Re: [Idr] draft-hujun-idr-bgp-ipsec
Robert Raszuk <robert@raszuk.net> Fri, 08 March 2019 22:25 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E142D1277C9 for <idr@ietfa.amsl.com>; Fri, 8 Mar 2019 14:25:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yFNJpCev6rls for <idr@ietfa.amsl.com>; Fri, 8 Mar 2019 14:25:45 -0800 (PST)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9401612716C for <idr@ietf.org>; Fri, 8 Mar 2019 14:25:45 -0800 (PST)
Received: by mail-qk1-x731.google.com with SMTP id x6so12134952qki.6 for <idr@ietf.org>; Fri, 08 Mar 2019 14:25:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AI/9N6Kc+MdFM6rG+2nBFjwPcxVE+HnoX34I8pn/DYw=; b=UrVAYM5U8wMvrtnTbkWYvGhLie0pNdCkoepyMILcMbIb/6svNuaE9Aos3ybNJ+io/q HxNPcnvt7LuNB1115I8Cpn31/EMufNWvQAflZdsK1nxlmA1zQYC10rXh/C8Bo7b02cWw LetNpPLrq9AZpXABbao0xgFmjB4xspaQcBms5jJDVTWF2HZzS24WWRtOt/wNOX/1O7Hd s4+ff5cJTlY9jgb17KxnN5Uvo86lHZL6X51uBXt92I06/31QIbIXcbZ2z5M7TjCnils3 Nmx2k+a5xzuG+g0qRHVcDl7/5cLi4kQro7d9NyQiG1kTyzs52OcpZTQ6HqR1fCRdTZqA lk7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AI/9N6Kc+MdFM6rG+2nBFjwPcxVE+HnoX34I8pn/DYw=; b=AbB4AjRIpLNDgBDXRxu0/wviTUcX8wbJgFiiiIx5AUPZIQdn1gkQHvJqRS2JvaNOK2 14x1gk+GbM04TFE7elBJQ4H0/wNRUOwL4pXPMwVzRE8rJkAqbofOqsIGNnmalta7c/Cs NE1/Xk7BRLd6lQ4ZKinE2M5E7xh22Wfwn9HbyGp3pQMXT7XADOnbRHKwGp5yu2WALQTU SOcHErkf9DrJdHXTOrQhXnSJA3Ex3FR/GLA8x0+KeShI7U7v9KkiA6Yeudl1W7lx5ZN3 EAINKLJMehEIV4eLspBZqSjz7PF41ByvkyyiHS3R1LGGu46QPd59TdVZOklTjGvjn+M6 Bteg==
X-Gm-Message-State: APjAAAWiAMZ7Tw/xUNPWcKorfY85kfgEUe+X3aPxySa1I8QMuzjvXqwS EX0DtCcpfJof/4RjCjTwMv1EDo2tHe0Twjz5/m529w==
X-Google-Smtp-Source: APXvYqzKyxAtg8kHVF+DVd2H+5nKWmkIXlvZ0cRLQuwRzjIILgLrEFQnVM19QRdzSG6SX359DDStYuEjqgKArpgQmN8=
X-Received: by 2002:a37:bc04:: with SMTP id m4mr16020651qkf.41.1552083944699; Fri, 08 Mar 2019 14:25:44 -0800 (PST)
MIME-Version: 1.0
References: <CAOj+MMGYYO-0CmnGeXMfRo+VnVV0pYdyrR-ds56mqoRoLsh8Ew@mail.gmail.com> <PR1PR07MB5755FF20AC4C0309ED2B170D954D0@PR1PR07MB5755.eurprd07.prod.outlook.com>
In-Reply-To: <PR1PR07MB5755FF20AC4C0309ED2B170D954D0@PR1PR07MB5755.eurprd07.prod.outlook.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 08 Mar 2019 23:25:34 +0100
Message-ID: <CAOj+MMGmqx5+p4ZyjaKpQ-2+83kFBqUmT6XvnwHNnd9-0K735Q@mail.gmail.com>
To: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
Cc: "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002f8cde05839cb4ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/dg1uq_lragaEO-P5royJTBCbUok>
Subject: Re: [Idr] draft-hujun-idr-bgp-ipsec
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 22:25:48 -0000
Ok that was not very clear from the draft. While your explanation is good - there may be folks who will try to include all remote prefixes as this sub-TLV is mandatory. I guess if instead of all zero's you make it also optional the room for bad encoding becomes smaller. But let's assume that you have two different IPSec encapsulation requirements A & B for the same local prefix C and two different remote prefixes pA & pB. How would you encode it in the single update msg ? Thx, R. On Fri, Mar 8, 2019 at 10:31 PM Hu, Jun (Nokia - US/Mountain View) < jun.hu@nokia.com> wrote: > Thanks for reviewing the draft; > > In your example (500 routers), R2 doesn’t necessary need to advertise 500 > remote prefixes because if R2 doesn’t have 500 different types IPsec > encapsulation requirements for the NLRI, what it could do it just include a > single all-zero remote prefix, means traffic from any source destined to > this NLRI should use this particular IPsec tunnel encapsulation config; > and I would expect using all-zero remote prefix would be the common use > case; > > > > *From:* Robert Raszuk <robert@raszuk.net> > *Sent:* Friday, March 8, 2019 12:49 PM > *To:* Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com> > *Cc:* idr@ietf. org <idr@ietf.org> > *Subject:* draft-hujun-idr-bgp-ipsec > > > > Hi, > > > > I have read your proposal and have one question. > > > > The proposed encoding of additional sub-TLVs define local and remote > prefixes as traffic selectors. Looks great in your example of two end > points only. But introduction talks about scale so let's consider scale > factor. > > > > Assume you have 500 routers in the domain. > > > > When you advertise subnet B or C from R2 now you need to include in > mandatory Remote prefix sub-TLV 500 ingress prefixes as for each subnet > advertised you can only send it once in BGP. Then each ingress PE receiving > this huge list would need now to store all 500 ingress ACLs (mappings to > IPSec tunnels) where in fact perhaps realistically only one or two ingress > traffic subnets may ever be traversing via given edge router. > > > > And 500 is just following your example where ingress prefixes are directly > attached to ingress router (subnet A to R1). There can be valid mapping > cases where such sources are not directly attached. > > > > This really does not look at all efficient and is prone to generate a lot > of unnecessary state directly proportional to network size or expected > incoming src prefix number. > > > > If you really would like to use p2mp protocol for this configuration push > I would recommend to leave the current Tunnel Encapsulation Attribute > unchanged and simply propose to define a new SAFI with proper NLRI syntax > that it is precisely efficient to the very application you describe. > > > > Effectively what you are proposing is to carry in BGP src+dst based > mapping to IPSec tunnel deeply embedding this into sub-TLVs of tunnel > encapsulation attribute. > > > > In principle I agree that we do see more and more use cases for src+dst > based IP lookups both for native forwarding and with some form of > encapsulation but the proposed nested and not efficient encoding IMO > requires to be modified to work well in the assumed large scale. > > > > Thx a lot, > > R. > > > > > > > > > > > > > > >
- [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)
- Re: [Idr] draft-hujun-idr-bgp-ipsec Robert Raszuk
- Re: [Idr] draft-hujun-idr-bgp-ipsec Hu, Jun (Nokia - US/Mountain View)