Re: [Idr] [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00

Robert Raszuk <robert@raszuk.net> Sun, 04 November 2018 15:36 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAF17124408 for <idr@ietfa.amsl.com>; Sun, 4 Nov 2018 07:36:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pEhKFcEkXfbd for <idr@ietfa.amsl.com>; Sun, 4 Nov 2018 07:36:00 -0800 (PST)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9F5B130DCF for <idr@ietf.org>; Sun, 4 Nov 2018 07:35:59 -0800 (PST)
Received: by mail-qk1-x730.google.com with SMTP id d135so10740770qkc.12 for <idr@ietf.org>; Sun, 04 Nov 2018 07:35:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3AOv5LsPdnIziUdz+aJfSGnFFxVM2Dbc9bC+QOT/T1s=; b=B1ibe/crrNpyMmwA8p4hAzzZwsw8Leoogwwha3ul5eqCcOjr1rZeFLS3gmGoUmOz9B PJFyUsGBjZvxFpflgZQZurnQTnRB7hSv54kUmdnlFDUfyvbbIuNB6y/Zl9AhE5QS3R2r pfOIPwblDkBZj/U1mBsKPuG1X/gKvI5ljh0M32EAHOWz1pNVuCy0j2rZ5g4qCsZgML21 J3fKZGUo+q7Mvk0GptGyZBlYWyPtYIMgPh7DuPUOUWoTX6Y6LquK0K9T4AS54H5W0QOd FnIlAGdj/8E3uhAHES8crRlP1q+fKq+eUf5QOute0UD8OY44XN1uvY4xLb4chfDkE1El rrrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3AOv5LsPdnIziUdz+aJfSGnFFxVM2Dbc9bC+QOT/T1s=; b=KX3EDvAO55aRi/jTypjcI22pX6MfTgOl7KqdhoXF74j98X2BskU/md+RlD5a1YVAuC UC9GietQqaMxNzNdDWC1R92A2hUS0p6PPkaGSsW/wLG55uiiKpU1Mm4S7NdRt8xozeUd HpN7KloCTPFrLqiQCEHoKu+uoVHGpCgGt6Wi/GXczMX9MiY7nhPHrnleOSTQ5LkFAgWL zTQ+uNW1P7jKfNDMzDTXMvafmTDdUDCYbhCH7tLkMkYtbuwC8z2NiP30jx6In4ODAxjF erS2m+W0cpcwIiGIYTho1zDmRXnXNMtgnyh90oLGeSbRsoKu+N4Uv57vtn66oilxhleP 6DYw==
X-Gm-Message-State: AGRZ1gLc+jzqX+UddS/0LtAJkfrX6I/UahPEaFZ3HR3tq5oyFz2hiI9B lrYMZqv4MLavOlBgvjVhSIwGriYmp7m2LDSZVd+umA==
X-Google-Smtp-Source: AJdET5ew2aJi3ozy69ltszb1tHZLIUxEncXx8roMxfG5nlNV4aoyT6ZpsuRfxFP7yul/5swhffSr+wvANqqPOGrgzCo=
X-Received: by 2002:a0c:e84f:: with SMTP id l15mr17760279qvo.124.1541345759047; Sun, 04 Nov 2018 07:35:59 -0800 (PST)
MIME-Version: 1.0
References: <4A95BA014132FF49AE685FAB4B9F17F66B17F9DE@sjceml521-mbs.china.huawei.com>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B17F9DE@sjceml521-mbs.china.huawei.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Sun, 04 Nov 2018 16:35:47 +0100
Message-ID: <CAOj+MMF+0NA9xHFAt__GkbwYL6_wfJqKy2Wi-qo5+iNJ=drajw@mail.gmail.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Cc: idr@ietf.org, bess@ietf.org
Content-Type: multipart/alternative; boundary="00000000000071cea60579d886ab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/VQMMV3n3j83rN3Je9QkBiiv8ryg>
Subject: Re: [Idr] [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2018 15:36:03 -0000

Hi Linda,

I have one comment to proposed encoding and one overall observation.

*Comment: *

Proposed "EncapsExt sub-TLV" defines as mandatory indication on NAT type.
Possible values are:  NAT Type.without NAT; 1:1 static NAT; Full Cone;
Restricted Cone; Port Restricted Cone; or Symmetric.

You very nicely listed all nat types except one: "unknown" :) Why - Let's
notice that in the other part of the text you state that information of the
NAT type may be obtained from STUN server "can inquire". So if use of STUN
server is optional then there is possibility that there is none and end
point would not know about the NAT type it is traversing.

*Observation: *

This seems to be yet one more time we see proposal of "let's ride on BGP as
we need to exchange endpoint discovery data point to point in a realiable
way". I see zero need in this proposal why BGP is required here as opposed
to any piece of code which can deliver data between two or more endpoints.

Seeing those proposals it puzzles me a lot why skype or hangout are not
using BGP ... after all video or voice call setup does require exchange of
endpoint data. Likewise another unknown mystery is why SMTP is not riding
on BGP too ?

Yes overall we are missing now pretty much every day a global distributed
system to exchange endpoint data in a dynamic way.

Before we proceed on this or any other similar BGP extension I would highly
appreciate some discussion on why below alternatives or other new similar
proposals can be used instead of BGP for the described applications.

1. LISP mapping plane
2. Products of IDentity Enabled Networks WG
3. DynamicDNS
4. Registry of Data on AWS
etc...

Thx,
Robert.


On Tue, Oct 30, 2018 at 5:19 PM Linda Dunbar <linda.dunbar@huawei.com>
wrote:

> IDR group, BESS group,
>
>
>
> https://datatracker.ietf.org/doc/draft-dunbar-idr-bgp-sdwan-overlay-ext/
> specifies a new BGP SAFI (=74) in order to advertise a SD-WAN edge node’s
> capabilities in establishing SD-WAN overlay tunnels with other SD-WAN nodes
> through third party untrusted networks.
>
>
>
> draft-sajassi-bess-secure-evpn-00 describes an EVPN solution for PE nodes
> to exchange key and policy to create private pair-wise IPsec Security
> Associations without IKEv2 point-to-point signaling or any other direct
> peer-to-peer session establishment messages.
>
>
>
> I think those two solutions are not conflicting with each other. Actually
> they are compliment to each other to some degree. For example,
>
> -        the Re-key mechanism described by
> draft-sajassi-bess-secure-evpn-00 can be utilized by
> draft-dunbar-idr-bgp-sdwan-overlay-ext
>
> -        The SD-WAN Overlay SAFI can be useful to simplify the process on
> RR to re-distribute the Tunnel End properties to authorized peers.
>
> -        When SD-WAN edge nodes use private address, or no IP address,
> NAT properties for the end points distribution described
> draft-dunbar-idr-bgp-sdwan-overlay-ext is necessary.
>
> -        The secure channel between SD-WAN edge nodes and RR described by
> draft-dunbar-idr-bgp-sdwan-overlay-ext is necessary.
>
>
>
> Any thoughts?
>
>
>
> Thank you very much.
>
>
>
> Linda Dunbar
> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess
>