Re: [Idr] draft-hujun-idr-bgp-ipsec

"Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com> Fri, 08 March 2019 21:32 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/6jUfkPD1wRGxRGZ-kqGmXK4cHJY>

Thanks for reviewing the draft;
In your example (500 routers), R2 doesn't necessarily need to advertise 500 remote prefixes, because if R2 doesn't have 500 different types of IPsec encapsulation requirements for the NLRI, what it could do is just include a single all-zero remote prefix, meaning traffic from any source destined to this NLRI should use this particular IPsec tunnel encapsulation config; and I would expect using an all-zero remote prefix would be the common use case.

From: Robert Raszuk <robert@raszuk.net>
Sent: Friday, March 8, 2019 12:49 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>
Cc: idr@ietf. org <idr@ietf.org>
Subject: draft-hujun-idr-bgp-ipsec

Hi,

I have read your proposal and have one question.

The proposed encoding of additional sub-TLVs defines local and remote prefixes as traffic selectors. It looks great in your example of two end points only. But the introduction talks about scale, so let's consider the scale factor.

Assume you have 500 routers in the domain.

When you advertise subnet B or C from R2, you now need to include 500 ingress prefixes in the mandatory Remote prefix sub-TLV, as each subnet advertised can only be sent once in BGP. Then each ingress PE receiving this huge list would now need to store all 500 ingress ACLs (mappings to IPSec tunnels), where in fact perhaps realistically only one or two ingress traffic subnets may ever be traversing via a given edge router.

And 500 is just following your example, where ingress prefixes are directly attached to the ingress router (subnet A to R1). There can be valid mapping cases where such sources are not directly attached.

This really does not look efficient at all and is prone to generating a lot of unnecessary state, directly proportional to the network size or the expected number of incoming src prefixes.

If you really would like to use a p2mp protocol for this configuration push, I would recommend leaving the current Tunnel Encapsulation Attribute unchanged and simply proposing to define a new SAFI with a proper NLRI syntax that is precisely efficient for the very application you describe.

Effectively what you are proposing is to carry in BGP a src+dst based mapping to an IPSec tunnel, deeply embedding this into sub-TLVs of the tunnel encapsulation attribute.

In principle I agree that we do see more and more use cases for src+dst based IP lookups, both for native forwarding and with some form of encapsulation, but the proposed nested and inefficient encoding IMO needs to be modified to work well at the assumed large scale.

Thx a lot,
R.
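The two positions in the exchange above (Robert's per-ingress-prefix selector state versus Jun's single all-zero remote prefix) as an added model, not code from the draft or from either author. It assumes a simplified reading of the encoding: each advertised NLRI carries a list of remote-prefix traffic selectors, each pointing at one IPsec tunnel config, and an ingress PE resolves a flow by matching dst against the NLRI and src against the remote prefixes (the class and function names are constructed for this illustration).

```python
# Added example: model of ingress-PE selector state and flow-to-tunnel resolution.
# Sub-TLV layout and semantics are assumed for illustration, not taken from the draft.
from ipaddress import ip_address, ip_network
from typing import List, Optional


class TunnelSelector:
    """One selector entry: traffic sourced from remote_prefix uses tunnel_id."""
    def __init__(self, remote_prefix: str, tunnel_id: str):
        self.remote_prefix = ip_network(remote_prefix)
        self.tunnel_id = tunnel_id


class Advertisement:
    """A received BGP route: destination NLRI plus its tunnel-encap selectors."""
    def __init__(self, nlri: str, selectors: List[TunnelSelector]):
        self.nlri = ip_network(nlri)
        self.selectors = selectors


def advertise_explicit(nlri: str, ingress_prefixes: List[str], tunnel_id: str) -> Advertisement:
    # One selector per ingress prefix: state grows with the number of ingress routers
    return Advertisement(nlri, [TunnelSelector(p, tunnel_id) for p in ingress_prefixes])


def advertise_wildcard(nlri: str, tunnel_id: str) -> Advertisement:
    # A single all-zero remote prefix: any source to this NLRI uses the tunnel
    return Advertisement(nlri, [TunnelSelector("0.0.0.0/0", tunnel_id)])


def installed_selector_state(rib: List[Advertisement]) -> int:
    """Selector (src ACL -> tunnel) entries an ingress PE must store for this RIB."""
    return sum(len(a.selectors) for a in rib)


def resolve_tunnel(rib: List[Advertisement], src: str, dst: str) -> Optional[str]:
    """Longest-match dst against NLRI, then longest-match src against remote prefixes."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    dst_matches = [a for a in rib if dst_ip in a.nlri]
    if not dst_matches:
        return None
    best = max(dst_matches, key=lambda a: a.nlri.prefixlen)
    src_matches = [s for s in best.selectors if src_ip in s.remote_prefix]
    if not src_matches:
        return None  # no selector covers this source: no IPsec tunnel applies
    return max(src_matches, key=lambda s: s.remote_prefix.prefixlen).tunnel_id


# Constructed sample: 500 ingress routers, each with one directly attached /24
INGRESS_PREFIXES = [f"10.{i // 256}.{i % 256}.0/24" for i in range(500)]
EXPLICIT_RIB = [advertise_explicit("192.0.2.0/24", INGRESS_PREFIXES, "ipsec-to-R2")]
WILDCARD_RIB = [advertise_wildcard("192.0.2.0/24", "ipsec-to-R2")]
```

With the explicit list every ingress PE installs all 500 selectors for a single destination subnet, while the wildcard form installs one; a source outside the explicit list resolves to no tunnel, which is the behaviour the all-zero prefix avoids.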