IETF Logo Mail Archive

Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?

Keyur Patel <keyur@arrcus.com> Mon, 09 July 2018 21:14 UTC

Return-Path: <keyur@arrcus.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AE661274D0; Mon, 9 Jul 2018 14:14:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netorgft1331857.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1iJ1575Aq0Yr; Mon, 9 Jul 2018 14:14:40 -0700 (PDT)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0060.outbound.protection.outlook.com [104.47.37.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59523130E67; Mon, 9 Jul 2018 14:14:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=NETORGFT1331857.onmicrosoft.com; s=selector1-arrcus-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=53MlFmMf9g4WYUs383LMMcguPN+NGdr8+kmjHDUUsD4=; b=Z4tU7U7yYnYzPng5/OBo7ajcA0woIlyuCBs2MBR/+jwCnVD0/y4fUijkNzOcUquhXQ8tNzuzfpaB9PtvzDDiNHqGT9JC3O197jVLXwQIntx4nHbtJEBm0UWOFFmxnFeeqRCC5vleQM5zoNP759ZKuLkTWLff5nDS07kY02vB2Kc=
Received: from BY2PR18MB0328.namprd18.prod.outlook.com (10.163.192.30) by BY2PR18MB0198.namprd18.prod.outlook.com (10.163.67.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.930.19; Mon, 9 Jul 2018 21:14:36 +0000
Received: from BY2PR18MB0328.namprd18.prod.outlook.com ([fe80::f9b2:86c8:6b94:3e67]) by BY2PR18MB0328.namprd18.prod.outlook.com ([fe80::f9b2:86c8:6b94:3e67%4]) with mapi id 15.20.0930.016; Mon, 9 Jul 2018 21:14:36 +0000
From: Keyur Patel <keyur@arrcus.com>
To: Robert Raszuk <robert@raszuk.net>
CC: Linda Dunbar <linda.dunbar@huawei.com>, Jeff Tantsura <jefftant.ietf@gmail.com>, Eric C Rosen <erosen@juniper.net>, "idr@ietf.org" <idr@ietf.org>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
Thread-Topic: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?
Thread-Index: AQHUF8Lgg98GKrWUM0K+AXHY1KGfxqSHVzSAgAAB3gCAAAQ7AIAAAPgAgAAF4uE=
Date: Mon, 09 Jul 2018 21:14:35 +0000
Message-ID: <3F4185C0-BD2F-46E0-AB6C-89F40B52AE80@arrcus.com>
References: <78D707C9-6DC2-459F-81E4-A53B46F1F019@gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B0A8BCC@sjceml521-mbs.china.huawei.com> <DF0D0CFA-AFCA-44FF-ADD8-BE6EDC51AFEA@gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B0A8BEF@sjceml521-mbs.china.huawei.com>, <CA+b+ERmENsva=5ZT_4x8+NaokXCpBEN+LTU0xwhN_W4cvmOsqQ@mail.gmail.com>
In-Reply-To: <CA+b+ERmENsva=5ZT_4x8+NaokXCpBEN+LTU0xwhN_W4cvmOsqQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=keyur@arrcus.com;
x-originating-ip: [201.202.103.134]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2PR18MB0198; 7:UTCzGYTHIKlyjz7Iq8MlNGbjpddw0VdXAkezb52rjglkz0gsKYy6mpqBA4MDi4YHeFl9EiB+TRZEuFfk9piIl2VikCKUmSQi9A0TRZzYBD1XhyJoLFzMm1v6T5zdlm9ZEnLUla/OX9YDkO9lDpryRZERB2q7jAdM93InqTjXRQN9Q8V2iwV23aAEbzUvPG9ZMKFtQeL/gbuhTnLntoi/RutqLQSmK99Toa9/ootBFDpbk5jzekBBHuy0TKu/nLNs
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: bfd0ebd5-73d7-423f-c469-08d5e5e0f94e
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(7021125)(8989117)(5600053)(711020)(4534165)(7022125)(4603075)(4627221)(201702281549075)(8990107)(7048125)(7024125)(7027125)(7028125)(7023125)(2017052603328)(7153060)(7193020); SRVR:BY2PR18MB0198;
x-ms-traffictypediagnostic: BY2PR18MB0198:
x-microsoft-antispam-prvs: <BY2PR18MB01981479164DA562C43D01D2C1440@BY2PR18MB0198.namprd18.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(50582790962513)(85827821059158)(138986009662008);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(10201501046)(3231311)(944501410)(52105095)(149027)(150027)(6041310)(20161123560045)(20161123562045)(2016111802025)(20161123564045)(20161123558120)(6072148)(6043046)(201708071742011)(7699016); SRVR:BY2PR18MB0198; BCL:0; PCL:0; RULEID:; SRVR:BY2PR18MB0198;
x-forefront-prvs: 07283408BE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(39830400003)(136003)(366004)(376002)(346002)(21124004)(189003)(199004)(33656002)(68736007)(66066001)(102836004)(316002)(476003)(53546011)(478600001)(2900100001)(14454004)(606006)(966005)(36756003)(54896002)(446003)(186003)(486006)(6506007)(6246003)(6436002)(105586002)(11346002)(236005)(2616005)(6306002)(6512007)(53936002)(106356001)(5660300001)(6916009)(97736004)(83716003)(82746002)(14444005)(93886005)(25786009)(6486002)(4326008)(39060400002)(256004)(7736002)(5250100002)(99286004)(26005)(8676002)(81166006)(81156014)(8936002)(2906002)(3846002)(6116002)(76176011)(54906003)(86362001)(229853002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR18MB0198; H:BY2PR18MB0328.namprd18.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arrcus.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: e6XPumNfjeSdylICh42VLhZG/RflcjbV4SMbBmzn8ctVlEyeyZCwIccO33hTvoxmG7SC1Pv/X9gz6dtjOTfv1ROceMgb9HGbflk5wFc6mCwb1rq1jZGHktOF2Ipo4Zm7Cw/n4aTT9xPj1F1o9ZC9AxGBZ6RGjHAfVR2RbUzBxW6X4mcrYXUdollK0bYNLPhOiEVTXopULCYT94wzBDzZlaQ+ZvRBQ7VOhTVHfzsgNMK4csZefG0ACQrlhP0j8QDeIpTZ1b0TJ+3i/3/lFbkERsy9K0XejRuqP1lSyMJs8flIGF6Z6TT8Bz08ImXNx1O8ZL47JmDpl91Znh7dBWVN3blKXRvUAZn7xjZhBdHfbZY=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_3F4185C0BD2F46E0AB6C89F40B52AE80arrcuscom_"
MIME-Version: 1.0
X-OriginatorOrg: arrcus.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bfd0ebd5-73d7-423f-c469-08d5e5e0f94e
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jul 2018 21:14:35.9354 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 697b3529-5c2b-40cf-a019-193eb78f6820
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR18MB0198
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Z9hYwLxdHPGwLd_CXTMHg4pNK5I>
Subject: Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 21:14:46 -0000

+1.  Exactly what Robert said.

Regards,
Keyur

On Jul 9, 2018, at 2:53 PM, Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>> wrote:

Hi Linda,

I think Jeff is asking why not to use well known community to scope the blast radius of the advertisement.

But personally I think this is pretty weak protection - if this would be the only protection against IPSec credential's hijack. IMO this needs to be protected a bit stronger such that even leak of the update will cause no harm or VPN compromise.

Thx,
R.



On Mon, Jul 9, 2018 at 10:50 PM, Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>> wrote:
Jeff,

The answer to your question “Why would you want to build what you are trying to do into protocol?” is

-        We want to use BGP to do more (i.e. use RR to distribute information injected from and by a controller). to eliminate dealing with the changes to NHRP/DSVPN.

Can you elaborate the “the existing technology”?

Linda

From: Jeff Tantsura [mailto:jefftant.ietf@gmail.com<mailto:jefftant.ietf@gmail.com>]
Sent: Monday, July 09, 2018 3:35 PM

To: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>; Eric C Rosen <erosen@juniper.net<mailto:erosen@juniper.net>>; idr@ietf.org<mailto:idr@ietf.org>; draft-ietf-idr-tunnel-encaps@ietf.org<mailto:draft-ietf-idr-tunnel-encaps@ietf.org>
Subject: Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?

Linda,

You meant to say – you’d use RR to distribute information injected from and by a controller?
Reflector (as the name suggests) reflects the routes, it doesn’t originates them as part of the reflector functionality  (it for sure could as a BGP speaker if such functionality is collocated with RR)

Please read my initial questions, it looks like what you are trying to achieve could be done with the existing technology.
Thanks!

Cheers,
Jeff

From: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>
Date: Monday, July 9, 2018 at 13:28
To: Jeff Tantsura <jefftant.ietf@gmail.com<mailto:jefftant.ietf@gmail.com>>, Eric C Rosen <erosen@juniper.net<mailto:erosen@juniper.net>>, "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>, "draft-ietf-idr-tunnel-encaps@ietf.org<mailto:draft-ietf-idr-tunnel-encaps@ietf.org>" <draft-ietf-idr-tunnel-encaps@ietf.org<mailto:draft-ietf-idr-tunnel-encaps@ietf.org>>
Subject: RE: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?

Jeff,

We would like to use RR as controller to distribute more detailed tunnel information, such as IPsec configuration & keys because in managed large scale Overlay deployment (SD-WAN), it doesn’t scale to allow all CPEs to negotiate IPsec keys.

Linda

From: Jeff Tantsura [mailto:jefftant.ietf@gmail.com]
Sent: Monday, July 09, 2018 3:25 PM
To: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>; Eric C Rosen <erosen@juniper.net<mailto:erosen@juniper.net>>; idr@ietf.org<mailto:idr@ietf.org>; draft-ietf-idr-tunnel-encaps@ietf.org<mailto:draft-ietf-idr-tunnel-encaps@ietf.org>
Subject: Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?

Hi Linda,

Why would you want to build what you are trying to do into protocol?
#1 local policy
#2  NO_ADVERTISE does that exactly

Cheers,
Jeff

From: Idr <idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>> on behalf of Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>
Date: Monday, July 9, 2018 at 13:14
To: Eric C Rosen <erosen@juniper.net<mailto:erosen@juniper.net>>, "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>, "draft-ietf-idr-tunnel-encaps@ietf.org<mailto:draft-ietf-idr-tunnel-encaps@ietf.org>" <draft-ietf-idr-tunnel-encaps@ietf.org<mailto:draft-ietf-idr-tunnel-encaps@ietf.org>>
Subject: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?

Eric,

draft-ietf-idr-tunnel-encaps-09 discussed ways to resolve conflicts of multiple UPDATE messages with Tunnel Encap attributes.

Is it possible to have following capability?
-        Have a bit indicating a specific UPDATE is from authoritative source, therefore overwrite all other Tunnel Attributes for the Prefix X to avoid recursive next hop issues and tunnel selection at the receiving Router?
-        Have a bit indicating that a specific UPDATE only contain Tunnel attributes for the receiving Router, therefore can’t be forwarded?


You said that SAFI 7 is deprecated because no one seemed interested in using it. We are very interested in using it because
-        it can be easily distinguished from normal  BGP UPDATE
-         The receiving router doesn’t have to “Filter” the tunnel attributes before forwarding to others.
-        Can even be used for passing reconfigured IPsec keys to two ends of a tunnel.

Therefore we think SAFI 7 should be reserved.

Thanks, Linda Dunbar

From: Eric C Rosen [mailto:erosen@juniper.net]
Sent: Tuesday, July 03, 2018 12:21 PM
To: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>; idr@ietf.org<mailto:idr@ietf.org>; draft-ietf-idr-tunnel-encaps@ietf.org<mailto:draft-ietf-idr-tunnel-encaps@ietf.org>
Subject: Re: What are side effect for having Encap SAFI? can draft-ietf-idr-tunnel-encaps-09 preserve trigger tunnel creation before VPN is established?

On 7/2/2018 6:31 PM, Linda Dunbar wrote:

Eric, IDR group,

It is indicated that RFC5512 is to be replaced by draft-ietf-idr-tunnel-encaps. But draft-ietf-idr-tunnel-encaps-09 stated that it deprecates the
Encapsulation SAFI.

We find the Encapsulation SAFI is quite useful for CPE based EVPN.  For example, a Controller (say RR) can send an update with Encapsulation SAFI to two end points to trigger a tunnel establishment between them.
What are side effect for having Encap SAFI? Can we preserve it in draft-ietf-idr-tunnel-encaps?

Thanks, Linda Dunbar


SAFI 7 was deprecated because no one seemed interested in using it, it creates additional operational issues, there is no real need for it, and it was discouraging folks from actually using the Tunnel Encapsulation attribute.  This is discussed briefly in section 1.2 of the draft.

You can get a similar effect by using the technique described in section 7 of the draft.

If PE1 is the egress point of a tunnel, have PE1 originate an UPDATE whose NLRI is PE1's loopback address.  Put the Tunnel Encapsulation attribute (with PE1 as remote endpoint) on this UPDATE.  (The next hop field of this UPDATE doesn't really matter, as long as it is resolvable.)  When PE1 originates VPN routes, it sets the next hop to be its loopback address.  Per section 7, this will result in packets being sent to PE1 though the specified tunnel.


_______________________________________________ Idr mailing list Idr@ietf.org<mailto:Idr@ietf.org> https://www.ietf.org/mailman/listinfo/idr

_______________________________________________
Idr mailing list
Idr@ietf.org<mailto:Idr@ietf.org>
https://www.ietf.org/mailman/listinfo/idr

v2.23.0 | Report a Bug | By Email