IETF Logo Mail Archive

[Idr] draft-ietf-idr-tunnel-encaps-10: Should add IPsec & IPsec-GRE as valid Tunnel Types

Linda Dunbar <linda.dunbar@huawei.com> Wed, 23 January 2019 23:05 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34CE512950A; Wed, 23 Jan 2019 15:05:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cWwjcnjBJOc1; Wed, 23 Jan 2019 15:05:11 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65383128B14; Wed, 23 Jan 2019 15:05:10 -0800 (PST)
Received: from lhreml704-cah.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 97D9EC305385DF150058; Wed, 23 Jan 2019 23:05:07 +0000 (GMT)
Received: from SJCEML703-CHM.china.huawei.com (10.208.112.39) by lhreml704-cah.china.huawei.com (10.201.108.45) with Microsoft SMTP Server (TLS) id 14.3.408.0; Wed, 23 Jan 2019 23:05:06 +0000
Received: from SJCEML521-MBS.china.huawei.com ([169.254.2.120]) by SJCEML703-CHM.china.huawei.com ([169.254.5.115]) with mapi id 14.03.0415.000; Wed, 23 Jan 2019 15:05:01 -0800
From: Linda Dunbar <linda.dunbar@huawei.com>
To: Eric C Rosen <erosen@juniper.net>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
CC: "idr@ietf.org" <idr@ietf.org>
Thread-Topic: draft-ietf-idr-tunnel-encaps-10: Should add IPsec & IPsec-GRE as valid Tunnel Types
Thread-Index: AdSzbBuzcjhVwpROSfCDuhLvfhHi4w==
Date: Wed, 23 Jan 2019 23:05:00 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B26AD14@sjceml521-mbs.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.192.11.117]
Content-Type: multipart/related; boundary="_005_4A95BA014132FF49AE685FAB4B9F17F66B26AD14sjceml521mbschi_"; type="multipart/alternative"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/P-04Mi4BySfq0a2INSiiA2irEw4>
Subject: [Idr] draft-ietf-idr-tunnel-encaps-10: Should add IPsec & IPsec-GRE as valid Tunnel Types
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2019 23:05:13 -0000

Eric and authors of draft-ietf-idr-tunnel-encaps-10:

Section 3.2 listed VXLAN, VXLAN-GRE, NVGRE, L2TPV3, GRE, MPLS-in-GRE as Tunnel Types.

For some deployment scenarios, two nodes can also have ports facing Internet, which requires IPsec to encapsulate the traffic as shown in the following diagram (described in https://datatracker.ietf.org/doc/draft-dunbar-idr-bgp-sdwan-overlay-ext/ ):

[cid:image002.png@01D4B33D.C5AD6880]

Can your section 3.2 add IPsec & IPsec-GRE as valid Tunnel Types?
If you don't think IPsec Tunnel Types should be added, can you explain why?

If Yes, should the "Remote Endpoint Sub-TLV" use the remote Interface (port) addresses (i.e. B1, B2, etc)?  or should the "Remote Endpoint Sub-TLV" use the PE2's loopback address of 10.1.2.1?

On Page 25 (Section 5), you have a sentence stating:
"Note that some tunnel types may require the execution of an explicit tunnel setup protocol before they can be used for carrying data."

This is applicable to IPsec tunnel that requires explicit setup protocol, correct?


In RFC5512, the BGP speaker indicates the originating Interface address in the NLRI (section 3):
[cid:image006.jpg@01D4B33D.C5AD6880]


How does draft-ietf-idr-tunnel-encaps-10 indicate the Tunnel originating interface?

In the Figure above, there are at least 3 tunnels between PE1 <->PE2: T1 (via MPLS), T2 and T3 via IPsec over internet. For a Prefix X reachable via PE2, does PE1 send BGP Update for Prefix X with 3 different Tunnel Encap attributes to all its neighbors?  Say PE4?  Those Tunnel information is really between PE1<->P2, other nodes, e.g. PE4 really doesn't need to know, correct?


Thank you very much for the help.
Linda Dunbar

v2.23.0 | Report a Bug | By Email