Re: [Idr] advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.

"Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com> Wed, 06 March 2019 18:09 UTC

From: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
To: Linda Dunbar <linda.dunbar@huawei.com>, "idr@ietf.org" <idr@ietf.org>
CC: "shares@ndzh.com" <shares@ndzh.com>
Thread-Topic: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.
Thread-Index: AdTUNMBwOFNYhyoITy27A3Y11MvQyAAERJvg
Date: Wed, 06 Mar 2019 18:09:00 +0000
Message-ID: <PR1PR07MB575531B1ACC8CA53CA053A1295730@PR1PR07MB5755.eurprd07.prod.outlook.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B2E8D3F@sjceml521-mbs.china.huawei.com>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B2E8D3F@sjceml521-mbs.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/xMoj2esSZsYeo5fAXAas1tUXXcs>
List-Id: Inter-Domain Routing <idr.ietf.org>

Sure, we could have a discussion, and I have requested a slot to present my draft in the idr session.
Although I want to make it clear that my draft doesn't intend to be an SDWAN solution for IPsec; the intention is to address the problem of pre-provisioning and managing a large number of mesh IPsec tunnels, while keeping changes limited:

  *   no change to how IPsec is implemented (e.g. it still uses IKEv2 to create SAs)
  *   only introduces extensions based on another existing idr draft (ietf-idr-tunnel-encaps)

From: Linda Dunbar <linda.dunbar@huawei.com>
Sent: Wednesday, March 6, 2019 7:55 AM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>; idr@ietf.org
Cc: shares@ndzh.com
Subject: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.

Jun and IDR group,

We also submitted a draft for using BGP to propagate SDWAN WAN port properties (including IPsec properties). Hope we can discuss more at IETF 104 to find common ground.

https://datatracker.ietf.org/doc/draft-dunbar-idr-sdwan-port-safi/

Abstract
The document specifies a new BGP NLRI and SAFI for advertising properties of SD-WAN edge node WAN ports that face untrusted networks, such as the public internet. Those WAN ports may get assigned IP addresses from the Internet Service Providers (ISPs), may get assigned dynamic IP addresses via DHCP, or may have private addresses (e.g. inside third party Cloud DCs). Packets sent over those SDWAN WAN ports might need to be encrypted (depending on the user policies) or need to go through NAT. An SD-WAN edge needs to propagate those WAN port properties to its SDWAN controller, which propagates them to the authorized peers and manages the IPsec SAs among those peers for encrypting traffic via the untrusted networks.
BGP Route Reflectors (RR) are proposed as points of combination for this information in order to allow scaling of the SDWAN.


Linda Dunbar


From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of Hu, Jun (Nokia - US/Mountain View)
Sent: Tuesday, March 05, 2019 9:42 PM
To: idr@ietf.org
Cc: shares@ndzh.com
Subject: [Idr] draft-hujun-idr-bgp-ipsec-00

Hi,
I submitted following draft:

URL:            https://www.ietf.org/internet-drafts/draft-hujun-idr-bgp-ipsec-00.txt

Htmlized:       https://tools.ietf.org/html/draft-hujun-idr-bgp-ipsec-00


This document defines a method of using BGP to signal IPsec tunnel configuration along with NLRI; it uses and extends the tunnel encapsulation attribute as specified in [I-D.ietf-idr-tunnel-encaps] (https://tools.ietf.org/html/draft-hujun-idr-bgp-ipsec-00#ref-I-D.ietf-idr-tunnel-encaps) for IPsec tunnels.

Review and comments are greatly appreciated!

Thanks
---------
Hu Jun, ION Nokia
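Both drafts in this thread build on the Tunnel Encapsulation attribute of draft-ietf-idr-tunnel-encaps (later RFC 9012), and both have a receiver act on tunnel endpoint information that arrived over BGP from a peer facing an untrusted network. The following is an added example, not code from either draft or from either author: it frames and parses the attribute as that draft defines it (attribute TLV = 2-octet tunnel type + 2-octet length; sub-TLV length field 1 octet for sub-TLV types 0-127 and 2 octets for 128-255; egress endpoint sub-TLV type 6 = 4-octet AS/Reserved field + 2-octet address family + address), and then applies the kind of receiver-side check a SD-WAN edge or controller would want before creating IPsec SAs toward an advertised endpoint. The IANA tunnel type 4 ("IPsec in Tunnel-mode") is used only as a stand-in for whatever tunnel type draft-hujun-idr-bgp-ipsec assigns; the sample attribute bytes, the authorised-peer list and the "routable over the internet" policy are constructed for this example and are not taken from either draft.

```python
"""Added example (not from either draft): parse a BGP Tunnel Encapsulation
attribute value and decide which advertised IPsec tunnel endpoints a
receiver should act on. Malformed framing raises MalformedAttribute, which
per draft-ietf-idr-tunnel-encaps / RFC 9012 maps to treat-as-withdraw (RFC 7606)."""
import ipaddress
import struct

TUNNEL_TYPE_IPSEC_TUNNEL_MODE = 4   # IANA tunnel type 4 "IPsec in Tunnel-mode"; stand-in for the draft's type
TUNNEL_TYPE_GRE = 2                 # IANA tunnel type 2, used here only as a non-IPsec TLV
SUBTLV_COLOR = 4                    # 4-octet colour
SUBTLV_EGRESS_ENDPOINT = 6          # "Remote Endpoint" sub-TLV in the 2019 drafts
AF_IPV4, AF_IPV6 = 1, 2             # IANA address family numbers

# Example policy, not from either draft: an endpoint reached across the public internet
# must not be loopback/link-local/multicast or RFC 1918 / ULA space.  The check is explicit
# because Python's ip.is_global also rejects the documentation ranges used in the sample.
UNROUTABLE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


class MalformedAttribute(ValueError):
    """Framing error in the attribute; handle as treat-as-withdraw."""


def build_subtlv(stype: int, value: bytes) -> bytes:
    if stype < 128:                                  # 1-octet length for types 0-127
        return struct.pack("!BB", stype, len(value)) + value
    return struct.pack("!BH", stype, len(value)) + value   # 2-octet length for 128-255


def build_tlv(tunnel_type: int, subtlvs: bytes) -> bytes:
    return struct.pack("!HH", tunnel_type, len(subtlvs)) + subtlvs


def endpoint_subtlv(addr: str, asn: int = 0) -> bytes:
    ip = ipaddress.ip_address(addr)
    af = AF_IPV4 if ip.version == 4 else AF_IPV6
    return build_subtlv(SUBTLV_EGRESS_ENDPOINT, struct.pack("!IH", asn, af) + ip.packed)


def parse_sub_tlvs(data: bytes) -> dict:
    subtlvs, off = {}, 0
    while off < len(data):
        stype = data[off]
        hdr = 2 if stype < 128 else 3
        if off + hdr > len(data):
            raise MalformedAttribute("truncated sub-TLV header")
        length = data[off + 1] if stype < 128 else struct.unpack("!H", data[off + 1:off + 3])[0]
        value = data[off + hdr:off + hdr + length]
        if len(value) != length:
            raise MalformedAttribute("sub-TLV length exceeds enclosing TLV")
        subtlvs[stype] = value
        off += hdr + length
    return subtlvs


def parse_tunnel_encap(attr: bytes) -> list:
    """Returns [(tunnel_type, {subtlv_type: value_bytes}), ...] in wire order."""
    tlvs, off = [], 0
    while off < len(attr):
        if off + 4 > len(attr):
            raise MalformedAttribute("truncated TLV header")
        tunnel_type, length = struct.unpack("!HH", attr[off:off + 4])
        body = attr[off + 4:off + 4 + length]
        if len(body) != length:
            raise MalformedAttribute("TLV length exceeds attribute value")
        tlvs.append((tunnel_type, parse_sub_tlvs(body)))
        off += 4 + length
    return tlvs


def parse_endpoint(value: bytes):
    if len(value) < 6:
        raise MalformedAttribute("short egress endpoint sub-TLV")
    _asn, af = struct.unpack("!IH", value[:6])
    addr = value[6:]
    if (af == AF_IPV4 and len(addr) == 4) or (af == AF_IPV6 and len(addr) == 16):
        return ipaddress.ip_address(addr)
    raise MalformedAttribute("endpoint address length does not match address family")


def routable_over_internet(ip) -> bool:
    return not (ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified
                or any(ip in net for net in UNROUTABLE))


def select_ipsec_endpoints(attr: bytes, authorized_peers: set) -> list:
    """Act only on IPsec tunnel-mode TLVs whose egress endpoint is routable and on the
    controller-authorised list; TLVs without an endpoint sub-TLV are ignored (example policy)."""
    accepted = []
    for tunnel_type, subtlvs in parse_tunnel_encap(attr):
        if tunnel_type != TUNNEL_TYPE_IPSEC_TUNNEL_MODE or SUBTLV_EGRESS_ENDPOINT not in subtlvs:
            continue
        ep = parse_endpoint(subtlvs[SUBTLV_EGRESS_ENDPOINT])
        if routable_over_internet(ep) and str(ep) in authorized_peers:
            accepted.append(str(ep))
    return accepted


def rejects_as_malformed(attr: bytes) -> bool:
    try:
        parse_tunnel_encap(attr)
        return False
    except MalformedAttribute:
        return True


# Constructed sample attribute value (not captured traffic): four tunnel TLVs.
SAMPLE_ATTR = (
    build_tlv(TUNNEL_TYPE_IPSEC_TUNNEL_MODE,
              endpoint_subtlv("203.0.113.10", asn=64496) + build_subtlv(SUBTLV_COLOR, struct.pack("!I", 100)))
    + build_tlv(TUNNEL_TYPE_IPSEC_TUNNEL_MODE, endpoint_subtlv("10.0.0.5"))       # RFC 1918: rejected
    + build_tlv(TUNNEL_TYPE_IPSEC_TUNNEL_MODE, endpoint_subtlv("2001:db8::1"))    # routable but not authorised
    + build_tlv(TUNNEL_TYPE_GRE, endpoint_subtlv("203.0.113.10"))                 # not an IPsec TLV
)
AUTHORIZED = {"203.0.113.10", "198.51.100.7"}
# Same bytes with the final octet dropped: the last TLV's length field now overstates its body.
TRUNCATED_ATTR = SAMPLE_ATTR[:-1]

if __name__ == "__main__":
    print("usable IPsec endpoints:", select_ipsec_endpoints(SAMPLE_ATTR, AUTHORIZED))
    print("truncated attribute rejected:", rejects_as_malformed(TRUNCATED_ATTR))
```

The point of the policy step is the one Linda's abstract makes implicitly: the controller decides which peers are authorised, so a received endpoint should be matched against that list before any IKEv2 exchange is started toward it, and an attribute with inconsistent lengths should cause the route to be treated as withdrawn rather than partially applied.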