Re: [Idr] draft-dunbar-idr-sdwan-port-safi address the WAN Port property registration that is not covered by Ali's SECURE-EVPN

Robert Raszuk <robert@raszuk.net> Tue, 26 March 2019 23:14 UTC

References: <4A95BA014132FF49AE685FAB4B9F17F66B33C11A@sjceml521-mbs.china.huawei.com>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B33C11A@sjceml521-mbs.china.huawei.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Wed, 27 Mar 2019 00:14:19 +0100
Message-ID: <CAOj+MMFXESNVmTC_SabEnF2K=BRN9S7+xC=ovcjDA_s3GAef9Q@mail.gmail.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Cc: "Ali Sajassi (sajassi)" <sajassi@cisco.com>, idr wg <idr@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/e7HOjNggyO290QlOiaqUqisLrek>

Hi Linda,

> Your draft-sajassi-bess-secure-evpn-01 doesn’t cover the following
> important features for SD-WAN

Please observe that while you may be correct in the observation made below
your proposal is realistically also nowhere near to what SDWAN needs to
truly operate.

Just think about SLA probing (both triggering path selection based on
dynamically signaled parameters by controller as well as reporting the
results to controller, think about managing the endpoints, doing upgrades,
performing endpoint debugging, think about OAM required for overlay and
underlay probing from each end point etc ... ) do you think all of this
really belongs in BGP ?

See, any decent SDWAN deployment, to succeed, is way much more complex than
discovering endpoints and setting IPSec between them.

Now please also think what happens if you discover unauthorized/spoof
endpoints ....

Kind regards,
R.

On Tue, Mar 26, 2019 at 11:32 PM Linda Dunbar <linda.dunbar@huawei.com>
wrote:

>
> Ali,
>
> After my presentation of draft-dunbar-idr-sdwan-port-safi, you stated at
> the microphone that your draft-sajassi-bess-secure-evpn-01 can cover what
> is presented.
>
> Your draft-sajassi-bess-secure-evpn-01 doesn’t cover the following
> important features for SD-WAN:
>
> Since SDWAN edge node (virtual or physical) deployment at a specific
> location can be ephemeral, Zero Touch Provisioning (ZTP) is a common
> requirement, which includes the SDWAN node registering the properties of its
> WAN ports facing the public internet to its controller upon power up,
> whereas PE’s WAN ports are pre-configured. An SD-WAN node can have multiple
> WAN ports: some egress to a private network through which traffic can
> traverse natively without encryption, and some ports egress to a public
> network through which traffic has to be encrypted. Client’s routes can
> egress to either WAN ports facing the private network or WAN ports facing the
> public internet depending on the client-specified policy and the feedback
> from the WAN traffic monitoring functions.
>
> draft-dunbar-idr-sdwan-port-safi is for advertising the properties of
> SDWAN edge node WAN ports that face untrusted networks, such as the public
> internet. Those WAN ports may get assigned IP addresses from the Internet
> Service Providers (ISPs), may get assigned dynamic IP addresses via DHCP,
> or may have private addresses (e.g. inside third party Cloud DCs). Packets
> sent over those SDWAN WAN ports might need to be encrypted (depending on
> the user policies) or need to go through NAT. The newly proposed NLRI is
> for this purpose.
>
> Best Regards,
>
> Linda
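The following is an added example, not code from either message and not the NLRI encoding of draft-dunbar-idr-sdwan-port-safi. It models the behaviour Linda's message describes (an edge registers its WAN-port properties with a controller; client routes are steered to a private-facing or public-facing port by policy plus traffic-monitoring feedback, with encryption mandatory on the untrusted side and NAT traversal for ports holding private addresses) and applies Robert's closing point on the controller side: a registration from an endpoint that has not authenticated, or that is not on the authorized-node list, is refused rather than installed. The `WanPort` fields, the `PortRegistry` API, the policy keys and the sample node names and addresses are all constructed assumptions.

```python
"""Illustrative SD-WAN WAN-port registry and egress policy (added example).

Field names, the registry API and the policy keys are assumptions; the real
draft-dunbar-idr-sdwan-port-safi NLRI encoding is not modelled here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class WanPort:
    node_id: str                   # edge node advertising the port (assumed field)
    port_id: str
    facing: str                    # "private" (trusted WAN) or "public" (untrusted)
    address: str                   # ISP- or DHCP-assigned, or a private address
    behind_nat: bool = False       # private address, e.g. inside a cloud DC


@dataclass(frozen=True)
class Registration:
    port: WanPort
    authenticated: bool            # did the node prove its identity to the controller?


class PortRegistry:
    """Controller-side table of WAN ports; only authenticated, authorized nodes register."""

    def __init__(self, authorized_nodes: List[str]):
        self.authorized = set(authorized_nodes)
        self.ports: Dict[Tuple[str, str], WanPort] = {}
        self.rejected: List[Tuple[str, str, str]] = []

    def register(self, reg: Registration) -> bool:
        p = reg.port
        # An advertisement that merely claims a node identity is not enough:
        # unauthenticated or unknown endpoints are recorded and dropped.
        if not reg.authenticated:
            self.rejected.append((p.node_id, p.port_id, "unauthenticated"))
            return False
        if p.node_id not in self.authorized:
            self.rejected.append((p.node_id, p.port_id, "unauthorized node"))
            return False
        if p.facing not in ("private", "public"):
            self.rejected.append((p.node_id, p.port_id, "unknown facing"))
            return False
        self.ports[(p.node_id, p.port_id)] = p
        return True

    def ports_of(self, node_id: str) -> List[WanPort]:
        return [p for (n, _), p in self.ports.items() if n == node_id]


def select_egress(registry: PortRegistry, node_id: str,
                  policy: Dict[str, bool], sla_ok: Dict[str, bool]) -> Optional[dict]:
    """Pick an egress port for a client route.

    policy: 'allow_public' (may use untrusted ports at all), 'encrypt_private'
            (encrypt even on the private WAN; default False). Public WAN is always encrypted.
    sla_ok: port_id -> whether the traffic monitor currently reports the SLA as met.
    Returns a plan dict, or None when no usable port exists.
    """
    candidates = registry.ports_of(node_id)
    # Prefer a private-facing port that meets SLA: native forwarding is allowed there.
    for p in candidates:
        if p.facing == "private" and sla_ok.get(p.port_id, False):
            return {"port": p.port_id, "encrypt": policy.get("encrypt_private", False),
                    "nat_traversal": False}
    # Fall back to a public-facing port only if policy allows; traffic must be
    # encrypted, and a port holding a private address needs NAT traversal.
    if policy.get("allow_public", False):
        for p in candidates:
            if p.facing == "public" and sla_ok.get(p.port_id, False):
                return {"port": p.port_id, "encrypt": True, "nat_traversal": p.behind_nat}
    return None


def demo() -> dict:
    """Constructed scenario: one legitimate edge with two ports, one spoofed registration."""
    reg = PortRegistry(authorized_nodes=["edge-1"])
    ok_priv = reg.register(Registration(WanPort("edge-1", "wan0", "private", "10.0.0.2"), True))
    ok_pub = reg.register(Registration(
        WanPort("edge-1", "wan1", "public", "192.0.2.7", behind_nat=True), True))
    # Spoofed: claims edge-1's identity but never authenticated to the controller.
    spoof = reg.register(Registration(WanPort("edge-1", "wan9", "public", "198.51.100.9"), False))
    policy = {"allow_public": True}
    plan_ok = select_egress(reg, "edge-1", policy, {"wan0": True, "wan1": True})
    plan_degraded = select_egress(reg, "edge-1", policy, {"wan0": False, "wan1": True})
    return {"registered": (ok_priv, ok_pub, spoof), "rejected": reg.rejected,
            "plan_ok": plan_ok, "plan_degraded": plan_degraded}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the private port chosen unencrypted while its SLA holds, the public NAT-ed port chosen with encryption once the private SLA fails, and the spoofed registration left in `rejected` instead of the port table; the rejection log is the place a controller would alert on.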