IETF Logo Mail Archive

Re: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties

"Ali Sajassi (sajassi)" <sajassi@cisco.com> Mon, 01 July 2019 06:39 UTC

Return-Path: <sajassi@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3C75120256 for <idr@ietfa.amsl.com>; Sun, 30 Jun 2019 23:39:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.4
X-Spam-Level:
X-Spam-Status: No, score=-14.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=GFpG3Jlp; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=N2ZBqcqv
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N0pL8ngCli6b for <idr@ietfa.amsl.com>; Sun, 30 Jun 2019 23:39:10 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 172A6120234 for <idr@ietf.org>; Sun, 30 Jun 2019 23:39:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=259763; q=dns/txt; s=iport; t=1561963149; x=1563172749; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=lcanrw1lU1lx2xOAeJpzqBha6sg4l4IunO3naLsarp0=; b=GFpG3JlpXCBKNiZRpIOxtTPYsW0DHmdpe3oiBbAsjfQr01b8slu90/7/ DQYjL7IXpbspFp+5vBsOweHxzDTlsvgwAjQr520PZpTB7J6FvcbV2CRws UmbFMM01rI2riccl6F4pTF++3k2aQDQXrJ9oYgoP2upAsxjE6Zq3rkNWu s=;
X-Files: image001.png, image002.png : 82710, 71339
IronPort-PHdr: 9a23:zz9YfhTBDB54b9QKxYfFR9kHcdpsv++ubAcI9poqja5Pea2//pPkeVbS/uhpkESXBdfA8/wRje3QvuigQmEG7Zub+FE6OJ1XH15g640NmhA4RsuMCEn1NvnvOjczHs1ZT15N9HCgOk8TE8H7NBXf
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ChBAD0qRld/5pdJa2GdASWd6ZEDwWLMIYROrZqjzI
X-IronPort-AV: E=Sophos;i="5.63,437,1557187200"; d="png'150?scan'150,208,217,150";a="585337071"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 01 Jul 2019 06:39:07 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id x616d7WH012593 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 1 Jul 2019 06:39:08 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 1 Jul 2019 01:39:07 -0500
Received: from xhs-aln-003.cisco.com (173.37.135.120) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 1 Jul 2019 01:39:06 -0500
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 1 Jul 2019 01:39:06 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TBebzd+AhN5XXBZ8wiJPpKOxyCXmfT4noIejgDescYc=; b=N2ZBqcqvjt5mwuHgzQ7C7vmXsTDFpOgFmpRSS866SV1aBViU3YejGVYaEN4SgDiwT2QWkb1/W4u5ttbSajH+L+NfPzw/kaqH9rdyBMq1+uqjTEaiEfUgaROo+GUow1nnQR7veTQ8K66mf+AhPLo5/zPpelS5kK7iKO1g1IRgheI=
Received: from BYAPR11MB3703.namprd11.prod.outlook.com (20.178.237.220) by BYAPR11MB2968.namprd11.prod.outlook.com (20.177.224.31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2032.17; Mon, 1 Jul 2019 06:39:05 +0000
Received: from BYAPR11MB3703.namprd11.prod.outlook.com ([fe80::4ca0:1d8d:a720:2ca9]) by BYAPR11MB3703.namprd11.prod.outlook.com ([fe80::4ca0:1d8d:a720:2ca9%5]) with mapi id 15.20.2032.019; Mon, 1 Jul 2019 06:39:05 +0000
From: "Ali Sajassi (sajassi)" <sajassi@cisco.com>
To: Linda Dunbar <linda.dunbar@futurewei.com>, "idr@ietf.org" <idr@ietf.org>
Thread-Topic: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties
Thread-Index: AdUtPjQZBxvBfPhSTlipZ74SwoimTQABjpGAACCLVvD//7G0AP//duuQ//7fX8CABaTHgA==
Date: Mon, 01 Jul 2019 06:39:05 +0000
Message-ID: <F2833610-8A79-424E-9989-ECBF75632492@cisco.com>
References: <MN2PR13MB35827C9D8B4F6E09577D7A7185FD0@MN2PR13MB3582.namprd13.prod.outlook.com> <DA6ED6BC-0221-4E06-B049-3F8C2254DB88@cisco.com> <MN2PR13MB3582DAAAFB3E6F67C917A80585FC0@MN2PR13MB3582.namprd13.prod.outlook.com> <6E041D15-2214-4F5B-B30A-51D12466A1FF@cisco.com> <MN2PR13MB3582FF82EE3E77370FDCE60E85FC0@MN2PR13MB3582.namprd13.prod.outlook.com> <MN2PR13MB358214EFADCACA8AB5A43B2685FC0@MN2PR13MB3582.namprd13.prod.outlook.com>
In-Reply-To: <MN2PR13MB358214EFADCACA8AB5A43B2685FC0@MN2PR13MB3582.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1a.0.190609
authentication-results: spf=none (sender IP is ) smtp.mailfrom=sajassi@cisco.com;
x-originating-ip: [128.107.241.183]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ae96d72a-34c2-4064-4163-08d6fdeed008
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(49563074)(7193020); SRVR:BYAPR11MB2968;
x-ms-traffictypediagnostic: BYAPR11MB2968:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <BYAPR11MB29684F14D5D8DCD395FC928AB0F90@BYAPR11MB2968.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 00851CA28B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(376002)(396003)(346002)(39860400002)(366004)(199004)(189003)(73956011)(86362001)(66576008)(316002)(58126008)(5024004)(14454004)(68736007)(6246003)(256004)(76116006)(66446008)(64756008)(66556008)(66476007)(66946007)(36756003)(66574012)(71190400001)(606006)(486006)(236005)(66066001)(102836004)(11346002)(71200400001)(14444005)(478600001)(476003)(53546011)(81156014)(81166006)(6506007)(7736002)(2906002)(2616005)(54556002)(8676002)(53936002)(76176011)(99286004)(33656002)(229853002)(54896002)(6512007)(5660300002)(99936001)(186003)(26005)(2501003)(9326002)(3846002)(6486002)(790700001)(25786009)(6116002)(6436002)(733005)(110136005)(8936002)(446003)(6306002)(966005); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR11MB2968; H:BYAPR11MB3703.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: xhlltGzr8bZqc4ZjPVfTMTq7bI5ph+Bs61LJ6vRrHwD6UxXSLq7qoayqe5qo8fHaJcM/CVIGn9pH8AU4IfmCKk2TYY0yeQvZkfrPwCWs9YyIIYz3aSd0j1+2rWdi3OkSZUEavGI05IpxMpIHe0nILVM0jdd7/T3o0LXrqkvA/bdMM/mW2IM4WAIyji1Wv1tUh+5dujJo63zmKoo0B/+OGWgpycCQEwJXQHFBAX/amsU3tTSq09Q4/BxiUno/gqCMsoDOvHs7aszeVeyu3jxujDM5e6RypDlBRx23XrQdm77cNjOfgvUYHRYCEUblEsxjrph5L6zfskSoA9vigx4XLDBKeLfhpLovEu6R7tW/87tD9tX5eyZHBFiJ3BH25YLQIY8KCl/a88oo/wFgCnwvHZngD3FRRLXNj/qjfYX1tQQ=
Content-Type: multipart/related; boundary="_005_F28336108A79424E9989ECBF75632492ciscocom_"; type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: ae96d72a-34c2-4064-4163-08d6fdeed008
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Jul 2019 06:39:05.2510 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sajassi@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB2968
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.15, xch-rcd-005.cisco.com
X-Outbound-Node: rcdn-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/fPwAreqsZkA4y-1f5kLiGjVk1gg>
Subject: Re: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jul 2019 06:39:17 -0000

Hi Linda,

Both updates don’t need to have the P route in the NLRI field. For example, R2 can advertise tenant’s route P with next hop of X in update-1. And then advertise route X with BGP NH Y in update-2 along with the desired tunnel encap. When R1 receives these two updates, it will recurses P-> X -> Y and it inherits the tunnel attribute advertised with U2 for P. Recursive route resolution is one way of doing this. The other ways of doing it, are local policy and coloring.

Cheers,
Ali

From: Linda Dunbar <linda.dunbar@futurewei.com>
Date: Friday, June 28, 2019 at 12:57 PM
To: Cisco Employee <sajassi@cisco.com>, "idr@ietf.org" <idr@ietf.org>
Subject: RE: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties

Ali,

Is it correct that Both UPDATE-1 and UPDATE-2 have the route “P” in the NLRI field?

Linda

From: Linda Dunbar
Sent: Friday, June 28, 2019 2:36 PM
To: Ali Sajassi (sajassi) <sajassi@cisco.com>; idr@ietf.org
Subject: RE: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties

Hi Ali,

So, R1 receives two BGP UPDATE messages from R2 for the route “P”:

  *   UPDATE-1 doesn’t have encap information and
  *   UPDATE-2 have the encap information.
  *   BGP NH of U1 is sent in U2

How does R1 propagate its WAN ports properties to RR (Controller)?

Linda

From: Ali Sajassi (sajassi) <sajassi@cisco.com<mailto:sajassi@cisco.com>>
Sent: Friday, June 28, 2019 12:52 PM
To: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>; idr@ietf.org<mailto:idr@ietf.org>
Subject: Re: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties


Hi Linda,

I think you may be not reading section 7 quite correctly. Packet P is forwarded by R1 to R2. Both updates U1 and U2 are sent by R2 to R1. What section 7 says is that there is no need for both of these updates to carry the Tunnel Encap attribute. In this example U1 doesn’t carry the attribute and the BGP NH of U1 is sent in U2 with the attribute. The recursive route resolution takes care of the tunnel attribute for U1 because U1 recurses to U2 and U2 has the attribute. As I mentioned earlier there are several different ways specified in [Tunnel-Encap] for not sending the attribute with every routes and they are:

  1.  Recursive resolution
  2.  Coloring
  3.  Local policy

With respect to the example you provided, instead of writing a lengthy email on that here, let me add a section to my document to explain how this scenario is taken care of by the tunnel-encap attribute.

Cheers
Ali



From: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Date: Friday, June 28, 2019 at 9:57 AM
To: Cisco Employee <sajassi@cisco.com<mailto:sajassi@cisco.com>>, "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>
Subject: RE: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties

Ali,

Thank you very much for the comments. A few more questions on your suggestions.

You said
“The Tunnel-Encap attribute does NOT need to be sent along with each tenant’s route”.

Then what will be the “route” in the UPDATE message?
Per RFC4271, An UPDATE message is used to advertise feasible routes that share common path attributes to a peer.

You stated in another email using  [Tunnel-encap] “recursive resolution and coloring” to propagate the WAN ports properties to RR (Controller). The Section 7 of Tunnel-encap Recursive Next Hop Resolution is about how R2 advertises route “P” on behalf of R1 which doesn’t support Encapsulation, or allowing nested tunnels:

[cid:image003.png@01D52DA8.A2765F80]


Can you elaborate how to  [Tunnel-encap] “recursive resolution and coloring” to propagate the WAN ports properties to RR (Controller)?

For SDWAN scenario (Figure below), the C-PE-1 needs to do two separate actions:

  1.  advertise to the SDWAN Ctrl on this WAN port A1 & A2 properties: A1 is assigned with private address, and A2 is connected to MPLS (e.g. AWS Direct Connect port)



  1.  Advertise the client routes attached to C-PE-1 to SDWAN Ctrl.



[cid:image004.png@01D52DA8.A2765F80]

I re-read the Section 7 (suggested by your other email), but still can’t figure out. Any help would be greatly appreciated.

Thank you very much.

Linda
From: Ali Sajassi (sajassi) <sajassi@cisco.com<mailto:sajassi@cisco.com>>
Sent: Friday, June 28, 2019 2:00 AM
To: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>; idr@ietf.org<mailto:idr@ietf.org>
Subject: Re: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties


Linda,

After the long thread we had on the topic of Tunnel-Encap, it should hopefully be clear by now that tunnel-encap can be used for your “WAN ports” and the property associated with a tunnel for these WAN ports can be signaled via the attribute. The Tunnel-Encap attribute does NOT need to be sent along with each tenant’s route and the [Tunnel-Encap] specified two way to do that: 1) recursive resolution and 2) coloring.  Furthermore, [Tunnel-Encap] allows you to setup multiple tunnels to a given end-point by advertising a single route along with the attribute for these tunnels. [Tunnel-Encap] does a nice job in providing examples for all of these.

Cheers,
Ali

From: Idr <idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>> on behalf of Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Date: Thursday, June 27, 2019 at 4:34 PM
To: "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>
Subject: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties

IDR Experts:

We would love to hear your feedback, criticism, or suggestion for https://datatracker.ietf.org/doc/draft-dunbar-idr-sdwan-port-safi/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dunbar-idr-sdwan-port-safi%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C59b6240d1b1c4aacaa7908d6fbf14891%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C636973411069791747&sdata=18GTypyArVnXkv5ybSRTi5rLNx6SBPl7yRYmfz5gu64%3D&reserved=0>

The document specifies a new BGP NLRI and SAFI for advertising WAN ports properties of a SDWAN edge node. SDWAN edge node’s WAN ports may face untrusted networks, such as the public internet, may get assigned IP addresses from the Internet Service Providers (ISPs), may get assigned dynamic IP addresses via DHCP, or may have private addresses (e.g. inside third party Cloud DCs). Packets forwarded through those SDWAN WAN ports might need to be encrypted (depending on the user policies) or need to go through NAT. SDWAN edge nodes need to propagate those WAN ports properties to the peers who are authorized to communicate across different types of underlay networks including the untrusted networks.

Many people have suggested using the SAFI/NLRI used by draft-ietf-idr-tunnel-encaps-12. Here is why Tunnel-Encap is not enough:


  *   Tunnel-Encap draft describes how to construct a BGP UPDATE messages that advertise endpoints’ tunnel encapsulation capability and the respective attached client routes, so that the receivers of the BGP UPDATE can establish appropriate tunnels with the endpoints for the client routes. Tunnel-encap has a “Remote endpoint subTLV” for controller to advertise a node’s encapsulation capabilities.   The receivers of the Tunnel UPDATE would construct the encapsulation header with the Outer Destination Address equal to the address carried in the “Remote Endpoint sub-TLV”..
  *   The Tunnel-Encap draft doesn’t cover the SDWAN Edge WAN ports properties advertisement propagation, especially over untrusted networks.
  *   The addresses advertised by Tunnel-Encap UPDATE are the addresses of client routes reachable via the advertised encapsulation headers. The Address Family for the WAN ports of SDWAN Edge is totally different address family. The goal is to register the WAN port properties to its respective controller. Therefore, it is cleaner, less processing on receivers for implementation, and less error prone to have a different NLRI for WAN ports properties registration than re-using client route NLRI.

Greatly appreciate feedback and criticisms.

Thank you
Linda

v2.23.0 | Report a Bug | By Email