IETF Logo Mail Archive

Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?

Robert Raszuk <robert@raszuk.net> Mon, 09 July 2018 20:53 UTC

Return-Path: <rraszuk@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10F4E131059; Mon, 9 Jul 2018 13:53:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.39
X-Spam-Level:
X-Spam-Status: No, score=-1.39 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d3G37UN5RXho; Mon, 9 Jul 2018 13:53:34 -0700 (PDT)
Received: from mail-pf0-x22f.google.com (mail-pf0-x22f.google.com [IPv6:2607:f8b0:400e:c00::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D1FF131057; Mon, 9 Jul 2018 13:53:34 -0700 (PDT)
Received: by mail-pf0-x22f.google.com with SMTP id c21-v6so9865358pfn.8; Mon, 09 Jul 2018 13:53:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=TIN2EV4VrmIngSrQfopSrqVCa6CgqykJzps6ZMw76ag=; b=m1y1dup1fkdrdQXhFKWbNkYv0boS4idVAj+2LeXWIb3RfQrnbpUuQJw7nLqdmN/fv/ qMZneI7i3UpfgN/pSENFcBlFmg++/7wpAO/xo4zo9Kq95mHpBHjoSs5Zm9QAiJSDYoT9 UJZnI+td2INKfdof07D4tyJXKiHMqqWL/WHYKwEPL4MfETVvgrEJMXz0I3++KcLAe5/l iid1TdDNlbouKm7+NLLv0IoCd/fz3uOapHJDQbIIiSvXGZxYeKuYS2Y03CLqmEISzfSk 7bgSqs+lyJuw6+2kwrKCTs5zzMz4Y1QZMMyzik2OCJxKQ9StJM568obLaIkAe8be/lJN wpQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=TIN2EV4VrmIngSrQfopSrqVCa6CgqykJzps6ZMw76ag=; b=LWlDvEXjZJ9kRS6yxPbecbQOlkNbSMhI2yLtaKWKr+w7I0hR9ova1SIoSJH054ANFx YtfMRQ7UF0LAUC2DrVskeqdY41Fo1lmKrMZ/dua1UJ/R6aSyHRwKh/asMuQXMVyg/ipE unLnwrVEq4NxwO1yo2uhuPV7HLxE/X+nrocChAB0afyRk/65VwEzgKkdBdPS0agM6Rcm CetAz98NDPH9c90Ne8OD48SCfM9oEX7SmlKphMqcypYmdmu1W5BWkhGZZlcaD0qa6UTE L3Z0WNRjExkGH9PKFaK1Sh3vmRzf5j6IDYGi5ikmqoUbaUD6+Ly6sd5F/lmWyGuG6ATk 6AkQ==
X-Gm-Message-State: APt69E1LqGK1/0mNJefAgRzvxi/CEKeVEVLyCbKh07gdMrOcTJxA2DOz yRSVQzrrBZ4ReXuWeETZOXfW78JhkP8I62TaVBc=
X-Google-Smtp-Source: AAOMgpecc73PK9i2CYgZ4jzHkPxG+u4VXufsd6nViA8+8XFp0K3DUpm8ReaFICpwXwG5HAJ95lBZ6drXSgkU3oDWczs=
X-Received: by 2002:a62:e0d5:: with SMTP id d82-v6mr22726322pfm.59.1531169613382; Mon, 09 Jul 2018 13:53:33 -0700 (PDT)
MIME-Version: 1.0
Sender: rraszuk@gmail.com
Received: by 2002:a17:90a:37e7:0:0:0:0 with HTTP; Mon, 9 Jul 2018 13:53:32 -0700 (PDT)
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B0A8BEF@sjceml521-mbs.china.huawei.com>
References: <78D707C9-6DC2-459F-81E4-A53B46F1F019@gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B0A8BCC@sjceml521-mbs.china.huawei.com> <DF0D0CFA-AFCA-44FF-ADD8-BE6EDC51AFEA@gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B0A8BEF@sjceml521-mbs.china.huawei.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Mon, 09 Jul 2018 22:53:32 +0200
X-Google-Sender-Auth: t1TsK37mK0OJkCsG4wzRW9BdiNw
Message-ID: <CA+b+ERmENsva=5ZT_4x8+NaokXCpBEN+LTU0xwhN_W4cvmOsqQ@mail.gmail.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Cc: Jeff Tantsura <jefftant.ietf@gmail.com>, Eric C Rosen <erosen@juniper.net>, "idr@ietf.org" <idr@ietf.org>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e588db0570973477"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/BF9It0gjwFQY8E-PsRiS6wxoQO0>
Subject: Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 20:53:38 -0000

Hi Linda,

I think Jeff is asking why not to use well known community to scope the
blast radius of the advertisement.

But personally I think this is pretty weak protection - if this would be
the only protection against IPSec credential's hijack. IMO this needs to be
protected a bit stronger such that even leak of the update will cause no
harm or VPN compromise.

Thx,
R.



On Mon, Jul 9, 2018 at 10:50 PM, Linda Dunbar <linda.dunbar@huawei.com>
wrote:

> Jeff,
>
>
>
> The answer to your question “Why would you want to build what you are
> trying to do into protocol?” is
>
> -        We want to use BGP to do more (i.e. use RR to distribute
> information injected from and by a controller). to eliminate dealing with
> the changes to NHRP/DSVPN.
>
>
>
> Can you elaborate the “the existing technology”?
>
>
>
> Linda
>
>
>
> *From:* Jeff Tantsura [mailto:jefftant.ietf@gmail.com]
> *Sent:* Monday, July 09, 2018 3:35 PM
>
> *To:* Linda Dunbar <linda.dunbar@huawei.com>; Eric C Rosen <
> erosen@juniper.net>; idr@ietf.org; draft-ietf-idr-tunnel-encaps@ietf.org
> *Subject:* Re: [Idr] Possible to set up priority for Tunnels established
> by draft-ietf-idr-tunnel-encaps-09 ?
>
>
>
> Linda,
>
>
>
> You meant to say – you’d use RR to distribute information injected from
> and by a controller?
>
> Reflector (as the name suggests) reflects the routes, it doesn’t
> originates them as part of the reflector functionality  (it for sure could
> as a BGP speaker if such functionality is collocated with RR)
>
>
>
> Please read my initial questions, it looks like what you are trying to
> achieve could be done with the existing technology.
>
> Thanks!
>
>
>
> Cheers,
>
> Jeff
>
>
>
> *From: *Linda Dunbar <linda.dunbar@huawei.com>
> *Date: *Monday, July 9, 2018 at 13:28
> *To: *Jeff Tantsura <jefftant.ietf@gmail.com>, Eric C Rosen <
> erosen@juniper.net>, "idr@ietf.org" <idr@ietf.org>, "
> draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@
> ietf.org>
> *Subject: *RE: [Idr] Possible to set up priority for Tunnels established
> by draft-ietf-idr-tunnel-encaps-09 ?
>
>
>
> Jeff,
>
>
>
> We would like to use RR as controller to distribute more detailed tunnel
> information, such as IPsec configuration & keys because in managed large
> scale Overlay deployment (SD-WAN), it doesn’t scale to allow all CPEs to
> negotiate IPsec keys.
>
>
>
> Linda
>
>
>
> *From:* Jeff Tantsura [mailto:jefftant.ietf@gmail.com
> <jefftant.ietf@gmail.com>]
> *Sent:* Monday, July 09, 2018 3:25 PM
> *To:* Linda Dunbar <linda.dunbar@huawei.com>; Eric C Rosen <
> erosen@juniper.net>; idr@ietf.org; draft-ietf-idr-tunnel-encaps@ietf.org
> *Subject:* Re: [Idr] Possible to set up priority for Tunnels established
> by draft-ietf-idr-tunnel-encaps-09 ?
>
>
>
> Hi Linda,
>
>
>
> Why would you want to build what you are trying to do into protocol?
>
> #1 local policy
>
> #2  NO_ADVERTISE does that exactly
>
>
>
> Cheers,
>
> Jeff
>
>
>
> *From: *Idr <idr-bounces@ietf.org> on behalf of Linda Dunbar <
> linda.dunbar@huawei.com>
> *Date: *Monday, July 9, 2018 at 13:14
> *To: *Eric C Rosen <erosen@juniper.net>, "idr@ietf.org" <idr@ietf.org>, "
> draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@
> ietf.org>
> *Subject: *[Idr] Possible to set up priority for Tunnels established by
> draft-ietf-idr-tunnel-encaps-09 ?
>
>
>
> Eric,
>
>
>
> draft-ietf-idr-tunnel-encaps-09 discussed ways to resolve conflicts of
> multiple UPDATE messages with Tunnel Encap attributes.
>
>
>
> Is it possible to have following capability?
>
> -        Have a bit indicating a specific UPDATE is from authoritative
> source, therefore overwrite all other Tunnel Attributes for the Prefix X to
> avoid recursive next hop issues and tunnel selection at the receiving
> Router?
>
> -        Have a bit indicating that a specific UPDATE only contain Tunnel
> attributes for the receiving Router, therefore can’t be forwarded?
>
>
>
> You said that SAFI 7 is deprecated because no one seemed interested in
> using it. We are very interested in using it because
>
> -        it can be easily distinguished from normal  BGP UPDATE
>
> -         The receiving router doesn’t have to “Filter” the tunnel
> attributes before forwarding to others.
>
> -        Can even be used for passing reconfigured IPsec keys to two ends
> of a tunnel.
>
>
>
> Therefore we think SAFI 7 should be reserved.
>
>
>
> Thanks, Linda Dunbar
>
>
>
> *From:* Eric C Rosen [mailto:erosen@juniper.net <erosen@juniper.net>]
> *Sent:* Tuesday, July 03, 2018 12:21 PM
> *To:* Linda Dunbar <linda.dunbar@huawei.com>; idr@ietf.org;
> draft-ietf-idr-tunnel-encaps@ietf.org
> *Subject:* Re: What are side effect for having Encap SAFI? can
> draft-ietf-idr-tunnel-encaps-09 preserve trigger tunnel creation before
> VPN is established?
>
>
>
> On 7/2/2018 6:31 PM, Linda Dunbar wrote:
>
> Eric, IDR group,
>
>
>
> It is indicated that RFC5512 is to be replaced by
> draft-ietf-idr-tunnel-encaps. But draft-ietf-idr-tunnel-encaps-09 stated
> that it deprecates the
>
> Encapsulation SAFI.
>
>
>
> We find the Encapsulation SAFI is quite useful for CPE based EVPN.  For
> example, a Controller (say RR) can send an update with Encapsulation SAFI
> to two end points to trigger a tunnel establishment between them.
>
> What are side effect for having Encap SAFI? Can we preserve it in
> draft-ietf-idr-tunnel-encaps?
>
>
>
> Thanks, Linda Dunbar
>
>
>
>
> SAFI 7 was deprecated because no one seemed interested in using it, it
> creates additional operational issues, there is no real need for it, and it
> was discouraging folks from actually using the Tunnel Encapsulation
> attribute.  This is discussed briefly in section 1.2 of the draft.
>
> You can get a similar effect by using the technique described in section 7
> of the draft.
>
> If PE1 is the egress point of a tunnel, have PE1 originate an UPDATE whose
> NLRI is PE1's loopback address.  Put the Tunnel Encapsulation attribute
> (with PE1 as remote endpoint) on this UPDATE.  (The next hop field of this
> UPDATE doesn't really matter, as long as it is resolvable.)  When PE1
> originates VPN routes, it sets the next hop to be its loopback address.
> Per section 7, this will result in packets being sent to PE1 though the
> specified tunnel.
>
>
>
> _______________________________________________ Idr mailing list
> Idr@ietf.org https://www.ietf.org/mailman/listinfo/idr
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
>

v2.23.0 | Report a Bug | By Email