IETF Logo Mail Archive

Re: [Idr] Error in draft-ietf-idr-sdwan-edge-discovery use of Encapsulation Extended Community

Robert Raszuk <robert@raszuk.net> Wed, 28 February 2024 22:22 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFC7EC14F61E for <idr@ietfa.amsl.com>; Wed, 28 Feb 2024 14:22:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XcTGUpyfiL65 for <idr@ietfa.amsl.com>; Wed, 28 Feb 2024 14:22:01 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 972FEC14F604 for <idr@ietf.org>; Wed, 28 Feb 2024 14:22:01 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id 38308e7fff4ca-2d24a727f78so2920171fa.0 for <idr@ietf.org>; Wed, 28 Feb 2024 14:22:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; t=1709158920; x=1709763720; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ovzVDDQMnXZV/WZJ+QSB+WeQVJ0lWMMa9+DRWxukDoo=; b=YdmyF9AC9D3XuWuBD1EF+tAdBWFOhfwlTdEL0xIm/2DnSVmPe6ycVQQBZTlT8TfZwO FvJTGy26oE+4vW5iQPv/6owxnjIPz0tfxkLBfj8JFu3Bcv07OIOAgDYoKMWQJ081Yg5j oi1d2X0y7+/UkuPfeHtfN54889Cbwr350p33oF+BLjEufhg/agLtn7W0FYMMD6hlwfT0 6xO/PXAMT3PqYzcT64xtzeYZVsUJzJQR6VUPBhrGktMNsAediDYeIjzl6u0bgxCp5nED CpW903WF5VOyXEJxbdva1Mpm1HGJpd2etgVj6FNxNRAndR3Tp0q7KpMXqtJUAlf24p6d kvfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709158920; x=1709763720; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ovzVDDQMnXZV/WZJ+QSB+WeQVJ0lWMMa9+DRWxukDoo=; b=LXSuRYXSV1RBIk8eD62PWiRiDkk/KPr0yxBgkyOcN5AyKSq+jXpkLRsSytwsbXrbe2 63ize2sxyiKL3+DqHYmOdmbT80OBXenG3EzUtJx66NayMILo+LPpDMS8Su3/0/P9phci 9biU5qaiQwB3iMqKs5c54ivcwQzf/k0Zko9gcuJY3XxnSmOjS7BKzwTy8owYo7D8gUSr P9cNZoIzLaqSeuGz9eqroTkNxMfgUlleqoAzG14IkUGXnMkWlSD534IW3myozhR8S8UZ Ub6VmracLsIlihAMJ+28yamcXYva/1H/be8O+jis017PkyQGUVRREOBqh2aKqombNQXA U8kg==
X-Forwarded-Encrypted: i=1; AJvYcCU8NZo8NvZ02FjsUClzttPQkf9BUOAIOMu0yuFfJBori02h+pb9KBhiMaN2C5yHtn5JTQQX5AelTAQdsLM=
X-Gm-Message-State: AOJu0YxUwa9C6GIgbEGw8R5cZoggnxnJVZuraR1Y9RCLCcP7GcMxxQa9 lVmEjF7GIsATjD2OFfgkOTcpoPy92eKOEO1CpABKK06cVXz0kLkMMISOnz7qAgFHPYwSrnW8QQl IN7QfhRU6dGDP1BhvCSlejpuZtK/i/aLG3LglUA==
X-Google-Smtp-Source: AGHT+IEQEWP8pzhQY9cP6hoWD61v7l7lMZAsNqO0nJ8uLn8Nz1XJvFtnKoZlZmaFXKv9Onc8TL1EfCsF9qvlnaQ/Dic=
X-Received: by 2002:a05:651c:c3:b0:2d2:3c10:4b6c with SMTP id 3-20020a05651c00c300b002d23c104b6cmr107251ljr.24.1709158919185; Wed, 28 Feb 2024 14:21:59 -0800 (PST)
MIME-Version: 1.0
References: <7FDF55CE-3E6B-47EC-8504-C9884BD212A9@juniper.net> <CO1PR13MB4920A302CE1D5AE545CD243485592@CO1PR13MB4920.namprd13.prod.outlook.com> <3CC853C3-960C-4AE2-BB45-69E8F48356B9@juniper.net> <CO1PR13MB4920C89AD7FCF4245DF9444185592@CO1PR13MB4920.namprd13.prod.outlook.com> <ADCCB1FE-0D12-480D-B0E1-C57B85204D6F@juniper.net> <DM6PR08MB4857F900ACB8589E9BDCBB58B3582@DM6PR08MB4857.namprd08.prod.outlook.com>
In-Reply-To: <DM6PR08MB4857F900ACB8589E9BDCBB58B3582@DM6PR08MB4857.namprd08.prod.outlook.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Wed, 28 Feb 2024 23:21:47 +0100
Message-ID: <CAOj+MMFN0JmA17qpnXf2Yhvqky1OtGUQJcT6c8tcv4Cqv4BAwg@mail.gmail.com>
To: Susan Hares <shares@ndzh.com>
Cc: John Scudder <jgs@juniper.net>, Linda Dunbar <linda.dunbar@futurewei.com>, "idr@ietf.org" <idr@ietf.org>, "draft-ietf-idr-sdwan-edge-discovery@ietf.org" <draft-ietf-idr-sdwan-edge-discovery@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003e3c58061278929f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Y-6NZcbhqa9GSKOmg7XXkjYjm14>
Subject: Re: [Idr] Error in draft-ietf-idr-sdwan-edge-discovery use of Encapsulation Extended Community
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 22:22:05 -0000

Hi Sue,

Yes this was my first thought as well after reading John's note.

However, as John observed already we need to be sure that we can not use
the next hop itself. Either explicitly from MP-REACH or if ever needed to
cross domains - implicitly via Multi-Next-Hop new attribute.

Thx,
R.

On Wed, Feb 28, 2024 at 11:04 PM Susan Hares <shares@ndzh.com> wrote:

> John and Linda:
>
>
>
> Client routes use of the TEA just Tunnel Egress Endpoint.
>
> The tunnel endpoint identifies a tunnel of type  SD-WAN-Hybrid.
>
>
>
> The details of this internal tunnel are passed in the SD-WAN NLRI + TEA.
>
>
>
> If this usage is clearly specified for the Tunnel type =15,
>
> It does not seem to break the text of RFC9012.
>
>
>
> The draft-ietf-idr-sdwan-edge-discovery procedures need to differentiate
> the
>
> Processing for NLRI SAFI (1/128 or 2/128)  versus  SD-WAN SAFI.
>
> (IMO – the draft-ietf-idr-sdwan-edge-discovery needs to be adjust to make
> this clear. )
>
>
>
> Sue
>
>
>
>
>
> *From:* John Scudder <jgs@juniper.net>
> *Sent:* Tuesday, February 27, 2024 6:51 PM
> *To:* Linda Dunbar <linda.dunbar@futurewei.com>
> *Cc:* idr@ietf.org; draft-ietf-idr-sdwan-edge-discovery@ietf.org
> *Subject:* Re: Error in draft-ietf-idr-sdwan-edge-discovery use of
> Encapsulation Extended Community
>
>
>
>
>
> Hi Linda,
>
>
>
> That’s not how the Encapsulation Extended Community is defined. Please see
> RFC 9012 Section 4.1. As I wrote in my first note in this thread, it looks
> like what you should be specifying for client routes, is that they do NOT
> include an Encapsulation Extended Community, and that they DO recurse (via
> their next hop) to another route that carries the tunnel information (you
> call this “UPDATE 2”).
>
>
>
> If, after reading RFC 9012 Section 4.1 you still think Encapsulation
> Extended Community can be used in the way you’ve written, I’d be interested
> in knowing exactly why, because we tried to be clear in 9012 that an
> Encapsulation Extended Community is exactly and only an alias for a
> “barebones Tunnel TLV”, i.e. I Tunnel TLV that has no sub-TLVs other than
> Tunnel Egress Endpoint.
>
>
>
> —John
>
>
>
> > On Feb 27, 2024, at 6:35 PM, Linda Dunbar <linda.dunbar@futurewei.com>
> wrote:
>
> >
>
> >
>
> > John,  See the answers below:  -----Original Message-----
>
> > From: John Scudder <jgs@juniper.net>
>
> > Sent: Tuesday, February 27, 2024 5:10 PM
>
> > To: Linda Dunbar <linda.dunbar@futurewei.com>
>
> > Cc: idr@ietf.org; draft-ietf-idr-sdwan-edge-discovery@ietf.org
>
> > Subject: Re: Error in draft-ietf-idr-sdwan-edge-discovery use of
> Encapsulation Extended Community
>
> >  Hi Linda,
>
> >  What are the semantics of a Tunnel Encapsulation path attribute, with
> tunnel type = SD-WAN-Hybrid, and no sub-TLVs other than egress endpoint?
>
> >  [Linda] There ARE sub-TLVs under the Tunnel Encapsulation Path
> Attribute, which specifies the detailed attributes associated with the
> IPsec tunnel for the SD-WAN Edge’s WAN Ports. I am trying to say that there
> are NO sub-TLVs under the client routes UPDATE (which has Encapsulation
> Extended Community)
>
> >  draft-ietf-bess-bgp-sdwan-usage-20 describe how to use BGP,  stating
> There are two UPDATE2:
>
> > 1) UPDATE 1 is for Client Route UPDATE (which follows the traditional
> BGP-based client routes)
>
> > 2) UPDATE 2 for the Edges to advertise the WAN port information. In the
> UPDATE2, the Route prefix is the WAN port address.
>
> >  draft-ietf-idr-sdwan-edge-discovery-12 specifies the detailed BGP
> extension for UPDDATE2. The UPDATE 2 has Tunnel Encapsulation Path
> Attribute with a new NLRI for Underlay Tunnel Update and the sub-TLVs
> specified in the document.  Linda  —John
>
> >  > On Feb 27, 2024, at 6:03 PM, Linda Dunbar <linda.dunbar@futurewei.com>
> wrote:
>
> > > > > [External Email. Be cautious of content]
>
> > > > > John  The  Encapsulation Extended Community is only in the client
> routes BGP UPDATE, which is the BGP-based VPN/EVPN client routes UPDATE
> message. There are no sub-TLVs added. Section 6's first paragraph states
> the Client Route UPDATE follows the BGP-based VPN/EVPN client route UPDATE
> message..  The sub-TLVs discussed in the draft are under the Tunnel
> Encapsulation Path attribute in a separate UPDATE (U2 in the document)
> which DOES NOT have Encapsulation Extended Community for SD-WAN edges to
> advertise the information about their WAN ports. Please see below for the
> details.
>
> > >  p.s. Are you referring to version-20?   Linda
>
> > > -----Original Message-----
>
> > > From: John Scudder <jgs@juniper.net>
>
> > > Sent: Tuesday, February 27, 2024 2:42 PM
>
> > > To: draft-ietf-idr-sdwan-edge-discovery@ietf.org
>
> > > Cc: idr@ietf.org
>
> > > Subject: Error in draft-ietf-idr-sdwan-edge-discovery use of >
> Encapsulation Extended Community  Hi Authors, WG,  I just noticed >
> draft-ietf-idr-sdwan-edge-discovery-12 and was looking at its use of RFC
> 9012. There seems to be a fundamental misunderstanding of how the
> Encapsulation Extended Community can be used, and I thought you should be
> aware of it. TL;DR, you’re specifying the use of SD-WAN-Hybrid tunnel type
> in an Encapsulation Extended Community, but this isn’t allowed. Details
> follow.
>
> > >  [Linda] That is just an example for needing a different Tunnel Type >
> in the Encapsulation Extended Community
>
> > >  - RFC 9012, Section 4.1 tells us that the only permissible use of the
> Encapsulation Extended Community is when there are *no sub-TLVs*, other
> than the Address Family sub-TLV (item 3 in the list of conditions).
>
> > > [Linda] That is our understanding as well. This document doesn’t
> specify additional sub-TLVs to be added to the BGP UPDATE with the
> Encapsulation Extended Community.
>
> > >  - In draft-ietf-idr-sdwan-edge-discovery-12 Section 6.3 we see the
> definition of the IPsec-SA-ID Sub-TLV of the SD-WAN-Hybrid tunnel type.
> This seems pretty central to the purpose of the spec. So, the SD-WAN-Hybrid
> tunnel type does have sub-TLVs in addition to the Address Family, and
> therefore MUST NOT be used in an Encapsulation Extended Community.
>
> > > [Linda] All those sub-TLVs are NOT used with Encapsulation Extended
> Community. Those Sub-TLVs are under the Tunnel Encapsulation Path attribute
> in a separate UPDATE (U2 in the document) for SD-WAN edges to advertise the
> information about their WAN ports. There is no Encapsulation Extended
> Community included when an edge node advertises its WAN port information.
> Please see Section 5 for BGP Walk Through details.
>
> > >  - Also, in draft-ietf-idr-sdwan-edge-discovery-12 Section 5.1 we see
> that the client route update uses the Encapsulation Extended Community
> (emphasis added):
>
> > >  [Linda] The Client Route UPDATE can use the Extended Community to
> indicate that their associated tunnel information is advertised by separate
> UDPATE. The purpose is to reduce the size of the Clint Route UPDATE message
> size because the tunnel associated with IPsec has a lot of information to
> be exchanged. They don’t change at the same frequency as the Client Routes.
>
> > > ```
>
> > > 5.  Client Route UPDATE
>
> > >     The SD-WAN network's Client Route UPDATE message is the same as the
>
> > >    L3 VPN or EVPN client route UDPATE message.  The SD-WAN Client Route
>
> > >    UPDATE message uses the **Encapsulation Extended Community** and the
>
> > >    Color Extended Community to link with the SD-WAN Underlay UPDATE
>
> > >    Message.
>
> > > ```
>
> > >  - It’s clear from other parts of the spec that the tunnel type is
> SD-WAN-Hybrid, for example, this is both stated in Section 3.3, and then
> used in the example (same section).
>
> > > [Linda] The Client Route Update message is NOT using RFC9012. Here is
> to indicate that another type might be needed. As this is a BGP usage
> draft, with the intent to explain how to use BGP, with the justification to
> BGP extension later.  - But RFC 9012 §4.1 told us we can’t use a tunnel
> type with sub-TLVs as an Encapsulation Extended Community!
>
> > > [Linda] The Client Route Update message is NOT using RFC9012.
>
> > >  I think what you really must be trying to do is use the Tunnel
> Encapsulation attribute (only!) to carry the SD-WAN-Hybrid in the SD-WAN
> Underlay route, and then have the client routes making use of that tunnel
> recurse into the underlay route (including tunnel) as per RFC 9012 Section
> 8. Note that Section 8 does NOT require that the client route carry the
> Encapsulation Extended Community — the next hop address is both necessary
> and sufficient to effectuate the linkage to the underlay route.
>
> > > [Linda] You are correct. The Tunnel Encapsulation Attribute is used to
> carry the SD-WAN-Hybrid for SD-WAN edge nodes to advertise the WAN ports
> (i.e. the under route).
>
> > >    Thanks,
>
> > >  —John
>
>
>
>
>

v2.23.0 | Report a Bug | By Email