Re: [Idr] advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.

"Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com> Wed, 06 March 2019 21:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Io07ayMy9yTgLnKypjxbG6awstk>

Yes, your understanding is basically correct

From: Linda Dunbar <linda.dunbar@huawei.com>
Sent: Wednesday, March 6, 2019 12:46 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>; idr@ietf.org
Cc: shares@ndzh.com
Subject: RE: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.

Jun,

Reading through your draft makes me realize that you are not using BGP to propagate IKEv2, correct? i.e. IPsec's IKEv2 still uses traditional plain IKEv2 between two points.

Your draft is suggesting using TUNNEL-ENCAP to advertise that a route can be sent through an IPsec SA, in the same way a PE advertises a VXLAN tunnel for a route to remote nodes? Correct?

If my understanding is correct, yes indeed your draft is addressing a different problem space than draft-dunbar-idr-sdwan-port-safi.

Thanks,
Linda

From: Hu, Jun (Nokia - US/Mountain View) [mailto:jun.hu@nokia.com]
Sent: Wednesday, March 06, 2019 12:32 PM
To: Linda Dunbar <linda.dunbar@huawei.com>; idr@ietf.org
Cc: shares@ndzh.com
Subject: RE: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.

Yes, I am aware of them, but as I said, my draft really is not trying to be an SDN/controller approach:

  *   I am not comfortable with the idea of having a central controller deeply involved in key management; I believe key management should be peer to peer directly (e.g. using a protocol like IKEv2)
  *   I also believe there are use cases where people don't want to or cannot move to an SDN-type network, and my draft provides a solution for that

From: Linda Dunbar <linda.dunbar@huawei.com>
Sent: Wednesday, March 6, 2019 10:20 AM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>; idr@ietf.org
Cc: shares@ndzh.com
Subject: RE: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.

Jun,

For managing a large number of IPsec tunnels, there is already work in the Security Area (which has gone through violent discussion for the last year):

https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/
https://datatracker.ietf.org/doc/draft-carrel-ipsecme-controller-ike/

Linda

From: Hu, Jun (Nokia - US/Mountain View) [mailto:jun.hu@nokia.com]
Sent: Wednesday, March 06, 2019 12:09 PM
To: Linda Dunbar <linda.dunbar@huawei.com>; idr@ietf.org
Cc: shares@ndzh.com
Subject: RE: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.

Sure, we could have a discussion, and I have requested a slot to present my draft in the idr session.
Although I want to make it clear that my draft doesn't intend to be an SDWAN solution for IPsec; the intention is to address the problem of pre-provisioning and managing a large number of mesh IPsec tunnels, while keeping changes limited:

  *   no change to how IPsec is implemented (e.g. it still uses IKEv2 to create the SA)
  *   only introduces extensions based on another existing idr draft (ietf-idr-tunnel-encaps)

From: Linda Dunbar <linda.dunbar@huawei.com>
Sent: Wednesday, March 6, 2019 7:55 AM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>; idr@ietf.org
Cc: shares@ndzh.com
Subject: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.

Jun and IDR group,

We also submitted a draft for using BGP to propagate SDWAN WAN port properties (including IPsec properties). Hope we can discuss more at IETF 104 to find common ground.

https://datatracker.ietf.org/doc/draft-dunbar-idr-sdwan-port-safi/

Abstract
The document specifies a new BGP NLRI and SAFI for advertising properties of an SD-WAN edge node's WAN ports that face untrusted networks, such as the public internet. Those WAN ports may get assigned IP addresses from the Internet Service Providers (ISPs), may get assigned dynamic IP addresses via DHCP, or may have private addresses (e.g. inside third party Cloud DCs). Packets sent over those SDWAN WAN ports might need to be encrypted (depending on the user policies) or need to go through NAT. SD-WAN edges need to propagate those WAN port properties to their SDWAN controller, which propagates them to the authorized peers and manages the IPsec SAs among those peers for encrypting traffic via the untrusted networks.
BGP Route Reflectors (RR) are proposed as points of combination for this information in order to allow scaling of the SDWAN.


Linda Dunbar


From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of Hu, Jun (Nokia - US/Mountain View)
Sent: Tuesday, March 05, 2019 9:42 PM
To: idr@ietf.org
Cc: shares@ndzh.com
Subject: [Idr] draft-hujun-idr-bgp-ipsec-00

Hi,
I submitted following draft:

URL:            https://www.ietf.org/internet-drafts/draft-hujun-idr-bgp-ipsec-00.txt

Htmlized:       https://tools.ietf.org/html/draft-hujun-idr-bgp-ipsec-00


This document defines a method of using BGP to signal IPsec tunnel configuration along with the NLRI; it uses and extends the tunnel encapsulation attribute as specified in [I-D.ietf-idr-tunnel-encaps] (https://tools.ietf.org/html/draft-hujun-idr-bgp-ipsec-00#ref-I-D.ietf-idr-tunnel-encaps) for IPsec tunnels.

Review and comments are greatly appreciated!

Thanks
---------
Hu Jun, ION Nokia
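Both drafts in this thread build on the Tunnel Encapsulation attribute framing from draft-ietf-idr-tunnel-encaps (published as RFC 9012). As an added example that is not code from draft-hujun-idr-bgp-ipsec, draft-dunbar-idr-sdwan-port-safi, or any implementation of either, the Python below encodes and parses that framing: a Tunnel TLV carrying Remote Endpoint and Color sub-TLVs, with the VXLAN tunnel type and sub-TLV code points taken from RFC 9012. The IPsec tunnel type and the IPsec-specific sub-TLVs that Jun's draft defines are deliberately not reproduced; an IPsec tunnel would sit in the same framing with its own code points. The sample attribute (AS 64512, endpoint 192.0.2.1, color 100) is constructed for the example.

```python
import ipaddress
import struct

# Code points from RFC 9012 (the published form of draft-ietf-idr-tunnel-encaps).
TUNNEL_ENCAP_ATTR_TYPE = 23   # optional transitive path attribute type code
TUNNEL_TYPE_VXLAN = 8         # IANA BGP tunnel type
SUBTLV_COLOR = 4
SUBTLV_REMOTE_ENDPOINT = 6


class MalformedAttribute(ValueError):
    """Bad framing; RFC 9012 handles this with treat-as-withdraw (RFC 7606)."""


def encode_remote_endpoint(asn, address):
    """Remote Endpoint value: AS number (4), AFI (2), address (4 or 16)."""
    ip = ipaddress.ip_address(address)
    return struct.pack("!IH", asn, 1 if ip.version == 4 else 2) + ip.packed


def encode_color(color):
    """Color value is a Color Extended Community: 0x03 0x0b, 2 reserved, 4-byte color."""
    return struct.pack("!BBHI", 0x03, 0x0B, 0, color)


def encode_sub_tlv(stype, value):
    """Length field is 1 octet for sub-TLV types 0-127 and 2 octets for 128-255."""
    if stype < 128:
        if len(value) > 255:
            raise ValueError("sub-TLV %d too long for a 1-octet length" % stype)
        return struct.pack("!BB", stype, len(value)) + value
    return struct.pack("!BH", stype, len(value)) + value


def encode_tunnel_tlv(tunnel_type, sub_tlvs):
    """Tunnel TLV: Tunnel Type (2), Length (2), then the sub-TLVs."""
    body = b"".join(encode_sub_tlv(t, v) for t, v in sub_tlvs)
    return struct.pack("!HH", tunnel_type, len(body)) + body


def _decode_value(stype, value):
    if stype == SUBTLV_REMOTE_ENDPOINT:
        if len(value) < 6:
            raise MalformedAttribute("short Remote Endpoint sub-TLV")
        asn, afi = struct.unpack("!IH", value[:6])
        if (afi, len(value) - 6) not in ((1, 4), (2, 16)):
            raise MalformedAttribute("Remote Endpoint AFI/address length mismatch")
        return asn, str(ipaddress.ip_address(value[6:]))
    if stype == SUBTLV_COLOR:
        if len(value) != 8 or value[:2] != b"\x03\x0b":
            raise MalformedAttribute("bad Color sub-TLV")
        return struct.unpack("!I", value[4:])[0]
    return value  # unknown sub-TLV types stay opaque rather than being dropped


def decode_sub_tlvs(data):
    out, pos = [], 0
    while pos < len(data):
        stype = data[pos]
        hdr = 2 if stype < 128 else 3
        if pos + hdr > len(data):
            raise MalformedAttribute("truncated sub-TLV header")
        length = data[pos + 1] if hdr == 2 else struct.unpack("!H", data[pos + 1:pos + 3])[0]
        value = data[pos + hdr:pos + hdr + length]
        if len(value) != length:  # length field must not run past the enclosing TLV
            raise MalformedAttribute("sub-TLV length runs past the tunnel TLV")
        out.append((stype, _decode_value(stype, value)))
        pos += hdr + length
    return out


def decode_tunnel_encap(data):
    """Parse an attribute value into [(tunnel_type, [(sub_tlv_type, value), ...]), ...]."""
    tunnels, pos = [], 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise MalformedAttribute("truncated tunnel TLV header")
        ttype, length = struct.unpack("!HH", data[pos:pos + 4])
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise MalformedAttribute("tunnel TLV length runs past the attribute")
        tunnels.append((ttype, decode_sub_tlvs(body)))
        pos += 4 + length
    return tunnels


def is_well_formed(data):
    """True if the attribute value parses; a receiver withdraws the route otherwise."""
    try:
        decode_tunnel_encap(data)
        return True
    except MalformedAttribute:
        return False


def example_attribute():
    """Constructed sample (not from any draft): VXLAN to 192.0.2.1 in AS 64512, color 100."""
    return encode_tunnel_tlv(TUNNEL_TYPE_VXLAN, [
        (SUBTLV_REMOTE_ENDPOINT, encode_remote_endpoint(64512, "192.0.2.1")),
        (SUBTLV_COLOR, encode_color(100)),
    ])
```

The parser checks every length field against the enclosing TLV before slicing, because an attribute arriving over an untrusted WAN port is attacker-controlled bytes and RFC 9012 requires a malformed attribute to be handled as treat-as-withdraw rather than propagated. Unknown sub-TLV types are returned opaque so a receiver can still see (and log) what a peer advertised. Note that, as the thread says, advertising a tunnel this way only signals the endpoint; the SA itself is still established by IKEv2 between the two peers.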