[Idr] 答复: Solicit feedback to BGP UPDATE encoding options for SDWAN WAN port properties propagation among SDWAN edges (pros & cons to draft-dunbar-idr-sdwan-port-safi and alternatives)

"Aijun Wang" <wangaijun@tsinghua.org.cn> Thu, 15 August 2019 08:08 UTC

Return-Path: <wangaijun@tsinghua.org.cn>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BFA312006D for <idr@ietfa.amsl.com>; Thu, 15 Aug 2019 01:08:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.789
X-Spam-Level:
X-Spam-Status: No, score=-1.789 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hmL5Kc1R8Sd1 for <idr@ietfa.amsl.com>; Thu, 15 Aug 2019 01:08:52 -0700 (PDT)
Received: from m176115.mail.qiye.163.com (m176115.mail.qiye.163.com [59.111.176.115]) by ietfa.amsl.com (Postfix) with ESMTP id B02B812002F for <idr@ietf.org>; Thu, 15 Aug 2019 01:08:49 -0700 (PDT)
Received: from WangajPC (unknown [219.142.69.77]) by m176115.mail.qiye.163.com (Hmail) with ESMTPA id 62D596620CB; Thu, 15 Aug 2019 16:08:40 +0800 (CST)
From: "Aijun Wang" <wangaijun@tsinghua.org.cn>
To: "'Linda Dunbar'" <linda.dunbar@futurewei.com>, <idr@ietf.org>
References: <MN2PR13MB35824E1E96BE08CDCBE8488585D30@MN2PR13MB3582.namprd13.prod.outlook.com> <00b901d551b2$40134190$c039c4b0$@org.cn> <MN2PR13MB358262348A51EB56CCF743BF85D20@MN2PR13MB3582.namprd13.prod.outlook.com>
In-Reply-To: <MN2PR13MB358262348A51EB56CCF743BF85D20@MN2PR13MB3582.namprd13.prod.outlook.com>
Date: Thu, 15 Aug 2019 16:08:41 +0800
Message-ID: <01bb01d55340$a6ea4140$f4bec3c0$@org.cn>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_01BC_01D55383.B50D8140"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdVRV+YQ5VdTuG26RVmF8buwngYjtQAS5wcgABt6YpAAS3AxoA==
Content-Language: zh-cn
X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVktVTUhPQkJCQ0pKTU9CSElIWVdZKF lBSkxLS0o3V1ktWUFJV1kJDhceCFlBWTU0KTY6NyQpLjc#WQY+
X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6NRA6DDo5TjlCAT02DhIsFAIh OhkwFD5VSlVKTk1OQ05NTklMTEhIVTMWGhIXVQwaFRwaEhEOFTsPCBIVHBMOGlUUCRxVGBVFWVdZ EgtZQVlJSkJVSk9JVU1CVUxMWVdZCAFZQU9ITkNDSDcG
X-HM-Tid: 0a6c945259129373kuws62d596620cb
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/WQhkeYcTQnLiVqiPlrep6bqLNR0>
Subject: [Idr] =?utf-8?b?562U5aSNOiAgU29saWNpdCBmZWVkYmFjayB0byBCR1AgVVBE?= =?utf-8?q?ATE_encoding_options_for_SDWAN_WAN_port_properties_propagation_?= =?utf-8?q?among_SDWAN_edges_=28pros_=26_cons_to_draft-dunbar-idr-sdwan-po?= =?utf-8?q?rt-safi_and_alternatives=29?=
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2019 08:08:56 -0000

Hi, Linda:

 

Will the RR act as STUN/TURN server and the CE follow the ICE procedure?

 

If so, it will be appropriate to define new AFI/SAFI, but the related BGP extensions will be complex, and I do not know whether IDR is the appropriate group to accomplish such work?

 

If not, the RR doesn’t need to dig into the update BGP message. It just needs to relay it to other endpoint.  

And if not, how you make sure the CEs that located behind NAT can communicate with each other successfully? Only sending the port properties information isn’t enough.

 

 

Best Regards.

 

Aijun Wang

China Telecom

 

发件人: Linda Dunbar [mailto:linda.dunbar@futurewei.com] 
发送时间: 2019年8月14日 4:51
收件人: Aijun Wang; idr@ietf.org
主题: RE: [Idr] Solicit feedback to BGP UPDATE encoding options for SDWAN WAN port properties propagation among SDWAN edges (pros & cons to draft-dunbar-idr-sdwan-port-safi and alternatives)

 

Aijun, 

 

Answers to your questions are inserted below: 

 

From: Aijun Wang <wangaijun@tsinghua.org.cn>; 
Sent: Tuesday, August 13, 2019 3:37 AM
To: Linda Dunbar <linda.dunbar@futurewei.com>;; idr@ietf.org
Subject: 答复: [Idr] Solicit feedback to BGP UPDATE encoding options for SDWAN WAN port properties propagation among SDWAN edges (pros & cons to draft-dunbar-idr-sdwan-port-safi and alternatives)

 

Hi, Linda:

 

Thanks for your analysis on this topic.

Would you like to make more clarifications for the following questions?

1.	What extra work will the RR do in Option 1? In my understanding, RR just send these updates to other ends. Only the other end needs to process these extended updates.

[Linda] RR will also receive the BGP UPDATE messages for the client routes attached to the SDWAN edge such as the regular IPv4/IPv6 SAFI/NLRI, EVPN SAFI/NLRI, etc.

 

If the WAN Port related information are advertised using the regular IPv4/IPv6 SAFI/NLRI, the RR must dig in deeper the received UPDATE to discover that the received UPDATE is actually for the edge WAN PORT properties (such as NAT properties). When a different address family identifier is used for SDWAN WAN properties propagation, the implementation on the receiver (i.e. RR) is clearer and less prone for route leaking or improper handling.  

That is why the BGP-LS, FlowSpec, Segment Routing Policies all have different SAFI/NLRI.  

 

 

 

2.	NAT transverse procedures for the communication between CPEs is complex, considering there are many different type NAT devices located within the network.  There is no easy way to detect the NAT type between them(It’s maybe easier to infer such information between CPE and RR). Then is it necessary to transfer the NAT related information in Option 2?

[Linda] What you said further proves that it is necessary for SDWAN edge node to advertise its NAT property (which is specified in the Extended Sub-TLV of draft-dunbar-idr-sdwan-port-safi).  A SDWAN edge node can inquire STUN (Session Traversal of UDP Through Network Address Translation RFC 3489) Server to get the NAT property, the public IP address and the Public Port number to pass to peers via RR.

 

3.	Is it more flexible to make the IPsec encapsulation information associated with other tunnel types that defined in https://datatracker.ietf.org/doc/draft-ietf-idr-tunnel-encaps/ <https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-idr-tunnel-encaps%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Ce5a584462e164a9cdc7108d71fc967f0%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637012822256265775&sdata=Xb2UloigBCKdxLsPaSdWNzN9mATUzTy7qjLo7q4VFLw%3D&reserved=0> ?, which is under the existing AFI/SAFI.  If so, option 1 seems more acceptable?

[Linda] as explained in the answer to your #1, it is cleaner implementation to have a different address family identifier for advertising WAN port properties. Yes, we should still use the TUNNEL-encap to carry the extended IPsec information.  

 

Linda 

 

Best Regards.

 

Aijun Wang

China Telecom 

 

发件人: idr-bounces@ietf.org [mailto:idr-bounces@ietf.org] 代表 Linda Dunbar
发送时间: 2019年8月13日 6:19
收件人: idr@ietf.org
主题: [Idr] Solicit feedback to BGP UPDATE encoding options for SDWAN WAN port properties propagation among SDWAN edges (pros & cons to draft-dunbar-idr-sdwan-port-safi and alternatives)

 

IDR participants:

 

Many thanks to the feedback from IETF105 discussion on draft-dunbar-idr-sdwan-port-safi, especially the hallway discussions with Ali Sajassi, John Drake, Keyur Patel and Sue Hares on other possible encoding options. I put together an analysis of multiple BGP UPDATE encoding options to achieve SDWAN WAN port properties propagation among SDWAN edges. Please see the slides in the IDR WIKI page:  <https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrac.ietf.org%2Ftrac%2Fidr%2Fattachment%2Fwiki%2FWikiStart%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Ce5a584462e164a9cdc7108d71fc967f0%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637012822256275769&sdata=%2BtMlJi7kO%2FT5TCvG%2BjrhswkJqrEkM64Lvn%2B0iAJEogY%3D&reserved=0> https://trac.ietf.org/trac/idr/attachment/wiki/WikiStart/

 

The Goal is for WAN Ports Property Propagation across SDWAN nodes in different domains
cid:image001.png@01D55131.F341A2B0

 

 

The constraints are those SDWAN edges can be spread across different geographical locations, their connection to RR can be over untrusted networks, and they might not know the reachable addresses for the peers they need to communicate (therefore needing RR to propagate). 

 

There are many ways to skin the cat… different encoding for BGP Update Messages

Option 1: Extending Tunnel-Encap with existing IP’s SAFI to achieve WAN port registration. 

cid:image002.png@01D55131.F341A2B0

 

*	Pros:

*	no new SAFI introduced, the update messages can traverse existing routers

*	Cons:

*	Same IPv4/IPv6 SAFI NLRI carries the WAN port information that is very different from clients’ routes attached to the C-PEs. 
*	The receivers (RR) has to do extra processing to differentiate the UPDATE messages  from the attached routes UPDATE messages. 

 

Option 2: Tunnel-Encap with SDWAN NLRI for SDWAN WAN Ports Prosperities & Policies described by draft-dunbar-idr-sdwan-port-safi-02

cid:image003.png@01D55131.F341A2B0

 

*	Pros:

*	Clean design and processing on the receivers (RRs). Simpler processing to differentiate the UPDATE messages  from the attached routes UPDATE messages. 

*	Cons:

*	New NLRI is introduced, the update messages can’t traverse existing routers

*	Since the the Tunnel UPDATE message with the new SDWAN NLRI/SAFI is strictly between SDWAN edge nodes and their respective RR(s) via a secure tunnel, the SDWAN UPDATE messages are not going to traverse existing routers. Therefore, it doesn’t cause any issues. 

 

Option 3: Using the new SAFI introduced for BGP labeled Colored Unicast  described by draft-szarecki-idr-bgp-lcu-traffic-steering

 

cid:image004.png@01D55131.F341A2B0

 

*	Pros:

*	leverage the newly proposed NLRI for carrying Traffic Color across domains
*	Similar goal as SDWAN needing to propagating WAN port properties across domain/geolocations 

*	Cons:

*	Need to attach the attributes which haven’t been specified by the draft yet. 

 

Need to ask merging the content from draft-dunbar-idr-sdwan-port-safi-02.. 

 

 

We are looking for feedback to those analysis and options. 

 

Thank you very much 

Linda Dunbar