Re: [Idr] [bess] IPSec Tunnels and draft-sajassi-bess-secure-evpn

Susan Hares <shares@ndzh.com> Mon, 03 August 2020 01:42 UTC

Return-Path: <shares@ndzh.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 446AE3A0EE1; Sun, 2 Aug 2020 18:42:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.765
X-Spam-Level: *
X-Spam-Status: No, score=1.765 tagged_above=-999 required=5 tests=[DOS_OUTLOOK_TO_MX=1.449, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, KHOP_HELO_FCRDNS=0.212, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id idxv4kL7CorG; Sun, 2 Aug 2020 18:42:07 -0700 (PDT)
Received: from hickoryhill-consulting.com (50-245-122-97-static.hfc.comcastbusiness.net [50.245.122.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B75223A0EE0; Sun, 2 Aug 2020 18:42:06 -0700 (PDT)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=50.107.100.94;
From: "Susan Hares" <shares@ndzh.com>
To: "'John E Drake'" <jdrake@juniper.net>, "'Rabadan, Jorge \(Nokia - US/Mountain View\)'" <jorge.rabadan@nokia.com>, "'Ali Sajassi \(sajassi\)'" <sajassi=40cisco.com@dmarc.ietf.org>, <bess@ietf.org>, <idr@ietf.org>
References: <007f01d664f3$e2b14ff0$a813efd0$@ndzh.com> <8A0EAEEB-52CA-48CB-BA5E-C64DFED1EEEF@cisco.com> <00ff01d66732$61fc9fe0$25f5dfa0$@ndzh.com>, <81323BB6-3CB2-4D95-BAAE-12B798267FB8@cisco.com> <MWHPR08MB35209E626BD777C81D5E8CB8F74F0@MWHPR08MB3520.namprd08.prod.outlook.com> <DM5PR05MB3388339EFAA7FF0681D25FE7C74C0@DM5PR05MB3388.namprd05.prod.outlook.com>
In-Reply-To: <DM5PR05MB3388339EFAA7FF0681D25FE7C74C0@DM5PR05MB3388.namprd05.prod.outlook.com>
Date: Sun, 2 Aug 2020 21:41:53 -0400
Message-ID: <003f01d66937$444998c0$ccdcca40$@ndzh.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0040_01D66915.BD3A42B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQH4NngJmhNd7Sc4WPNnARMeffEc5wHjB4nSAV5tMo0BiXSrzQFgM75zAkkap++onl78IA==
Content-Language: en-us
X-Antivirus: AVG (VPS 200802-4, 08/02/2020), Outbound message
X-Antivirus-Status: Not-Tested
X-Authenticated-User: skh@ndzh.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/_8KnGPZEos-TLol9qaeieu37fhY>
Subject: Re: [Idr] [bess] IPSec Tunnels and draft-sajassi-bess-secure-evpn
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2020 01:42:09 -0000

John: 

 

Thank you for your history lesson.    Implementation specifics helpful on
the IDR wiki page regarding tunnel-encapsulation draft. 

 

I suggest you chat with John Scudder (one of the co-authors on the draft)
regarding your concerns.  

 

Sue 

 

 

 

From: John E Drake [mailto:jdrake@juniper.net] 
Sent: Sunday, August 2, 2020 11:37 AM
To: Rabadan, Jorge (Nokia - US/Mountain View); Ali Sajassi (sajassi); Susan
Hares; bess@ietf.org; idr@ietf.org
Cc: Hu, Jun (Nokia - US/Mountain View)
Subject: RE: [bess] IPSec Tunnels and draft-sajassi-bess-secure-evpn

 

Hi,

 

I also agree with Ali.  Eric specifically included the Tunnel Encapsulation
Extended Community in his draft at our request in order to support RFC 8365.
I.e., the draft that became RFC 8365 initially used the Tunnel Encapsulation
Extended Community defined in RFC 5512 and pre-dated by several years the
initial version of Eric's draft, which did not have the Tunnel Encapsulation
Extended Community.

 

Yours Irrespectively,

 

John

 

 

Juniper Business Use Only

From: BESS <bess-bounces@ietf.org> On Behalf Of Rabadan, Jorge (Nokia -
US/Mountain View)
Sent: Saturday, August 1, 2020 4:30 AM
To: Ali Sajassi (sajassi) <sajassi=40cisco.com@dmarc.ietf.org>rg>; Susan Hares
<shares@ndzh.com>om>; bess@ietf.org; idr@ietf.org
Cc: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>
Subject: Re: [bess] IPSec Tunnels and draft-sajassi-bess-secure-evpn

 

[External Email. Be cautious of content]

 

I fully agree with Ali.

I think the VXLAN TLV only makes sense for other families, and not for EVPN.
We've done EVPN public interoperability for a few years and everyone uses
the BGP encap extends community.

 

Thanks,

Jorge 

 

  _____  

From: BESS <bess-bounces@ietf.org> on behalf of Ali Sajassi (sajassi)
<sajassi=40cisco.com@dmarc.ietf.org>
Sent: Saturday, August 1, 2020 03:18
To: Susan Hares; bess@ietf.org; idr@ietf.org
Cc: Hu, Jun (Nokia - US/Mountain View)
Subject: Re: [bess] IPSec Tunnels and draft-sajassi-bess-secure-evpn 

 

Sue,

 

I am afraid if we don't clean up the draft, it can cause confusion as it has
already and result in immediate errata filing for it after publication. A
sub-bullet got added to the latest rev (rev17) that is not correct. It says
that the VxLAN sub-tlv is sent with EVPN route when V bit not set. However,
EVPN never uses this sub-tlv as its routes has all the needed info.
Furthermore, RFC 8365 is very clear that EVPN uses Tunnel Encapsulation
Extended Community (per section 4.1). As I said, I am not aware of any of
the vendors using these sub-TVLs and it is easy to have a quick poll.

 

Regarding the paragraph that got omitted, it is making it much more
ambiguous than it used to. I would opt for clarifying the paragraph rather
than removing it. If needed I can provide an updated paragraph. Section 9 of
RFC 8365 specifies how a VPN multicast route can be advertised with PMSI
tunnel attribute and Encapsulation extended community and has been
implemented by many vendors.

 

Cheers,

Ali

 

 

From: Susan Hares <shares@ndzh.com>
Date: Friday, July 31, 2020 at 5:02 AM
To: Cisco Employee <sajassi@cisco.com>om>, "bess@ietf.org" <bess@ietf.org>rg>,
"idr@ietf.org" <idr@ietf.org>
Cc: "'Hu, Jun (Nokia - US/Mountain View)'" <jun.hu@nokia.com>
Subject: RE: IPSec Tunnels and draft-sajassi-bess-secure-evpn 

 

Ali:

 

It is wise to start with the RFC6514 and the
draft-ietf-idr-tunnel-encapsulation draft..   

 

[WG chair hat on] 

The tunnel-encapsulation draft has passed general WG LC - so it is
inappropriate to call for the request to remove these sections.  The WG LC
that is currently running is whether to remove the "AS" field from the
tunnel endpoint field, and replace it with a reserved field.. 

 

The implementation page is on: 

https://trac.ietf.org/trac/idr/wiki/draft-ietf-idr-tunnel-encaps%20implement
ations
<https://urldefense.com/v3/__https:/trac.ietf.org/trac/idr/wiki/draft-ietf-i
dr-tunnel-encaps*20implementations__;JQ!!NEt6yMaO-gk!W5VnNHyc3oP29X0LQ_irbST
b8nBnntL-309BArYBPAtGu2up9mlhbj7kYmr1rr8$> 

 

If you wish to provide information on the cisco implementation, you are
welcome to add information on the page. 

I can call for an update to the page from vendors.

 

[WG chair hat off[

[Document shepherd hat on] 

 

The issue is during the edits the text from RFC6514 from Eric Rosen was
unclear.  The text was: 

 

   It has been suggested that it may sometimes be useful to attach a

   Tunnel Encapsulation attribute to a BGP UPDATE message that is also

   carrying a PMSI (Provider Multicast Service Interface) Tunnel

   attribute [
<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc6514__;
!!NEt6yMaO-gk!W5VnNHyc3oP29X0LQ_irbSTb8nBnntL-309BArYBPAtGu2up9mlhbj7kV1TIii
U$> RFC6514].  If the PMSI Tunnel attribute specifies an IP

   tunnel, the Tunnel Encapsulation attribute could be used to provide

   additional information about the IP tunnel.  The usage of the Tunnel

   Encapsulation attribute in combination with the PMSI Tunnel attribute

   is outside the scope of this document.

 

Since the text itself was unclear what additional information could be
provided, the authors removed it from the draft. 

 

As we had not received any feedback about active RFC6514 interactions on the
list. 

 

[document shepherd off]

 

If you have an implementation of the interaction between the RF6514 and
tunnel encapsulation, it would be valuable to provide:

 

a)  either a draft specifying the interaction you wish to IDR WG, or  

b)  comments that could replace the original the original text. 

 

Since the IDR draft has gone through multiple WG LC and a very complete
review from Alvaro - so a quick response would be appreciated.   IMHO a
draft on the interaction between RFC6514 and the tunnel-encapsulation draft
- would be the best thing at this point.  Let me know if you are interested
in working on such a draft. 

 

Sue 

 

 

From: Ali Sajassi (sajassi) [mailto:sajassi@cisco.com] 
Sent: Friday, July 31, 2020 1:54 AM
To: Susan Hares; bess@ietf.org; idr@ietf.org
Cc: 'Hu, Jun (Nokia - US/Mountain View)'
Subject: Re: IPSec Tunnels and draft-sajassi-bess-secure-evpn 

 

<added idr@ietf.org>

 

Sue,

 

Before getting to the discussions of the three IPsec proposals, there are
some elements of draft-ietf-idr-tunnel-encaps-17.txt that I can see might
have caused some confusions and I'd like to get those sorted out first. 

 

The tunnel-encap draft specifies sub-tlv for VxLAN, VxLAN GDP, and NVGRE in
sections 3.2.1, 3.2.2, and 3.2.3. I am not aware of any vendor that has
implemented these sub-tlvs because the info in these sub-tlv already exist
in EVPN routes (e.g., MAC addresses, Ethernet Tags, etc.) which they have
implemented it. Therefore, all the vendors that I am aware of use Extended
Community  defined in section 4.1  along with EVPN routes to signal VxLAN
and GENEVE tunnel types. Furthermore, I am not aware of anyone using NVGRE
encap! So, as the first step, we should remove these three sections from the
draft if there is no objection. 

 

Cheers,

Ali

 

From: Susan Hares <shares@ndzh.com>
Date: Tuesday, July 28, 2020 at 8:30 AM
To: Cisco Employee <sajassi@cisco.com>om>, "bess@ietf.org" <bess@ietf.org>
Cc: "'Hu, Jun (Nokia - US/Mountain View)'" <jun.hu@nokia.com>
Subject: IPSec Tunnels and draft-sajassi-bess-secure-evpn 

 

Ali and bess WG: 

 

IDR has 3 proposals for IPsec tunnels that impact
draft-ietf-idr-tunnel-encaps-17.txt.  As an IDR co-chair/shepherd,  I have
been discussing these three drafts (Ali and two other authors sets) to try
to find out if we can have one general solutions.   

 

The discussion has been very fruitful to point up BGP issues of
interoperability, security, privacy, manageability, and scaling..  For
example, there is a lack of a clear specification between RFC6514 (PMSI
tunnel attribute) and the tunnel-encaps draft that specifies how these
drafts interoperate.  I suspect the bess and idr chairs will need to discuss
if tunnel-encaps has to address this point. 

 

I wrote up my ideas in draft-hares-idr-bgp-ipsec-analysis-00.txt so the
authors could tell me what I misunderstood.   You'll find this draft stops
half way.  I have the rest of the draft written, but I wanted feedback from
all the author teams before sending it out. 

 

After hearing some of the details from the authors, I would like to sponsor
an IDR interim so we could discuss these issues at length.   If you think
this is a good idea, please let me know. 

 

One other thing. unfortunately, I scheduled a set of meetings for EDT time
after IETF meetings this week.   Your next response will occur from 11-16
UTC on Wednesday. 

 

Cheerily, Sue