Re: [Idr] advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.
Linda Dunbar <linda.dunbar@huawei.com> Wed, 06 March 2019 21:03 UTC
Return-Path: <linda.dunbar@huawei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AA0F12DF71 for <idr@ietfa.amsl.com>; Wed, 6 Mar 2019 13:03:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.189
X-Spam-Level:
X-Spam-Status: No, score=-4.189 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16KcaC9PrTES for <idr@ietfa.amsl.com>; Wed, 6 Mar 2019 13:03:38 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) by ietfa.amsl.com (Postfix) with ESMTP id 17E9D1277D2 for <idr@ietf.org>; Wed, 6 Mar 2019 13:03:38 -0800 (PST)
Received: from lhreml704-cah.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 8E72DA11C8875D6FDA60 for <idr@ietf.org>; Wed, 6 Mar 2019 20:46:26 +0000 (GMT)
Received: from SJCEML701-CHM.china.huawei.com (10.208.112.40) by lhreml704-cah.china.huawei.com (10.201.108.45) with Microsoft SMTP Server (TLS) id 14.3.408.0; Wed, 6 Mar 2019 20:46:25 +0000
Received: from SJCEML521-MBS.china.huawei.com ([169.254.2.29]) by SJCEML701-CHM.china.huawei.com ([169.254.3.135]) with mapi id 14.03.0415.000; Wed, 6 Mar 2019 12:46:22 -0800
From: Linda Dunbar <linda.dunbar@huawei.com>
To: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>, "idr@ietf.org" <idr@ietf.org>
CC: "shares@ndzh.com" <shares@ndzh.com>
Thread-Topic: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.
Thread-Index: AdTUNMBwOFNYhyoITy27A3Y11MvQyAAERJvgAACvJbAAAD7JoAAEcPTQ
Date: Wed, 06 Mar 2019 20:46:23 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B2EA048@sjceml521-mbs.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B2E8D3F@sjceml521-mbs.china.huawei.com> <PR1PR07MB575531B1ACC8CA53CA053A1295730@PR1PR07MB5755.eurprd07.prod.outlook.com> <4A95BA014132FF49AE685FAB4B9F17F66B2E9F51@sjceml521-mbs.china.huawei.com> <PR1PR07MB5755AF40CC27242AC0E220C095730@PR1PR07MB5755.eurprd07.prod.outlook.com>
In-Reply-To: <PR1PR07MB5755AF40CC27242AC0E220C095730@PR1PR07MB5755.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.192.11.84]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B2EA048sjceml521mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/9ystNHc3Mhp_rOD9n8FSmd0Hhko>
Subject: Re: [Idr] advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 21:03:44 -0000
Jun, Reading through your draft makes me realize that you are not using BGP to propagate IKEv2, correct? i.e. IPsec's IKEv2 still uses traditional plain IKEv2 between two points. Your draft is suggesting using TUNNEL-ENCAP to advertise a route can be sent through an IPsec SA, in the same way PE advertise VXLAN tunnel for a route to remote nodes? Correct? If my understanding is correct, yes indeed your draft is addressing a different problem space as draft-dunbar-idr-sdwan-port-safi. Thanks, Linda From: Hu, Jun (Nokia - US/Mountain View) [mailto:jun.hu@nokia.com] Sent: Wednesday, March 06, 2019 12:32 PM To: Linda Dunbar <linda.dunbar@huawei.com>; idr@ietf.org Cc: shares@ndzh.com Subject: RE: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet. Yes, I am aware of them, but as I said, my draft really is not try to be SDN/controller approach: - I am not comfortable with the idea of having a central controller to deeply involved in key management; I believe key management should be peer to peer directly (e.g. using protocol like IKEv2) - I also believe there is use case where people doesn't want to or can not move to a SDN type network, and my draft provides a solution for that From: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>> Sent: Wednesday, March 6, 2019 10:20 AM To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>>; idr@ietf.org<mailto:idr@ietf.org> Cc: shares@ndzh.com<mailto:shares@ndzh.com> Subject: RE: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet. Jun, For managing large number of IPsec, there are already work in Security Area (which has gone through violent discussion for last year): https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/ https://datatracker.ietf.org/doc/draft-carrel-ipsecme-controller-ike/ Linda From: Hu, Jun (Nokia - US/Mountain View) [mailto:jun.hu@nokia.com] Sent: Wednesday, March 06, 2019 12:09 PM To: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>; idr@ietf.org<mailto:idr@ietf.org> Cc: shares@ndzh.com<mailto:shares@ndzh.com> Subject: RE: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet. Sure, we could have discussion, and I have requested a slot to present my draft in idr session Although I want to make it clear is that my draft doesn't intend to be a SDWAN solution for IPsec, and the intension is to address problem of pre-provision and managing large number of mesh IPsec tunnels, while keep changes limited: * no change on how IPsec is implemented (e.g. still uses IKEv2 to create SA) * only introduces extensions based on another existing idr draft (ietf-idr-tunnel-encaps) From: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>> Sent: Wednesday, March 6, 2019 7:55 AM To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>>; idr@ietf.org<mailto:idr@ietf.org> Cc: shares@ndzh.com<mailto:shares@ndzh.com> Subject: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet. Jun and IDR group, We also submitted a draft for using BGP to propagate SDWAN WAN ports properties (including IPsec properties). Hope we can discuss more in IETF 104 to find a common ground. https://datatracker.ietf.org/doc/draft-dunbar-idr-sdwan-port-safi/ Abstract The document specifies a new BGP NLRI and SAFI for advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet. Those WAN ports may get assigned IP addresses from the Internet Service Providers (ISPs), may get assigned dynamic IP addresses via DHCP, or may have private addresses (e.g. inside third party Cloud DCs). Packets sent over those SDWAN WAN ports might need to be encrypted (depending on the user policies) or need to go through NAT. SD-WAN edge need to propagate those WAN ports properties to its SDWAN controller, which propagates to the authorized peers and manage the IPsec SAs among those peers for encrypting traffic via the untrusted networks. BGP Route Reflectors (RR) are proposed as points of combination for this information in order to allow scaling of the SDWAN. Linda Dunbar From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of Hu, Jun (Nokia - US/Mountain View) Sent: Tuesday, March 05, 2019 9:42 PM To: idr@ietf.org<mailto:idr@ietf.org> Cc: shares@ndzh.com<mailto:shares@ndzh.com> Subject: [Idr] draft-hujun-idr-bgp-ipsec-00 Hi, I submitted following draft: URL: https://www.ietf.org/internet-drafts/draft-hujun-idr-bgp-ipsec-00.txt Htmlized: https://tools.ietf.org/html/draft-hujun-idr-bgp-ipsec-00 This document defines a method of using BGP to signal IPsec tunnel configuration along with NLRI, it uses and extends tunnel encapsulation attribute as specified in [I-D.ietf-idr-tunnel-encaps<https://tools.ietf.org/html/draft-hujun-idr-bgp-ipsec-00#ref-I-D.ietf-idr-tunnel-encaps>] for IPsec tunnel. Review and comments are greatly appreciated! Thanks --------- Hu Jun, ION Nokia
- [Idr] advertising properties of a SD-WAN edge nod… Linda Dunbar
- Re: [Idr] advertising properties of a SD-WAN edge… Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] advertising properties of a SD-WAN edge… Linda Dunbar
- Re: [Idr] advertising properties of a SD-WAN edge… Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] advertising properties of a SD-WAN edge… Linda Dunbar
- Re: [Idr] advertising properties of a SD-WAN edge… Hu, Jun (Nokia - US/Mountain View)