Re: [Idr] draft-hujun-idr-bgp-ipsec
Robert Raszuk <robert@raszuk.net> Sat, 09 March 2019 14:06 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8635C1276D0 for <idr@ietfa.amsl.com>; Sat, 9 Mar 2019 06:06:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7jmHkbgi8mRf for <idr@ietfa.amsl.com>; Sat, 9 Mar 2019 06:06:23 -0800 (PST)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A26FD126E5C for <idr@ietf.org>; Sat, 9 Mar 2019 06:06:22 -0800 (PST)
Received: by mail-qt1-x831.google.com with SMTP id s1so405181qte.5 for <idr@ietf.org>; Sat, 09 Mar 2019 06:06:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TSjaT7ccfEbuhhWBnJumPgTVj40Nfz8suTd7qvAOzuM=; b=CY+J2KldJB5IWOqh884jf6DsVnDGovItmJdnc+rjP7agiyjgFZ4BhippbwSKHvsecq 7Qlk38+nXSKeiDzkpdIIHRpIcMQL8K4u6+uzBgtA5aIwvWc48spf+odbSOGzLgxs4Qav y+D5SjzHjYGlxt+uDCZqYYzyoLDg/gl6w79MG5JhHFT24lLVKNRkT0EJY17WKxnIJQl1 TL44huZ8dkTi4EAr2y+cd4G+fHVcFTwhbRNXEZ5JaRhITwNTI4PVY800SOJ3b7JMjzHi +ikE5RlPf3iNnRwGDZeRN7hS7kHi9jLScfpkXP+Z5HEBlRmRVIPb5pAEh2UfkJGI1ix5 juCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TSjaT7ccfEbuhhWBnJumPgTVj40Nfz8suTd7qvAOzuM=; b=ihhxvo2n/H5MB/wFD33Vsapeyxcae1U1V5uUM0cIYXp6CndGFN2bgDWThSrPRy6VCt a3YVZxAgkrP2RmDFQGH9lcSScvoO/Tz3sXZh0NZah5JK1i72if0D06N3PxPwLWAlckQw fgQHZeLkqC57HkADiFArW+nYMi8M0t0mxk6eF/EmEjneTZ1pItjkZw76vRRx+e00RiYW 5naDFdAL1nJkbM0KCbJL7ysha+BjCBGN/HqVoIyxDVPRpXLzqr7zHejEJsm2ATC5oCL9 ehYRJWtlAkTULmtSL7d5cCi8B7poweeEA1tyg80ggptLkOEvB3UVU6sW5/Rcw+4EeOKN ewqg==
X-Gm-Message-State: APjAAAVpWY7DYYcIN4gkFZHVIz3QVwg505akoLH4OFQXBwhEWqT4e3Ca cWYbnycP34PLHLILpzhLp3+yMXxWHYGp4ruY9cWEIg==
X-Google-Smtp-Source: APXvYqxopqqGKtwH6spdH+BMQWu8HDSqi85tju8q2cI89+o+6+Mimp18BUzFxCfbFzpUiwRTPf/VAQBIo62BrSvTHGM=
X-Received: by 2002:ac8:6bc8:: with SMTP id b8mr120571qtt.219.1552140381647; Sat, 09 Mar 2019 06:06:21 -0800 (PST)
MIME-Version: 1.0
References: <CAOj+MMGYYO-0CmnGeXMfRo+VnVV0pYdyrR-ds56mqoRoLsh8Ew@mail.gmail.com> <PR1PR07MB5755FF20AC4C0309ED2B170D954D0@PR1PR07MB5755.eurprd07.prod.outlook.com> <CAOj+MMGmqx5+p4ZyjaKpQ-2+83kFBqUmT6XvnwHNnd9-0K735Q@mail.gmail.com> <PR1PR07MB57559863F4ABDF1C509B2EAE954D0@PR1PR07MB5755.eurprd07.prod.outlook.com> <CAOj+MME-wJVFZGVXXH9aVoPKy59TxGjLAGvB10S9P4sLtZoLwA@mail.gmail.com> <PR1PR07MB575593E68668F618C42AABBE954E0@PR1PR07MB5755.eurprd07.prod.outlook.com>
In-Reply-To: <PR1PR07MB575593E68668F618C42AABBE954E0@PR1PR07MB5755.eurprd07.prod.outlook.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Sat, 09 Mar 2019 15:06:12 +0100
Message-ID: <CAOj+MMHpqdmLG7c5oj0KmELLhqrEmoKTKDTHPeGx9Gw13BQ1Gw@mail.gmail.com>
To: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
Cc: "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001709670583a9d800"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/_3YdqpJIXEox55MJ1dYIvzVJFTc>
Subject: Re: [Idr] draft-hujun-idr-bgp-ipsec
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Mar 2019 14:06:26 -0000
Hi,
I see what the intention was, but the current draft does not reflect it
well.
You should change all occurrences of: " Tunnel Encapsulation Attribute for
IPsec" or "IPsec tunnel encapsulation attribute"
to "IPsec TLV" as there is no such thing like "IPSec tunnel encapsulation
attribute" in [I-D.ietf-idr-tunnel-encaps].
But this proposal really defines mapping to IPSec tunnel (based on source &
destination prefix and optionally its context) and not really how the IPSec
tunnel would be established or what such encapsulation parameters would be.
Context via a list of RTs and remote address prefixes are already
indirectly supported today as color of tunnel would match color of extended
communities attached to a dst routes so remote addresses for mapping
packets within a specific context would be easily achieved today. IMO use
of color reference should be preffered solution instead of re-defining a
different way to accomplished the same here verbatim.
Mapping based on src prefix perhaps indeed is missing - but I will leave it
to WG in general what is the plan to handle src+dst mapping
in [I-D.ietf-idr-tunnel-encaps].
In your specific example to achieve the required mapping the encoding would
be following:
*BGP UPDATE 1 - NLRI lo0 *
Tunnel Encapsulation Attribute:
IPsec TLV-1
- Remote Endpoint 1 sub-tlv
- color A sub-tlv
IPsec TLV-2
- Remote Endpoint 2 sub-tlv
- color B sub-tlv
*BGP UPDATE 2 - NLRI Prefix A*
Encapsulation Extended Community
Color A
*BGP UPDATE 3 - NLRI Prefix B*
Encapsulation Extended Community
Color B
Thx,
R.
Thx,
R.
On Sat, Mar 9, 2019 at 7:49 AM Hu, Jun (Nokia - US/Mountain View) <
jun.hu@nokia.com> wrote:
> Maybe the text in my draft needs to be more clear, but my draft is
> referencing [I-D.ietf-idr-tunnel-encaps] ; Yes, according to section 1.4
> of [I-D.ietf-idr-tunnel-encaps], IPsec tunnel is out of its scope, that’s
> why my draft says it extends [I-D.ietf-idr-tunnel-encaps] to support IPsec
> tunnel;
>
>
>
> So when I say “the BGP update of NLRI prefix C need to include a Tunnel
> Encap attr, which include two IPsec TLVs…”, it means the BGP update include
> a Tunnel Encap attr as specified in section-2 of [I-D.ietf-idr-tunnel-encaps],
> and this Tunnel Encap attr include two TLVs:
>
> - TLV-1: Tunnel Type is 4 (I propose to reuse 4 for IPsec tunnel),
> TLV-1 contains following sub-TLV:
> - Remote Endpoint (as specified in section 3.1 of
> [I-D.ietf-idr-tunnel-encaps]) : local IPsec tunnel endpoint address
> of advertising router
> - remote-prefix : pA
> - color (as specified in 3.4.2 of [I-D.ietf-idr-tunnel-encaps], but
> has new semantics for IPsec): A
> - TLV-2: Tunnel Type is 4 , TLV-2 contains following sub-TLV:
> - Remote Endpoint: local IPsec tunnel endpoint address of
> advertising router
> - remote-prefix: pB
> - color: B
>
>
>
> hope this make things clearer
>
>
>
> *From:* Robert Raszuk <robert@raszuk.net>
> *Sent:* Friday, March 8, 2019 3:19 PM
> *To:* Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>
> *Cc:* idr@ietf. org <idr@ietf.org>
> *Subject:* Re: draft-hujun-idr-bgp-ipsec
>
>
>
> Hi,
>
>
>
> I think that the references are a bit wrong. And the confusion may be not
> even your own fault,
>
> but IETF process related.
>
>
>
> I was looking for type 4 tunnel type in your normative reference but there
> is none.
>
>
>
> [I-D.ietf-idr-tunnel-encaps]
>
> Rosen, E., Patel, K., and G. Velde, "The BGP Tunnel
>
> Encapsulation Attribute", draft-ietf-idr-tunnel-encaps-11 <https://tools.ietf.org/html/draft-ietf-idr-tunnel-encaps-11>
>
> (work in progress), February 2019.
>
>
>
> The reference your text may be referring to is perhaps RFC5566 instead
>
> since this is where type 4 for IPSec in Tunnel mode was defined. Different document.
>
>
>
> Unfortunately 5566 relied on 5512 which is obsoleted now. And we never
>
> concluded how any references to 5566 should be now handled.
>
>
>
> 1.4
> <https://tools.ietf.org/html/draft-ietf-idr-tunnel-encaps-11#section-1.4>.
> Impact on RFC 5566 <https://tools.ietf.org/html/rfc5566>
>
>
>
>
>
> [RFC5566] uses the mechanisms defined in [RFC5512 <https://tools.ietf.org/html/rfc5512>]. While this
>
> document obsoletes [RFC5512 <https://tools.ietf.org/html/rfc5512>], it does not address the issue of how to
>
> use the mechanisms of [RFC5566 <https://tools.ietf.org/html/rfc5566>] without also using the Encapsulation
>
> SAFI. Those issues are considered to be outside the scope of this
>
> document.
>
>
>
> And [I-D.ietf-idr-tunnel-encaps] does not define anything for IPSec.
>
>
>
> So bottom line based on the current definition of Tunnel Encapsulation
>
> Attribute I am not sure where and how you want to provide the defined
>
> herein extensions.
>
>
>
> Therefor it is now hard to comment on encoding specifics of provided examples
>
> for two IPSec tunnel signalling options till normative references are sorted out.
>
>
>
> Thx,
>
> RR.
>
>
>
>
>
> On Fri, Mar 8, 2019 at 11:48 PM Hu, Jun (Nokia - US/Mountain View) <
> jun.hu@nokia.com> wrote:
>
> I agree that making remote prefix sub-TLV optional and absence of it means
> ANY is a better idea, will update the draft and example in it;
>
>
>
> To address use case in your email, the BGP update of NLRI prefix C need to
> include a Tunnel Encap attr, which include two IPsec TLVs:
>
> - IPsec TLV-1: include remote-prefix sub-TLV pA and color sub TLV A
> - IPsec TLV-2: include remote-prefix sub-TLV pB and color sub TLV B
>
>
>
>
>
> *From:* Robert Raszuk <robert@raszuk.net>
> *Sent:* Friday, March 8, 2019 2:26 PM
> *To:* Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>
> *Cc:* idr@ietf. org <idr@ietf.org>
> *Subject:* Re: draft-hujun-idr-bgp-ipsec
>
>
>
>
>
> Ok that was not very clear from the draft. While your explanation is good
> - there may be folks who will try to include all remote prefixes as this
> sub-TLV is mandatory. I guess if instead of all zero's you make it also
> optional the room for bad encoding becomes smaller.
>
>
>
> But let's assume that you have two different IPSec encapsulation
> requirements A & B for the same local prefix C and two different remote
> prefixes pA & pB.
>
>
>
> How would you encode it in the single update msg ?
>
>
>
> Thx,
>
> R.
>
>
>
> On Fri, Mar 8, 2019 at 10:31 PM Hu, Jun (Nokia - US/Mountain View) <
> jun.hu@nokia.com> wrote:
>
> Thanks for reviewing the draft;
>
> In your example (500 routers), R2 doesn’t necessary need to advertise 500
> remote prefixes because if R2 doesn’t have 500 different types IPsec
> encapsulation requirements for the NLRI, what it could do it just include a
> single all-zero remote prefix, means traffic from any source destined to
> this NLRI should use this particular IPsec tunnel encapsulation config;
> and I would expect using all-zero remote prefix would be the common use
> case;
>
>
>
> *From:* Robert Raszuk <robert@raszuk.net>
> *Sent:* Friday, March 8, 2019 12:49 PM
> *To:* Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>
> *Cc:* idr@ietf. org <idr@ietf.org>
> *Subject:* draft-hujun-idr-bgp-ipsec
>
>
>
> Hi,
>
>
>
> I have read your proposal and have one question.
>
>
>
> The proposed encoding of additional sub-TLVs define local and remote
> prefixes as traffic selectors. Looks great in your example of two end
> points only. But introduction talks about scale so let's consider scale
> factor.
>
>
>
> Assume you have 500 routers in the domain.
>
>
>
> When you advertise subnet B or C from R2 now you need to include in
> mandatory Remote prefix sub-TLV 500 ingress prefixes as for each subnet
> advertised you can only send it once in BGP. Then each ingress PE receiving
> this huge list would need now to store all 500 ingress ACLs (mappings to
> IPSec tunnels) where in fact perhaps realistically only one or two ingress
> traffic subnets may ever be traversing via given edge router.
>
>
>
> And 500 is just following your example where ingress prefixes are directly
> attached to ingress router (subnet A to R1). There can be valid mapping
> cases where such sources are not directly attached.
>
>
>
> This really does not look at all efficient and is prone to generate a lot
> of unnecessary state directly proportional to network size or expected
> incoming src prefix number.
>
>
>
> If you really would like to use p2mp protocol for this configuration push
> I would recommend to leave the current Tunnel Encapsulation Attribute
> unchanged and simply propose to define a new SAFI with proper NLRI syntax
> that it is precisely efficient to the very application you describe.
>
>
>
> Effectively what you are proposing is to carry in BGP src+dst based
> mapping to IPSec tunnel deeply embedding this into sub-TLVs of tunnel
> encapsulation attribute.
>
>
>
> In principle I agree that we do see more and more use cases for src+dst
> based IP lookups both for native forwarding and with some form of
> encapsulation but the proposed nested and not efficient encoding IMO
> requires to be modified to work well in the assumed large scale.
>
>
>
> Thx a lot,
>
> R.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
- [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)