Re: [Idr] draft-hujun-idr-bgp-ipsec
"Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com> Fri, 08 March 2019 22:48 UTC
Return-Path: <jun.hu@nokia.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 205C01277C9 for <idr@ietfa.amsl.com>; Fri, 8 Mar 2019 14:48:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hfnYJrxZForV for <idr@ietfa.amsl.com>; Fri, 8 Mar 2019 14:48:23 -0800 (PST)
Received: from FRA01-MR2-obe.outbound.protection.outlook.com (mail-eopbgr90109.outbound.protection.outlook.com [40.107.9.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9510312716C for <idr@ietf.org>; Fri, 8 Mar 2019 14:48:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PO+P9Us1mAHp/UTSGWMxLyx6j8iMNkfxWYuuKYe2qLQ=; b=F5Am+ddT5ReOTKkEt74umC/u4MyJa9jA1TU4pvFWzwWU0+O/yCtn/0CaKj0nBuCErkb7599KT5msopWr3/WkAX5hq76B9PHqf9REONbxQS10+7+rlq+dq0cTJn77hOf6qrLFdV/6lWDVls8sqvrwB6fUSDlG0Pvbi1RO8FV3KF0=
Received: from PR1PR07MB5755.eurprd07.prod.outlook.com (20.177.210.161) by PR1PR07MB5115.eurprd07.prod.outlook.com (20.177.209.160) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1686.14; Fri, 8 Mar 2019 22:48:20 +0000
Received: from PR1PR07MB5755.eurprd07.prod.outlook.com ([fe80::293b:c200:5556:d61e]) by PR1PR07MB5755.eurprd07.prod.outlook.com ([fe80::293b:c200:5556:d61e%4]) with mapi id 15.20.1686.016; Fri, 8 Mar 2019 22:48:20 +0000
From: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
To: Robert Raszuk <robert@raszuk.net>
CC: "idr@ietf. org" <idr@ietf.org>
Thread-Topic: draft-hujun-idr-bgp-ipsec
Thread-Index: AQHU1fBkv1yiyD9z+USgDZ8cdYsTSaYCPEuggAAThQCAAARe0A==
Date: Fri, 08 Mar 2019 22:48:19 +0000
Message-ID: <PR1PR07MB57559863F4ABDF1C509B2EAE954D0@PR1PR07MB5755.eurprd07.prod.outlook.com>
References: <CAOj+MMGYYO-0CmnGeXMfRo+VnVV0pYdyrR-ds56mqoRoLsh8Ew@mail.gmail.com> <PR1PR07MB5755FF20AC4C0309ED2B170D954D0@PR1PR07MB5755.eurprd07.prod.outlook.com> <CAOj+MMGmqx5+p4ZyjaKpQ-2+83kFBqUmT6XvnwHNnd9-0K735Q@mail.gmail.com>
In-Reply-To: <CAOj+MMGmqx5+p4ZyjaKpQ-2+83kFBqUmT6XvnwHNnd9-0K735Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jun.hu@nokia.com;
x-originating-ip: [135.245.20.15]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4de8958c-4e4e-442d-75ad-08d6a4182966
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:PR1PR07MB5115;
x-ms-traffictypediagnostic: PR1PR07MB5115:
x-microsoft-exchange-diagnostics: 1;PR1PR07MB5115;23:YCi/92jlnjLoJHSt1z3NrDOjahFf05d4sgvyq1rKNBSz8zYe2FjdqPmFs3/pU0DBRy141h58xoDZat1PkFkDw6uG3fIMOYPAZys+03eP0+2QQp7avOux95/pWlBdOENWZPklXhiGGKI/32S3TItrT5hcTQbY9fsFcta8r/tZPtvpJdWa909K30ZJsYpf8mQ8WCEqlpFc69L/Jkb/PAhV6ozKs/Sk8aBcs4uE279bVMzLJkQ6DNiVkWU73MglTZxUXUx522Bjda5l2EuyhZappU5huZZIpIYwFXEVboh6hrF2piuKSte6Zqsbe2TFtnFkmZpmuA5zu4jIxsaMdFe8ZV4GpzDk4yt8nQUW/xXNW4yB986DlglI4VBhfJ7fP27Yp50rLJ96ZoZ7F1NKxy+HbVL72AnU1cGQVRsxljvJq/ufXT6dMYuYhcC0dOR8JVA3FtNTsvZ1nTWI3abxdGhwYHqp4Qis6LOmSHTCtvA6yrhdvYxtqynNswPYWEYCm0NF9szWYXL5msNn2QRWYdfFGsbRcuzJYsbKQiZDfT19yYK7RmB/1K9ctg86fD2nX4ye+srfrM6e0Pb4ge/MDXU0ZPuNtb4Ttp7yuUIFeIbBX/VhH4lT/3l/Bvul622L6ajuKYpBDHk27cJGgT7chnPjG8TIBJ0L45c+Zc3+dsE1hFoeS2QKvXNHBDJ+rI2FaM7urNN6PIAooJYrQiE4JxGbTlwtAQkTJ8jhX7hbCoty9yKKrFPWxwiHtFvBtYUXavOV/CPdeCakeVT59ut4QI6T6ieFge7RuznfC6DVWxTCF4S5MG7cGAjDjbZSVT7yjivx1ZwGYj2VstCJPJ30XRT7udjoZzDgS/JszGUQv3Ae0G2/242UMrHqCC5byq84Fz1jIb1XUQysBRTDXIn/rAO+8+wUYyELSsKnpUuneaEOogk9UMAdiH7dJVPkkjb+huAxWjVEIjW+jqiTXln/AnDjsQPQj/KRqTl7f0bJpGI0CGbEGbx+Y592BSd0ghIbkw73LVWI8fMQIfOI5PxxHNETZeCW7/i38Zg8Ch482+lXNwMkg/xPwzQ0BAqqNtiVV4WR3jE9oIldowwTfboaB+fpnP8ugqqjP70K+mwZ1V+Sy5Uy3Bo05wzjpPTbpaQ6zsG35hyKOgOimvy5uxM0p/hTZ3CnKLigMYhRrcshixg59ZiyXrJr+Ojd0W7Q9+3NBar1C3D8BkHhBkpSbZITSelOZUKAcL0bAbU+cmwo0yHOa5TJAWI2O1NyDwWLTZi7A/Cr+LTchgvlyZl80uTaViiPUeb+fhAqMeJDR8d/nmno3Ou9NWIWllESbzGz+18Za94EWBaL58H42Qd4jBw9hwtfzA==
x-microsoft-antispam-prvs: <PR1PR07MB51156DF4566C9214D7E28A7C954D0@PR1PR07MB5115.eurprd07.prod.outlook.com>
x-forefront-prvs: 0970508454
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(136003)(346002)(366004)(376002)(396003)(189003)(199004)(53936002)(71200400001)(71190400001)(7736002)(25786009)(74316002)(186003)(66066001)(6436002)(8936002)(26005)(52536013)(55016002)(9686003)(97736004)(478600001)(486006)(446003)(6306002)(6916009)(54896002)(11346002)(476003)(236005)(14454004)(68736007)(33656002)(561944003)(316002)(86362001)(6246003)(66574012)(6116002)(2906002)(790700001)(3846002)(99286004)(4326008)(5024004)(8676002)(256004)(14444005)(106356001)(7696005)(81166006)(5660300002)(53546011)(105586002)(102836004)(229853002)(76176011)(6506007)(81156014); DIR:OUT; SFP:1102; SCL:1; SRVR:PR1PR07MB5115; H:PR1PR07MB5755.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: lwXeDSFgIsaZWKNBP2uskmF95PvZYribU6R/iI61SF9yH00VM4XroWKaeXYSq7/eyVu98QPBivjnOxkteVjQCcQE6bg24MuKvFkAB3X930X15/ojq1k9EOXKsGnIvfKfYeUhC3QiFkI341tSBxV9F9elERuAFMP8V0LmgM//fLvaI3N874cLRRrGsDELFr9awgB+q3FnEWGebY8oT/MY6XsB88c8jFNPq9j0noqVM7fQEso+FIkLhObM76ZVw1Uu/hhnVHsI0FKBn+smXj2Uk+W8Z1sRAxR8UxiO4EpjWs16aUoA9YUV3B8g+TppcEc3yZFfsggxEAXtiugkQtCsvSyIE1TqeLKetDP/v4X7wKVNEtiYOEtYLWsqH4TUhz6fAoW4sAL1YI4HKhHpERZrCuG/JHo/WPS1LjqlcxAMw08=
Content-Type: multipart/alternative; boundary="_000_PR1PR07MB57559863F4ABDF1C509B2EAE954D0PR1PR07MB5755eurp_"
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4de8958c-4e4e-442d-75ad-08d6a4182966
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Mar 2019 22:48:19.9224 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR1PR07MB5115
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/2Y0CdT-hGdGExmRyH8G-IMKY1wU>
Subject: Re: [Idr] draft-hujun-idr-bgp-ipsec
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 22:48:26 -0000
I agree that making remote prefix sub-TLV optional and absence of it means ANY is a better idea, will update the draft and example in it; To address use case in your email, the BGP update of NLRI prefix C need to include a Tunnel Encap attr, which include two IPsec TLVs: * IPsec TLV-1: include remote-prefix sub-TLV pA and color sub TLV A * IPsec TLV-2: include remote-prefix sub-TLV pB and color sub TLV B From: Robert Raszuk <robert@raszuk.net> Sent: Friday, March 8, 2019 2:26 PM To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com> Cc: idr@ietf. org <idr@ietf.org> Subject: Re: draft-hujun-idr-bgp-ipsec Ok that was not very clear from the draft. While your explanation is good - there may be folks who will try to include all remote prefixes as this sub-TLV is mandatory. I guess if instead of all zero's you make it also optional the room for bad encoding becomes smaller. But let's assume that you have two different IPSec encapsulation requirements A & B for the same local prefix C and two different remote prefixes pA & pB. How would you encode it in the single update msg ? Thx, R. On Fri, Mar 8, 2019 at 10:31 PM Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>> wrote: Thanks for reviewing the draft; In your example (500 routers), R2 doesn’t necessary need to advertise 500 remote prefixes because if R2 doesn’t have 500 different types IPsec encapsulation requirements for the NLRI, what it could do it just include a single all-zero remote prefix, means traffic from any source destined to this NLRI should use this particular IPsec tunnel encapsulation config; and I would expect using all-zero remote prefix would be the common use case; From: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>> Sent: Friday, March 8, 2019 12:49 PM To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>> Cc: idr@ietf. org <idr@ietf.org<mailto:idr@ietf.org>> Subject: draft-hujun-idr-bgp-ipsec Hi, I have read your proposal and have one question. The proposed encoding of additional sub-TLVs define local and remote prefixes as traffic selectors. Looks great in your example of two end points only. But introduction talks about scale so let's consider scale factor. Assume you have 500 routers in the domain. When you advertise subnet B or C from R2 now you need to include in mandatory Remote prefix sub-TLV 500 ingress prefixes as for each subnet advertised you can only send it once in BGP. Then each ingress PE receiving this huge list would need now to store all 500 ingress ACLs (mappings to IPSec tunnels) where in fact perhaps realistically only one or two ingress traffic subnets may ever be traversing via given edge router. And 500 is just following your example where ingress prefixes are directly attached to ingress router (subnet A to R1). There can be valid mapping cases where such sources are not directly attached. This really does not look at all efficient and is prone to generate a lot of unnecessary state directly proportional to network size or expected incoming src prefix number. If you really would like to use p2mp protocol for this configuration push I would recommend to leave the current Tunnel Encapsulation Attribute unchanged and simply propose to define a new SAFI with proper NLRI syntax that it is precisely efficient to the very application you describe. Effectively what you are proposing is to carry in BGP src+dst based mapping to IPSec tunnel deeply embedding this into sub-TLVs of tunnel encapsulation attribute. In principle I agree that we do see more and more use cases for src+dst based IP lookups both for native forwarding and with some form of encapsulation but the proposed nested and not efficient encoding IMO requires to be modified to work well in the assumed large scale. Thx a lot, R.
- [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)