Re: [Idr] advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.
Linda Dunbar <linda.dunbar@huawei.com> Wed, 06 March 2019 18:20 UTC
Return-Path: <linda.dunbar@huawei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 518A013122D for <idr@ietfa.amsl.com>; Wed, 6 Mar 2019 10:20:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.189
X-Spam-Level:
X-Spam-Status: No, score=-4.189 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YIeMTqsZxO-1 for <idr@ietfa.amsl.com>; Wed, 6 Mar 2019 10:20:23 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8CAA131227 for <idr@ietf.org>; Wed, 6 Mar 2019 10:20:22 -0800 (PST)
Received: from lhreml701-cah.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 128DE10E5B4F15A4AB7C for <idr@ietf.org>; Wed, 6 Mar 2019 18:20:20 +0000 (GMT)
Received: from SJCEML703-CHM.china.huawei.com (10.208.112.39) by lhreml701-cah.china.huawei.com (10.201.108.42) with Microsoft SMTP Server (TLS) id 14.3.408.0; Wed, 6 Mar 2019 18:20:19 +0000
Received: from SJCEML521-MBS.china.huawei.com ([169.254.2.29]) by SJCEML703-CHM.china.huawei.com ([169.254.5.129]) with mapi id 14.03.0415.000; Wed, 6 Mar 2019 10:20:15 -0800
From: Linda Dunbar <linda.dunbar@huawei.com>
To: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>, "idr@ietf.org" <idr@ietf.org>
CC: "shares@ndzh.com" <shares@ndzh.com>
Thread-Topic: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.
Thread-Index: AdTUNMBwOFNYhyoITy27A3Y11MvQyAAERJvgAACvJbA=
Date: Wed, 06 Mar 2019 18:20:15 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B2E9F51@sjceml521-mbs.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B2E8D3F@sjceml521-mbs.china.huawei.com> <PR1PR07MB575531B1ACC8CA53CA053A1295730@PR1PR07MB5755.eurprd07.prod.outlook.com>
In-Reply-To: <PR1PR07MB575531B1ACC8CA53CA053A1295730@PR1PR07MB5755.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.192.11.84]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B2E9F51sjceml521mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/PUMR4iqV_S2_gUdWin9YhsXB66s>
Subject: Re: [Idr] advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 18:20:26 -0000
Jun, For managing large number of IPsec, there are already work in Security Area (which has gone through violent discussion for last year): https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/ https://datatracker.ietf.org/doc/draft-carrel-ipsecme-controller-ike/ Linda From: Hu, Jun (Nokia - US/Mountain View) [mailto:jun.hu@nokia.com] Sent: Wednesday, March 06, 2019 12:09 PM To: Linda Dunbar <linda.dunbar@huawei.com>; idr@ietf.org Cc: shares@ndzh.com Subject: RE: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet. Sure, we could have discussion, and I have requested a slot to present my draft in idr session Although I want to make it clear is that my draft doesn't intend to be a SDWAN solution for IPsec, and the intension is to address problem of pre-provision and managing large number of mesh IPsec tunnels, while keep changes limited: * no change on how IPsec is implemented (e.g. still uses IKEv2 to create SA) * only introduces extensions based on another existing idr draft (ietf-idr-tunnel-encaps) From: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>> Sent: Wednesday, March 6, 2019 7:55 AM To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com<mailto:jun.hu@nokia.com>>; idr@ietf.org<mailto:idr@ietf.org> Cc: shares@ndzh.com<mailto:shares@ndzh.com> Subject: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet. Jun and IDR group, We also submitted a draft for using BGP to propagate SDWAN WAN ports properties (including IPsec properties). Hope we can discuss more in IETF 104 to find a common ground. https://datatracker.ietf.org/doc/draft-dunbar-idr-sdwan-port-safi/ Abstract The document specifies a new BGP NLRI and SAFI for advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet. Those WAN ports may get assigned IP addresses from the Internet Service Providers (ISPs), may get assigned dynamic IP addresses via DHCP, or may have private addresses (e.g. inside third party Cloud DCs). Packets sent over those SDWAN WAN ports might need to be encrypted (depending on the user policies) or need to go through NAT. SD-WAN edge need to propagate those WAN ports properties to its SDWAN controller, which propagates to the authorized peers and manage the IPsec SAs among those peers for encrypting traffic via the untrusted networks. BGP Route Reflectors (RR) are proposed as points of combination for this information in order to allow scaling of the SDWAN. Linda Dunbar From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of Hu, Jun (Nokia - US/Mountain View) Sent: Tuesday, March 05, 2019 9:42 PM To: idr@ietf.org<mailto:idr@ietf.org> Cc: shares@ndzh.com<mailto:shares@ndzh.com> Subject: [Idr] draft-hujun-idr-bgp-ipsec-00 Hi, I submitted following draft: URL: https://www.ietf.org/internet-drafts/draft-hujun-idr-bgp-ipsec-00.txt Htmlized: https://tools.ietf.org/html/draft-hujun-idr-bgp-ipsec-00 This document defines a method of using BGP to signal IPsec tunnel configuration along with NLRI, it uses and extends tunnel encapsulation attribute as specified in [I-D.ietf-idr-tunnel-encaps<https://tools.ietf.org/html/draft-hujun-idr-bgp-ipsec-00#ref-I-D.ietf-idr-tunnel-encaps>] for IPsec tunnel. Review and comments are greatly appreciated! Thanks --------- Hu Jun, ION Nokia
- [Idr] advertising properties of a SD-WAN edge nod… Linda Dunbar
- Re: [Idr] advertising properties of a SD-WAN edge… Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] advertising properties of a SD-WAN edge… Linda Dunbar
- Re: [Idr] advertising properties of a SD-WAN edge… Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] advertising properties of a SD-WAN edge… Linda Dunbar
- Re: [Idr] advertising properties of a SD-WAN edge… Hu, Jun (Nokia - US/Mountain View)