Re: [Idr] draft-hujun-idr-bgp-ipsec
Robert Raszuk <robert@raszuk.net> Sat, 09 March 2019 14:06 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8635C1276D0 for <idr@ietfa.amsl.com>; Sat, 9 Mar 2019 06:06:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7jmHkbgi8mRf for <idr@ietfa.amsl.com>; Sat, 9 Mar 2019 06:06:23 -0800 (PST)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A26FD126E5C for <idr@ietf.org>; Sat, 9 Mar 2019 06:06:22 -0800 (PST)
Received: by mail-qt1-x831.google.com with SMTP id s1so405181qte.5 for <idr@ietf.org>; Sat, 09 Mar 2019 06:06:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TSjaT7ccfEbuhhWBnJumPgTVj40Nfz8suTd7qvAOzuM=; b=CY+J2KldJB5IWOqh884jf6DsVnDGovItmJdnc+rjP7agiyjgFZ4BhippbwSKHvsecq 7Qlk38+nXSKeiDzkpdIIHRpIcMQL8K4u6+uzBgtA5aIwvWc48spf+odbSOGzLgxs4Qav y+D5SjzHjYGlxt+uDCZqYYzyoLDg/gl6w79MG5JhHFT24lLVKNRkT0EJY17WKxnIJQl1 TL44huZ8dkTi4EAr2y+cd4G+fHVcFTwhbRNXEZ5JaRhITwNTI4PVY800SOJ3b7JMjzHi +ikE5RlPf3iNnRwGDZeRN7hS7kHi9jLScfpkXP+Z5HEBlRmRVIPb5pAEh2UfkJGI1ix5 juCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TSjaT7ccfEbuhhWBnJumPgTVj40Nfz8suTd7qvAOzuM=; b=ihhxvo2n/H5MB/wFD33Vsapeyxcae1U1V5uUM0cIYXp6CndGFN2bgDWThSrPRy6VCt a3YVZxAgkrP2RmDFQGH9lcSScvoO/Tz3sXZh0NZah5JK1i72if0D06N3PxPwLWAlckQw fgQHZeLkqC57HkADiFArW+nYMi8M0t0mxk6eF/EmEjneTZ1pItjkZw76vRRx+e00RiYW 5naDFdAL1nJkbM0KCbJL7ysha+BjCBGN/HqVoIyxDVPRpXLzqr7zHejEJsm2ATC5oCL9 ehYRJWtlAkTULmtSL7d5cCi8B7poweeEA1tyg80ggptLkOEvB3UVU6sW5/Rcw+4EeOKN ewqg==
X-Gm-Message-State: APjAAAVpWY7DYYcIN4gkFZHVIz3QVwg505akoLH4OFQXBwhEWqT4e3Ca cWYbnycP34PLHLILpzhLp3+yMXxWHYGp4ruY9cWEIg==
X-Google-Smtp-Source: APXvYqxopqqGKtwH6spdH+BMQWu8HDSqi85tju8q2cI89+o+6+Mimp18BUzFxCfbFzpUiwRTPf/VAQBIo62BrSvTHGM=
X-Received: by 2002:ac8:6bc8:: with SMTP id b8mr120571qtt.219.1552140381647; Sat, 09 Mar 2019 06:06:21 -0800 (PST)
MIME-Version: 1.0
References: <CAOj+MMGYYO-0CmnGeXMfRo+VnVV0pYdyrR-ds56mqoRoLsh8Ew@mail.gmail.com> <PR1PR07MB5755FF20AC4C0309ED2B170D954D0@PR1PR07MB5755.eurprd07.prod.outlook.com> <CAOj+MMGmqx5+p4ZyjaKpQ-2+83kFBqUmT6XvnwHNnd9-0K735Q@mail.gmail.com> <PR1PR07MB57559863F4ABDF1C509B2EAE954D0@PR1PR07MB5755.eurprd07.prod.outlook.com> <CAOj+MME-wJVFZGVXXH9aVoPKy59TxGjLAGvB10S9P4sLtZoLwA@mail.gmail.com> <PR1PR07MB575593E68668F618C42AABBE954E0@PR1PR07MB5755.eurprd07.prod.outlook.com>
In-Reply-To: <PR1PR07MB575593E68668F618C42AABBE954E0@PR1PR07MB5755.eurprd07.prod.outlook.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Sat, 09 Mar 2019 15:06:12 +0100
Message-ID: <CAOj+MMHpqdmLG7c5oj0KmELLhqrEmoKTKDTHPeGx9Gw13BQ1Gw@mail.gmail.com>
To: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
Cc: "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001709670583a9d800"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/_3YdqpJIXEox55MJ1dYIvzVJFTc>
Subject: Re: [Idr] draft-hujun-idr-bgp-ipsec
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Mar 2019 14:06:26 -0000
Hi, I see what the intention was, but the current draft does not reflect it well. You should change all occurrences of: " Tunnel Encapsulation Attribute for IPsec" or "IPsec tunnel encapsulation attribute" to "IPsec TLV" as there is no such thing like "IPSec tunnel encapsulation attribute" in [I-D.ietf-idr-tunnel-encaps]. But this proposal really defines mapping to IPSec tunnel (based on source & destination prefix and optionally its context) and not really how the IPSec tunnel would be established or what such encapsulation parameters would be. Context via a list of RTs and remote address prefixes are already indirectly supported today as color of tunnel would match color of extended communities attached to a dst routes so remote addresses for mapping packets within a specific context would be easily achieved today. IMO use of color reference should be preffered solution instead of re-defining a different way to accomplished the same here verbatim. Mapping based on src prefix perhaps indeed is missing - but I will leave it to WG in general what is the plan to handle src+dst mapping in [I-D.ietf-idr-tunnel-encaps]. In your specific example to achieve the required mapping the encoding would be following: *BGP UPDATE 1 - NLRI lo0 * Tunnel Encapsulation Attribute: IPsec TLV-1 - Remote Endpoint 1 sub-tlv - color A sub-tlv IPsec TLV-2 - Remote Endpoint 2 sub-tlv - color B sub-tlv *BGP UPDATE 2 - NLRI Prefix A* Encapsulation Extended Community Color A *BGP UPDATE 3 - NLRI Prefix B* Encapsulation Extended Community Color B Thx, R. Thx, R. On Sat, Mar 9, 2019 at 7:49 AM Hu, Jun (Nokia - US/Mountain View) < jun.hu@nokia.com> wrote: > Maybe the text in my draft needs to be more clear, but my draft is > referencing [I-D.ietf-idr-tunnel-encaps] ; Yes, according to section 1.4 > of [I-D.ietf-idr-tunnel-encaps], IPsec tunnel is out of its scope, that’s > why my draft says it extends [I-D.ietf-idr-tunnel-encaps] to support IPsec > tunnel; > > > > So when I say “the BGP update of NLRI prefix C need to include a Tunnel > Encap attr, which include two IPsec TLVs…”, it means the BGP update include > a Tunnel Encap attr as specified in section-2 of [I-D.ietf-idr-tunnel-encaps], > and this Tunnel Encap attr include two TLVs: > > - TLV-1: Tunnel Type is 4 (I propose to reuse 4 for IPsec tunnel), > TLV-1 contains following sub-TLV: > - Remote Endpoint (as specified in section 3.1 of > [I-D.ietf-idr-tunnel-encaps]) : local IPsec tunnel endpoint address > of advertising router > - remote-prefix : pA > - color (as specified in 3.4.2 of [I-D.ietf-idr-tunnel-encaps], but > has new semantics for IPsec): A > - TLV-2: Tunnel Type is 4 , TLV-2 contains following sub-TLV: > - Remote Endpoint: local IPsec tunnel endpoint address of > advertising router > - remote-prefix: pB > - color: B > > > > hope this make things clearer > > > > *From:* Robert Raszuk <robert@raszuk.net> > *Sent:* Friday, March 8, 2019 3:19 PM > *To:* Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com> > *Cc:* idr@ietf. org <idr@ietf.org> > *Subject:* Re: draft-hujun-idr-bgp-ipsec > > > > Hi, > > > > I think that the references are a bit wrong. And the confusion may be not > even your own fault, > > but IETF process related. > > > > I was looking for type 4 tunnel type in your normative reference but there > is none. > > > > [I-D.ietf-idr-tunnel-encaps] > > Rosen, E., Patel, K., and G. Velde, "The BGP Tunnel > > Encapsulation Attribute", draft-ietf-idr-tunnel-encaps-11 <https://tools.ietf.org/html/draft-ietf-idr-tunnel-encaps-11> > > (work in progress), February 2019. > > > > The reference your text may be referring to is perhaps RFC5566 instead > > since this is where type 4 for IPSec in Tunnel mode was defined. Different document. > > > > Unfortunately 5566 relied on 5512 which is obsoleted now. And we never > > concluded how any references to 5566 should be now handled. > > > > 1.4 > <https://tools.ietf.org/html/draft-ietf-idr-tunnel-encaps-11#section-1.4>. > Impact on RFC 5566 <https://tools.ietf.org/html/rfc5566> > > > > > > [RFC5566] uses the mechanisms defined in [RFC5512 <https://tools.ietf.org/html/rfc5512>]. While this > > document obsoletes [RFC5512 <https://tools.ietf.org/html/rfc5512>], it does not address the issue of how to > > use the mechanisms of [RFC5566 <https://tools.ietf.org/html/rfc5566>] without also using the Encapsulation > > SAFI. Those issues are considered to be outside the scope of this > > document. > > > > And [I-D.ietf-idr-tunnel-encaps] does not define anything for IPSec. > > > > So bottom line based on the current definition of Tunnel Encapsulation > > Attribute I am not sure where and how you want to provide the defined > > herein extensions. > > > > Therefor it is now hard to comment on encoding specifics of provided examples > > for two IPSec tunnel signalling options till normative references are sorted out. > > > > Thx, > > RR. > > > > > > On Fri, Mar 8, 2019 at 11:48 PM Hu, Jun (Nokia - US/Mountain View) < > jun.hu@nokia.com> wrote: > > I agree that making remote prefix sub-TLV optional and absence of it means > ANY is a better idea, will update the draft and example in it; > > > > To address use case in your email, the BGP update of NLRI prefix C need to > include a Tunnel Encap attr, which include two IPsec TLVs: > > - IPsec TLV-1: include remote-prefix sub-TLV pA and color sub TLV A > - IPsec TLV-2: include remote-prefix sub-TLV pB and color sub TLV B > > > > > > *From:* Robert Raszuk <robert@raszuk.net> > *Sent:* Friday, March 8, 2019 2:26 PM > *To:* Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com> > *Cc:* idr@ietf. org <idr@ietf.org> > *Subject:* Re: draft-hujun-idr-bgp-ipsec > > > > > > Ok that was not very clear from the draft. While your explanation is good > - there may be folks who will try to include all remote prefixes as this > sub-TLV is mandatory. I guess if instead of all zero's you make it also > optional the room for bad encoding becomes smaller. > > > > But let's assume that you have two different IPSec encapsulation > requirements A & B for the same local prefix C and two different remote > prefixes pA & pB. > > > > How would you encode it in the single update msg ? > > > > Thx, > > R. > > > > On Fri, Mar 8, 2019 at 10:31 PM Hu, Jun (Nokia - US/Mountain View) < > jun.hu@nokia.com> wrote: > > Thanks for reviewing the draft; > > In your example (500 routers), R2 doesn’t necessary need to advertise 500 > remote prefixes because if R2 doesn’t have 500 different types IPsec > encapsulation requirements for the NLRI, what it could do it just include a > single all-zero remote prefix, means traffic from any source destined to > this NLRI should use this particular IPsec tunnel encapsulation config; > and I would expect using all-zero remote prefix would be the common use > case; > > > > *From:* Robert Raszuk <robert@raszuk.net> > *Sent:* Friday, March 8, 2019 12:49 PM > *To:* Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com> > *Cc:* idr@ietf. org <idr@ietf.org> > *Subject:* draft-hujun-idr-bgp-ipsec > > > > Hi, > > > > I have read your proposal and have one question. > > > > The proposed encoding of additional sub-TLVs define local and remote > prefixes as traffic selectors. Looks great in your example of two end > points only. But introduction talks about scale so let's consider scale > factor. > > > > Assume you have 500 routers in the domain. > > > > When you advertise subnet B or C from R2 now you need to include in > mandatory Remote prefix sub-TLV 500 ingress prefixes as for each subnet > advertised you can only send it once in BGP. Then each ingress PE receiving > this huge list would need now to store all 500 ingress ACLs (mappings to > IPSec tunnels) where in fact perhaps realistically only one or two ingress > traffic subnets may ever be traversing via given edge router. > > > > And 500 is just following your example where ingress prefixes are directly > attached to ingress router (subnet A to R1). There can be valid mapping > cases where such sources are not directly attached. > > > > This really does not look at all efficient and is prone to generate a lot > of unnecessary state directly proportional to network size or expected > incoming src prefix number. > > > > If you really would like to use p2mp protocol for this configuration push > I would recommend to leave the current Tunnel Encapsulation Attribute > unchanged and simply propose to define a new SAFI with proper NLRI syntax > that it is precisely efficient to the very application you describe. > > > > Effectively what you are proposing is to carry in BGP src+dst based > mapping to IPSec tunnel deeply embedding this into sub-TLVs of tunnel > encapsulation attribute. > > > > In principle I agree that we do see more and more use cases for src+dst > based IP lookups both for native forwarding and with some form of > encapsulation but the proposed nested and not efficient encoding IMO > requires to be modified to work well in the assumed large scale. > > > > Thx a lot, > > R. > > > > > > > > > > > > > > > >
- [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)