IETF Logo Mail Archive

Re: [Idr] Error in draft-ietf-idr-sdwan-edge-discovery use of Encapsulation Extended Community

Susan Hares <shares@ndzh.com> Wed, 28 February 2024 22:32 UTC

Return-Path: <shares@ndzh.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A722C14F6B7; Wed, 28 Feb 2024 14:32:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.56
X-Spam-Level:
X-Spam-Status: No, score=-0.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XiYZiWylGiy4; Wed, 28 Feb 2024 14:32:40 -0800 (PST)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2111.outbound.protection.outlook.com [40.107.94.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7983FC14F61A; Wed, 28 Feb 2024 14:32:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IJaZ58O5+qps7CN6pOsc966l2aAqk+h+j8H5C+bm0CRX/I/t3I4Gb15nIvglRX9Tknjcmy+/id6LKIpJZDSc35rOFqEh638wLHOJgi+xlXFOt8dQ6tzpVvkLtqyV+I/hBPQCvyssKfwl/WjKOu1vD+YwFUXzlR1kuS2rFDph5o8oWLbjmnPNZg8ZqS+3oX/bStHYZg3LVuJSFc+upiXkKGQR9+lZg+t894J3ijVnFx1KGD6LlKoTRdBZHJrLHdNvAgRYot+3tDIBsS2j7YDG2TyKyF0oIKYtKM4Rw5kWUFcbmMIu1H5Z4sfPQ9FFmT/JauCHsXUjsvV97JotJVqqxg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=jwtRccn3rAcJZelfE44BId+IfAQbxpGL9/SsTfi38m8=; b=PuAWJkellg1WRuI2gCkWQnxBSyv+++NrgQ2evVHQg+Rvqeu7qsLl6dVRAHFpMweQR1xq9c0+YtC3HtATMouNDVHb8rAEDR0UgGhDB6snsz5oehVqSJ3h1Iy8SNF9IHeiCCBqzMyR59ujxoyD3gVC2eDPiufx3ttOfqDVVHvCZk2kBo3XH/M6g3JdDice1A8R1LLVPM/6x+U/5VWnfw+OGOz9qjzTf4hLT28sx7+/EXiniemYeWNPVWGQr2nR0f0SCpvgYr8sSlnGVPmzsKw/ipSpLGpuJro6YAi3ver2auqikBOaupsTS6PqO7MLg6N5pzM5Nm1965lhGLCUY3GpMQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 104.47.55.101) smtp.rcpttodomain=futurewei.com smtp.mailfrom=ndzh.com; dmarc=bestguesspass action=none header.from=ndzh.com; dkim=none (message not signed); arc=none (0)
Received: from MW4P223CA0029.NAMP223.PROD.OUTLOOK.COM (2603:10b6:303:80::34) by SA3PR08MB8875.namprd08.prod.outlook.com (2603:10b6:806:381::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7316.36; Wed, 28 Feb 2024 22:32:37 +0000
Received: from MW2NAM12FT049.eop-nam12.prod.protection.outlook.com (2603:10b6:303:80:cafe::46) by MW4P223CA0029.outlook.office365.com (2603:10b6:303:80::34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7339.28 via Frontend Transport; Wed, 28 Feb 2024 22:32:36 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 104.47.55.101) smtp.mailfrom=ndzh.com; dkim=none (message not signed) header.d=none;dmarc=bestguesspass action=none header.from=ndzh.com;
Received-SPF: Pass (protection.outlook.com: domain of ndzh.com designates 104.47.55.101 as permitted sender) receiver=protection.outlook.com; client-ip=104.47.55.101; helo=NAM10-MW2-obe.outbound.protection.outlook.com; pr=C
Received: from obx-outbound.inkyphishfence.com (3.132.208.199) by MW2NAM12FT049.mail.protection.outlook.com (10.13.181.183) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7362.14 via Frontend Transport; Wed, 28 Feb 2024 22:32:36 +0000
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2101.outbound.protection.outlook.com [104.47.55.101]) by obx-inbound.inkyphishfence.com (Postfix) with ESMTPS id 19B71C360C; Wed, 28 Feb 2024 22:32:35 +0000 (UTC)
Received: from DM6PR08MB4857.namprd08.prod.outlook.com (2603:10b6:5:44::25) by PH0PR08MB6454.namprd08.prod.outlook.com (2603:10b6:510:31::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7316.39; Wed, 28 Feb 2024 22:32:30 +0000
Received: from DM6PR08MB4857.namprd08.prod.outlook.com ([fe80::1766:7272:5562:295e]) by DM6PR08MB4857.namprd08.prod.outlook.com ([fe80::1766:7272:5562:295e%6]) with mapi id 15.20.7316.039; Wed, 28 Feb 2024 22:32:30 +0000
From: Susan Hares <shares@ndzh.com>
To: Linda Dunbar <linda.dunbar@futurewei.com>, John Scudder <jgs@juniper.net>
CC: Robert Raszuk <robert@raszuk.net>, "idr@ietf.org" <idr@ietf.org>, "draft-ietf-idr-sdwan-edge-discovery@ietf.org" <draft-ietf-idr-sdwan-edge-discovery@ietf.org>
Thread-Topic: Error in draft-ietf-idr-sdwan-edge-discovery use of Encapsulation Extended Community
Thread-Index: AQHaab1aJbLjWCwZYUyhASue85C1X7EewhRQgAAOvwCAAAHU0IAACaoAgAABooCAAABKEIAACsCAgAAc0sCAAVAI8A==
Date: Wed, 28 Feb 2024 22:32:30 +0000
Message-ID: <DM6PR08MB4857E2ECF975C9DC9B6156B4B3582@DM6PR08MB4857.namprd08.prod.outlook.com>
References: <7FDF55CE-3E6B-47EC-8504-C9884BD212A9@juniper.net> <CO1PR13MB4920A302CE1D5AE545CD243485592@CO1PR13MB4920.namprd13.prod.outlook.com> <3CC853C3-960C-4AE2-BB45-69E8F48356B9@juniper.net> <CO1PR13MB4920C89AD7FCF4245DF9444185592@CO1PR13MB4920.namprd13.prod.outlook.com> <CAOj+MMEpC5caAtKCLSc6MrHUX1Qa3gtPO919nYpk9jyTdYXuSA@mail.gmail.com> <1DB2D1F0-E0F9-41F6-B49A-0126D25BE2DD@juniper.net> <PH0PR13MB4922F82CF2D623474D4BD8A585582@PH0PR13MB4922.namprd13.prod.outlook.com> <A1DC1B7C-B767-48A9-9BEA-A5EFBE85E9C9@juniper.net> <CO1PR13MB4920A1105DE8C0461BA1614F85582@CO1PR13MB4920.namprd13.prod.outlook.com>
In-Reply-To: <CO1PR13MB4920A1105DE8C0461BA1614F85582@CO1PR13MB4920.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-traffictypediagnostic: DM6PR08MB4857:EE_|PH0PR08MB6454:EE_|MW2NAM12FT049:EE_|SA3PR08MB8875:EE_
X-MS-Office365-Filtering-Correlation-Id: 5708f385-cc5c-48f8-9c92-08dc38ad2a20
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: SDlorhUKPOpdPSWth3B32ewgacDFr168XCa2SeNW9iSYdwfVlRzh4QMNq5sXB+3QAsjFyHR6ZpDSQQtyckoC+fHB+RnPGrCo03aLRE1tfzdg3bjQpZujtG/STGlrkxYQ4bkXkNp57HS55GBObQCGPkeZail42/G8q26m/iPnjY7cCoerwxCYMUJiHLRZ6VNJtZZZ7w0dhSbL6VZl27gJTPX9uWKd1daXu8l8BZ0OngHRnG0qHTCXSXJiAwvEMAAOsDPH9Es/Af54EdepletDsEct9mmLX0abLSPo0EjLyW32ECiSapStN4FQSicD1ixyyrAMSBTARhtayaBxlBMCfL9LKNtf2dmqXNwrFvEshmESCRjkaRX+hDajUGBqE2w7M946JL8EatlzC9ZA+3lortcYHqYK4DLfswWCM9xlGdAyqHQevkFExEn6uvNw/aw8EBtjZFcCOcIiACVQ1MSWYc60FhJB9UogvXJhUHT1T3Aq5L6GjA2Kb2FjH6/GMXQ2TPTLSAn+Zpax8ZrwrtDtK9sElx8P7EHF349z/frif/sbaK8ArTCt1p1k+aPHwYytyoTbI2UkzK1YabSXf+w0qynJs0+dG/2dOtVgBEuKK1zKJN1Ti1RZc9z0S82//AfamYBBwgaSTkKRmMguNG2IqUbCOa6HI1Ffn+jSL7M7wC7BRUdCKichghxqDtsbO1g0YVYOdGKSBySFzDz7xND3AaxQVZ0Sy+X2T+2xbNaw72s=
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR08MB4857.namprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(38070700009); DIR:OUT; SFP:1102;
Content-Type: multipart/alternative; boundary="_000_DM6PR08MB4857E2ECF975C9DC9B6156B4B3582DM6PR08MB4857namp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR08MB6454
X-Inky-Outbound-Processed: True
X-EOPAttributedMessage: 0
X-MS-Exchange-SkipListedInternetSender: ip=[104.47.55.101]; domain=NAM10-MW2-obe.outbound.protection.outlook.com
X-MS-Exchange-ExternalOriginalInternetSender: ip=[104.47.55.101]; domain=NAM10-MW2-obe.outbound.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersStripped: MW2NAM12FT049.eop-nam12.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: a131b37e-176f-4758-40b3-08dc38ad269e
X-IPW-GroupMember: False
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: qwuCSj+HhKv00dqvF9px6HO6OnzoKw13BnexUH39/yxf3zz9DcquEgf+LZlVNtCmZUtqpSWwfbLxiONL1tpFEEFlg1y6By0quJF+BMAdK+cjNgA5gPe7lp/6GIt80bvRo1/O8MSmz4DBTZ+zdI2U3pPVmugeMsTwnKn282Wto+WKEerQ0hEpa9OVu1ZiP4Mk1VJjrqJQgp13TXWl6+tKB8A1w6qB5tKoTFw1HLXJr1aN5xl0cpd7wUgaVfkFYXqsLRc0eej1xhVcMMQwJAzxSXJgMqL69f7/T31S/wJJ1MJ2Q9B33K+p1NvH4jas6I19Q+zZeka/Br7NO62dRpOX5c1unyn+QMwox0PqgXKw2bO/EnSfI5NyTiTorcUXZ89urjbZMqlg16hyn2P4nra+cu/BRbCuna9eH6zISLBkOX627MJ6ttKYGHLo4jLld4Cu+aqD9vtxpdLx4XtcnRAmXvtyFunQm0mwi7yImjKZRV4CdUOkUk6AfQCVUzcxNgOKiqimVQSKTxpwpemZ2FIw5ZOmZPhs6m335s2HSppD9U40ymSPn7ziT/L8IkZCZICC9oWtaooZ8UTgyUdavFU4uX5K0lAFUExeniIBQILmwuyUYi+nR9571TRsfMAXdy1L5+NQa5yuG8FpJ46ZHYBYduw3YnXJc1ZMCt00WbN9VhWgakQkkYI58Xbk60KIw0oYS6nN92Sbdx/wd7o0jONGEQuIIOQNpqdag68edhDjxOUZUxV5cdPkAGlK2FH8cephIbfU6pNflXNmzZmjtIa7O8wMkXS8VOm/VEy633AcXWtTx0DWtjGkp4UJg7Tg/e7EgH1253/jSYJlofE2uOl1sg==
X-Forefront-Antispam-Report: CIP:3.132.208.199; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:NAM10-MW2-obe.outbound.protection.outlook.com; PTR:mail-mw2nam10lp2101.outbound.protection.outlook.com; CAT:NONE; SFS:(13230031)(82310400014)(36860700004); DIR:OUT; SFP:1102;
X-OriginatorOrg: ndzh.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Feb 2024 22:32:36.5326 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 5708f385-cc5c-48f8-9c92-08dc38ad2a20
X-MS-Exchange-CrossTenant-Id: d6c573f1-34ce-4e5a-8411-94cc752db3e5
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=d6c573f1-34ce-4e5a-8411-94cc752db3e5; Ip=[3.132.208.199]; Helo=[obx-outbound.inkyphishfence.com]
X-MS-Exchange-CrossTenant-AuthSource: MW2NAM12FT049.eop-nam12.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA3PR08MB8875
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/HuiIXQlEkpzIZdVhU9YwS5TJJd4>
Subject: Re: [Idr] Error in draft-ietf-idr-sdwan-edge-discovery use of Encapsulation Extended Community
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 22:32:44 -0000

Linda:

If the each client route, needs a specific encapsulation from the SDWAN-Hybrid tunnel then:


  1.  You cannot use Encapsulation extended communities –  You only have the egress endpoint.
  2.  You can use TEA (SD-WAN-Hybrid Tunnel) type – with Egress Endpoint + an identifier for which sub-tunnel (MPLS, IP-SEC (GRE), IP-SEC (VXLAN))
If each client route, only needs to signal the node to pick sub-tunnels based on something you pass in the underlay,  you can specify
         Client route + TEA (SD-WAN-Hybrid Tunnel) with Egress Endpoint.

The rules on Encapsulation Extended community are very tight in RFC9012.  Errors in deployment caused these reasons to be very tight.

Bottom line – it is good John caught this before going to the IESG.  We have time to adjust the text and talk to Arista.

Sue

From: Linda Dunbar <linda.dunbar@futurewei.com>
Sent: Tuesday, February 27, 2024 9:31 PM
To: John Scudder <jgs@juniper.net>
Cc: Robert Raszuk <robert@raszuk.net>; idr@ietf.org; draft-ietf-idr-sdwan-edge-discovery@ietf.org
Subject: RE: Error in draft-ietf-idr-sdwan-edge-discovery use of Encapsulation Extended Community

John, Here is the SD-WAN scenario why simple Nexthop cannot do the job: Suppose one SD-WAN edge has 3 client routes (#1, #2, #3) and multiple underlay paths (public unsecure paths & private secure pat
External (linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>)
  Report This Email<https://protection.inkyphishfence.com/report?id=bmV0b3JnMTA1ODY5MTIvc2hhcmVzQG5kemguY29tL2Y3YzJlZDIzYjU3ZDEyNjU4OGQyMDdlODFjMWEzMzczLzE3MDkwODc1MDMuNDU=#key=e6af876a0a75f2c1d2b4ab878f933050>  FAQ<https://www.godaddy.com/help/report-email-with-advanced-email-security-40813>  GoDaddy Advanced Email Security, Powered by INKY<https://www.inky.com/protection-by-inky>

John,
Here is the SD-WAN scenario why simple Nexthop cannot do the job:

Suppose one SD-WAN edge has 3 client routes (#1, #2, #3)  and multiple underlay paths (public unsecure paths & private secure paths) to other peer nodes:
1) The client route #1 needs to be forwarded by a private path (such as network service provider's MPLS path),
2) The  client route #2 (at the same nextHop) can be forwarded by IPsec SA or MPLS (i.e., the Hybrid tunnel described in the document)
3) The client route #3 can be forwarded by unsecure path (such as web browsing traffic)

When this SD-WAN edge advertises Client Route #1, it needs to indicate the necessary encapsulation type to be MPLS.
When this SD-WAN edge advertises the Client Route #2, it needs to indicate the encapsulation type to be SD-WAN-Hybrid.
When the SD-WAN edge advertises the Client Route #3, it only needs to indicate the NextHop.

Linda

-----Original Message-----
From: John Scudder <jgs@juniper.net<mailto:jgs@juniper.net>>
Sent: Tuesday, February 27, 2024 6:37 PM
To: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Cc: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>; idr@ietf.org<mailto:idr@ietf.org>; draft-ietf-idr-sdwan-edge-discovery@ietf.org<mailto:draft-ietf-idr-sdwan-edge-discovery@ietf.org>
Subject: Re: Error in draft-ietf-idr-sdwan-edge-discovery use of Encapsulation Extended Community

Hi Linda,

> On Feb 27, 2024, at 7:12 PM, Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>> wrote:
>
> Our intent of using Encapsulation Extended Community is to indicate
> that Client routes need to be forwarded by a tunnel, but there is too much information about the  Tunnel attributes to be included in the Client route advertisement and those attributes are associated with the WAN ports (instead with Client Routes).
>
> We need to interpret the "barebones" as a hook to inform the peer nodes to use information carried in  the second UPDATE to establish the tunnel for the Client routes.

I don’t see why you need any indication beyond the next hop. It’s both necessary (so that the recipient can find the route that has the tunnel information) and sufficient (because once it finds that route, it will see it includes tunnel information). This is exactly what Section 8 explains.

> I don't understand why RFC9012 doesn't allow this. What harm does it cause?

If RFC 9012 was still in draft, and you had suggested the idea above as a change to the spec, we could have had this discussion. But it’s moot now — RFC 9012 is what it is, and what it is, very specifically and precisely does *not* allow a tunnel type that has mandatory sub-TLVs to be used as an Encapsulation Extended Community, and does *not* require any additional information beyond the next hop to “glue” a client route to an underlay route that has a tunnel attribute.

If you want to use RFC 9012, it is what it is. If you think (for some reason I don’t yet understand) that you need to have an extra “hook” beyond the next hop, you can specify some new thing to do that.

—John

v2.23.0 | Report a Bug | By Email