei.com> Fri, 03 April 2020 20:24 UTC

From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Susan Hares <shares@ndzh.com>, 'IDR List' <idr@ietf.org>
Date: Fri, 03 Apr 2020 20:24:09 +0000
Message-ID: <MWHPR1301MB2096467F12809CB1041B467E85C70@MWHPR1301MB2096.namprd13.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/l3rmtlKq6ec_GYMGUIWr9pxouSs>

Jun,

I have a few clarifying questions about your draft.


  1.  Does draft-hujun-idr-bgp-ipsec-02 assume that IKEv2 is still running between IPsec peers?
  2.  Does receiving the IPsec BGP UPDATE trigger a node to start IKEv2 with the speaker without any configuration from the administrator? If Node B can only establish IPsec IKEv2 with another node C, does it matter whether Node B receives the BGP UPDATE from C or not?
  3.  How does the BGP UPDATE ease the IPsec configuration? Does it ease the configuration on the BGP UPDATE speaker? Or does it ease the configuration of the receiver?
  4.  How to differentiate Public Routing Instances? If the payload packets within the IPsec tunnel are simple IP forwarding, are there still "Private Routing Instances"?
  5.  On Page 3, the draft states that only "Local Tunnel Endpoint address, Public Routing Instance and CHILD SA traffic selector address range" are advertised by the BGP. Is the Local Tunnel Endpoint address the same as the LOOPBACK address of the node? Or can it be a specific ingress or egress port of the node sending out the BGP UPDATE?


Thank you very much.

Linda Dunbar

From: Idr <idr-bounces@ietf.org> On Behalf Of Susan Hares
Sent: Monday, March 30, 2020 7:07 AM
To: 'IDR List' <idr@ietf.org>
Subject: [Idr] 2 Week WG adoption call draft-hujun-idr-bgp-ipsec-02.txt and draft-hujun-idr-bgp-ipsec-transport-mode-00 (3/30 to 4/13/2020

This begins a 2-week WG adoption call for two drafts on BGP provisioned IPSEC infrastructure:

1) draft-hujun-idr-bgp-ipsec-02.txt:
BGP Provisioned IPSEC Tunnel Configuration

https://datatracker.ietf.org/doc/draft-hujun-idr-bgp-ipsec/

2) draft-hujun-idr-bgp-ipsec-transport-mode-00.txt:
BGP Provisioned IPsec Transport Mode Protected Tunnel Configuration

https://datatracker.ietf.org/doc/draft-hujun-idr-bgp-ipsec-transport-mode/

These drafts were presented at IETF 104 and IETF 105.
At IETF 105, there was a detailed discussion on the security issues.
After IETF 105, the author modified his draft to take care of the
issues mentioned.

Discussion during the WG Adoption should examine:
1) Has this draft addressed the necessary security issues to
    be adopted as IDR WG draft?

2) Is this useful generic IPSEC functionality for networks?

   The EVPN related to IPSEC continues in BESS.
   This draft is considered here as a general feature.

3) Are there any deployments of this draft?


Stay safe and healthy... Sue