Re: [Idr] Question about draft-hujun-idr-bgp-ipsec-02 ( was RE: 2 Week WG adoption call draft-hujun-idr-bgp-ipsec-02.txt and draft-hujun-idr-bgp-ipsec-transport-mode-00 (3/30 to 4/13/2020

"Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com> Thu, 09 April 2020 00:13 UTC

Return-Path: <jun.hu@nokia.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AF1E3A1A5B for <idr@ietfa.amsl.com>; Wed, 8 Apr 2020 17:13:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.967
X-Spam-Level:
X-Spam-Status: No, score=-1.967 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.168, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Eb6gIEk0LUa for <idr@ietfa.amsl.com>; Wed, 8 Apr 2020 17:13:03 -0700 (PDT)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-bn3nam04on0708.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe4e::708]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 235CE3A1A58 for <idr@ietf.org>; Wed, 8 Apr 2020 17:13:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BEsZtemGCHT1/RIq4MV/9onKBi2j2rpL34lAsK3LITj8/vzcd0v1QsPX0R1RnP+4q4GuIyvVACqwcBZsLRsweWDnkUkpmGE9kbpYXw/RNYyW1qfHjijEqedNT3uYWR6B9j9Gs5A484jFZgHYfJhHcvsRkhVviO5MuJoXxR4RrO3x4ZNkqbJUCmYuxo0XvzbfHdLhtYrHjyzYXcd9VBuzPdMYJwWywtTA5b/lQtVWKW1FM6f/e4x/0zJ8d2nmHscYkG1qwHbDFfY6vksd8JeE43mHvVQQzhXrvcln8tulBtinkiEtzvzY+82RV6+W7dj5w03VWNigAfQ0rm135J+5eQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ejedCkt+NdHFos17QKNrq/EMvBI8adVJ0SifxaY+cAM=; b=m0uzQ1aKXH0jA9VI3bOdejKKHmBPHaVfEz/nliRY5DbAvKyDkVzRlPorwuRUcrVAoYuQRIlQ5Eh/qvV18cdK7FUiMQvu9MJi9EenzqTTSwZTU2EgTOdqIg/8SkbLhUprNy0Le8ycEIaFxUzIUi/UGoJKp5qdV8Vai3dK2pdhxKcHLTBZ7I7/ZXgXK5i/CEgxSxIZlapE9iNX2YhxJ+cIDIl9J/mRVZ/G0nyCSrOkr4+Wg90gNzwjSr8Gll+RHhBbvrgQ+4sTZ+DFY3RaGur+gFSn9mjkLIfRzEIXNvRfii47gGe/cEc3Evl3KEuVc032NgokaOkO/21EtKxTOs94mQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nokia.com; dmarc=pass action=none header.from=nokia.com; dkim=pass header.d=nokia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ejedCkt+NdHFos17QKNrq/EMvBI8adVJ0SifxaY+cAM=; b=sw6bt6uBYa611OkncnynAyOYyna+IqFJaxzWqe91klp+PQFn9+BYcuNTa6JKa+xl/6qNxT1oh/RhIhUJzBm5qLs89yVdLhp44DKNpnq8/gZhVD61eqxVrARuHzQe7AsUMKlbcn/s3IO7xiYgXbF2tNlsInSsrK5gPsevO1BtrXE=
Received: from BY5PR08MB6312.namprd08.prod.outlook.com (2603:10b6:a03:1f0::19) by BY5PR08MB6183.namprd08.prod.outlook.com (2603:10b6:a03:1e5::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.21; Thu, 9 Apr 2020 00:13:00 +0000
Received: from BY5PR08MB6312.namprd08.prod.outlook.com ([fe80::a078:d4f7:d478:a679]) by BY5PR08MB6312.namprd08.prod.outlook.com ([fe80::a078:d4f7:d478:a679%7]) with mapi id 15.20.2878.021; Thu, 9 Apr 2020 00:13:00 +0000
From: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
To: Linda Dunbar <linda.dunbar@futurewei.com>, Susan Hares <shares@ndzh.com>, 'IDR List' <idr@ietf.org>
Thread-Topic: [Idr] Question about draft-hujun-idr-bgp-ipsec-02 ( was RE: 2 Week WG adoption call draft-hujun-idr-bgp-ipsec-02.txt and draft-hujun-idr-bgp-ipsec-transport-mode-00 (3/30 to 4/13/2020
Thread-Index: AdYJ88Fzwt+5o6y3SbatjJfErRQpEwEDTVmw
Date: Thu, 9 Apr 2020 00:13:00 +0000
Message-ID: <BY5PR08MB6312D69C2994387B0F31109B95C10@BY5PR08MB6312.namprd08.prod.outlook.com>
References: <MWHPR1301MB2096467F12809CB1041B467E85C70@MWHPR1301MB2096.namprd13.prod.outlook.com>
In-Reply-To: <MWHPR1301MB2096467F12809CB1041B467E85C70@MWHPR1301MB2096.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jun.hu@nokia.com;
x-originating-ip: [135.245.20.15]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 83e3457f-f64c-48f8-7f08-08d7dc1ac365
x-ms-traffictypediagnostic: BY5PR08MB6183:
x-microsoft-antispam-prvs: <BY5PR08MB61831099D9C09B7D9FFC4FB595C10@BY5PR08MB6183.namprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0368E78B5B
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR08MB6312.namprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10019020)(4636009)(366004)(376002)(39860400002)(136003)(396003)(346002)(966005)(7696005)(316002)(64756008)(5660300002)(9686003)(2906002)(8936002)(66446008)(55016002)(8676002)(6506007)(76116006)(33656002)(66556008)(52536014)(110136005)(81166007)(66476007)(66946007)(86362001)(26005)(478600001)(53546011)(66574012)(186003)(81156014)(71200400001); DIR:OUT; SFP:1102;
received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: fxaEYlxZhUIsSyBHQFbMTEYBkhxcq7Qws/lBxvaItBImbiEl/gm3X3pd1z6vZgT3DQ9xQReG1ERy+KjZqsoK1p2yZt3XXumgmCMvoHydfcKBC6qwTHeB4tprbuVyByaEeR04mS4fEjp6AqHNv9XGLRmPj7iNMXgHrdbQxxAc7MGqBmewr4bIKeuj3D2CACMym/2twjNPueXDfauTpAO00zepvJ2gTnFvNN0Z1lqk2K+B2sWElpP66FebHs7XOxSRL3FsXdV9HwF4Xz78wtuJp2eJJoCj1ocVIG7SXvobAEs1Aipn9A1DPqh5hivXJuab1LMeu2nypFDiz9sn0L4b1uc30Dr6LM4MZXp6zZEZ+YQBQmTxEGeMt5n75kxjnuV4RcV5tIpJkY2UkimRNizRPOqL970mzt9LPRLnkvx+o4gXKBc5hjAv3GBEQ/608qkjELRiq8q5pyT3fzPHkq08WPcS9YHTOUtjwabpcBfc91owAyI6ISAwQbpgNPNiUxJ3dnsGFEx/fxBZffoTof4hIQ==
x-ms-exchange-antispam-messagedata: SoHUsaAtjuulC19e+FoZMKivAkHVo1ZicEy3ZVsLGLaZ0SPvRA3vWuS4I+iGafv0cUyU0OXW2B/H7gooNV6GdpKBtLmTv17leplkFVMI5i4pP5pN5KCd4FmpKBuzTq8ko64bN4waNFXz44mjfnAOUA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BY5PR08MB6312D69C2994387B0F31109B95C10BY5PR08MB6312namp_"
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 83e3457f-f64c-48f8-7f08-08d7dc1ac365
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Apr 2020 00:13:00.0170 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 9MBdUkQfc0cR3Fr33sR8OszvnLEof3URy69jjrWy6aRwQy1UlG0QtU+Hdm3zvOYdqNInfM5ifLYw9i9XW/r+FA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR08MB6183
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/z8x-bh_n2sjeG-41OWlXWUdo4jo>
Subject: Re: [Idr] Question about draft-hujun-idr-bgp-ipsec-02 ( was RE: 2 Week WG adoption call draft-hujun-idr-bgp-ipsec-02.txt and draft-hujun-idr-bgp-ipsec-transport-mode-00 (3/30 to 4/13/2020
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2020 00:13:05 -0000

Sorry for replying late, Pls see my answer in line

From: Idr <idr-bounces@ietf.org> On Behalf Of Linda Dunbar
Sent: Friday, April 3, 2020 1:24 PM
To: Susan Hares <shares@ndzh.com>om>; 'IDR List' <idr@ietf.org>
Subject: [Idr] Question about draft-hujun-idr-bgp-ipsec-02 ( was RE: 2 Week WG adoption call draft-hujun-idr-bgp-ipsec-02.txt and draft-hujun-idr-bgp-ipsec-transport-mode-00 (3/30 to 4/13/2020

Jun,

Need a few clarify questions for your draft.


  1.  Does  draft-hujun-idr-bgp-ipsec-02 assume that IKEv2 still running between IPsec peers?
[Hu Jun] yes


  1.  Does receiving the IPsec BGP UPDATE triggers a node to start the  IKEv2 with the speaker without any configuration from the administer? If Node B can only establish IPsec IKEv2 with another node C, does it matter if the Node B receives or not receives the BGP update from the C?
[Hu Jun] it is up to the implementation, there are two options:

           *   create the tunnel upon receiving BGP update
           *   create tunnel only when router need to forward a packet to a destination that need to be reached via IPsec tunnel
either way works

  1.  How does the BGP UPDATE ease the IPsec configuration? Does  it ease the configuration on the BGP UPDATE speaker? Or does it ease the configuration of the receiver?
[Hu Jun] think of a simple case, where there are 3 routers: A , B and C, A has subnet S behind it that require IPsec protection, if B or C need to forward a packet to S, it must be over an IPsec tunnel; so traditionally, you would configure two tunnels on A: A->B and A->C, then you would also need to configure a tunnel B->A on B and a tunnel C->A on C, so in total, there are 4x tunnel configuration on 3 routers; but now with my draft, you just need to configure A to advertise a BGP update for S which include ipsec config, there is no per-tunnel configuration on A, B or C.

  1.  How to differentiate  Public Routing Instances?
If the payload packet within the IPsec tunnel are simple IP forwarding, is there still "Private Routing Instances"?
[Hu Jun] the concept of public and private routing instance is to separate trust network from un-trusted network; Typically, for security reason, you want to separate trusted network from un-trusted network by using different routing instance,  for example, internet is un-trusted network, while an enterprise intranet is trusted network, they are different routing instance;  then an payload packet from the intranet is encapsulated into an IPsec tunnel, the result ESP tunnel packet is forwarded via internet.
But public routing instance could same as private routing instance if you have good reason to do so, there is nothing in protocol level prevent that
On Page 3, the draft states that only "Local Tunnel Endpoint address, Public Routing Instance and CHILD SA traffic selector address range" are advertised by the BGP.
Is the Local Tunnel Endpoint address same as the LOOPBACK address of the node? Or can be a specific Ingress or egress port of the node sending out the BGP UPDATE?
[Hu Jun] this total up to the operator, both loopback or a physical interface address could be used, but typically a loopback address is prefer for stable reason

Thank you very much.

Linda Dunbar

From: Idr <idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>> On Behalf Of Susan Hares
Sent: Monday, March 30, 2020 7:07 AM
To: 'IDR List' <idr@ietf.org<mailto:idr@ietf.org>>
Subject: [Idr] 2 Week WG adoption call draft-hujun-idr-bgp-ipsec-02.txt and draft-hujun-idr-bgp-ipsec-transport-mode-00 (3/30 to 4/13/2020

This begins a 2 week WG adoption call for  two drafts BGP provisioned IPSEC infrastructure

1) draft-hujun-idr-bgp-ipsec-02.txt:
BGP Provisioned IPSEC Tunnel Configuration

https://datatracker.ietf.org/doc/draft-hujun-idr-bgp-ipsec/<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-hujun-idr-bgp-ipsec%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Cdb1e68b21c294ff7e40f08d7d4a2e5e4%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637211668440594288&sdata=HRHfVUUOy0a1ofnIzfTM4zsBqzZCGEhyMEopPdtEdyI%3D&reserved=0>

2) draft-hujun-idr-bgp-ipsec-transport-mode-00.txt:
BGP Provisioned IPsec Transport Mode Protected Tunnel Configuration

https://datatracker.ietf.org/doc/draft-hujun-idr-bgp-ipsec-transport-mode/<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-hujun-idr-bgp-ipsec-transport-mode%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Cdb1e68b21c294ff7e40f08d7d4a2e5e4%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637211668440604245&sdata=XROXZN5YTy5GQEToYyAkFNHx71%2B%2FXnln1QJjMzeRQ6I%3D&reserved=0>

These drafts were presented at IETF 104 and IETF 105..
At IETF 105, there was a detailed discussion on the security issues.
After IETF 105, the author modified his draft to take care of the
Issues mentioned.

Discussion during the WG Adoption should examine:
1) Has this draft addressed the necessary security issues to
    be adopted as IDR WG draft?

2) Is this useful generic IPSEC functionality for networks?

   The EVPN related to IPSEC continues in BESS.
   This draft is considered here as a general feature.

3) Are there any deployments of this draft?


Stay safe and healthy... Sue