Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?

Eric C Rosen <erosen@juniper.net> Tue, 10 July 2018 15:13 UTC

To: Linda Dunbar <linda.dunbar@huawei.com>, Jeff Tantsura <jefftant.ietf@gmail.com>, "idr@ietf.org" <idr@ietf.org>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
References: <78D707C9-6DC2-459F-81E4-A53B46F1F019@gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B0A8BCC@sjceml521-mbs.china.huawei.com>
From: Eric C Rosen <erosen@juniper.net>
Message-ID: <e0782033-0031-163f-de07-c055b4322efd@juniper.net>
Date: Tue, 10 Jul 2018 11:13:05 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.0
MIME-Version: 1.0
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B0A8BCC@sjceml521-mbs.china.huawei.com>
Content-Type: multipart/alternative; boundary="------------80F6F99B07E14A813365BAF6"
Content-Language: en-US
Received-SPF: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Jul 2018 15:13:09.8476 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: c15a5579-02cf-450f-55c7-08d5e677a645
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR0501MB3866
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-10_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807100162
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/fjY2TNwmORZaSos8-sMSIVTe1OE>
Subject: Re: [Idr] Possible to set up priority for Tunnels established by draft-ietf-idr-tunnel-encaps-09 ?
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 15:13:33 -0000

On 7/9/2018 4:28 PM, Linda Dunbar wrote:
> We would like to use RR as controller to distribute more detailed 
> tunnel information, such as IPsec configuration & keys because in 
> managed large scale Overlay deployment (SD-WAN), it doesn’t scale to 
> allow all CPEs to negotiate IPsec keys. 

When first working on RFC 5566, I proposed a number of sub-TLVs that 
could be used to convey information about how to set up the IPsec 
Security Associations.  None of thes survived review by the security 
experts.  Setting up the Security Associations is the job of IKEv2. If 
you want to replace IKEv2 with BGP, you'll need a thorough security 
analysis of your proposed mechanism.

One might think it is okay to have BGP UPDATEs carry secret keys , as 
long as the UPDATEs only travel on sessions that are protected by 
IPsec.  I wouldn't necessarily assume that, as BGP UPDATEs have been 
known to leak (intentionally or unintentionally) beyond their intended 
scope.

Re: [Idr] Possible to set up priority for Tunnels… Eric C Rosen
Re: [Idr] Possible to set up priority for Tunnels… Eric C Rosen
Re: [Idr] Possible to set up priority for Tunnels… Linda Dunbar
Re: [Idr] Possible to set up priority for Tunnels… Keyur Patel
Re: [Idr] Possible to set up priority for Tunnels… Robert Raszuk
Re: [Idr] Possible to set up priority for Tunnels… Robert Raszuk
Re: [Idr] Possible to set up priority for Tunnels… Linda Dunbar
Re: [Idr] Possible to set up priority for Tunnels… Jeff Tantsura
Re: [Idr] Possible to set up priority for Tunnels… Robert Raszuk
Re: [Idr] Possible to set up priority for Tunnels… Linda Dunbar
Re: [Idr] Possible to set up priority for Tunnels… Jeff Tantsura
Re: [Idr] Possible to set up priority for Tunnels… Linda Dunbar
Re: [Idr] Possible to set up priority for Tunnels… Jeff Tantsura
[Idr] Possible to set up priority for Tunnels est… Linda Dunbar
Re: [Idr] Possible to set up priority for Tunnels… Robert Raszuk
Re: [Idr] Possible to set up priority for Tunnels… Linda Dunbar
Re: [Idr] Possible to set up priority for Tunnels… Robert Raszuk
Re: [Idr] Possible to set up priority for Tunnels… Linda Dunbar
Re: [Idr] Possible to set up priority for Tunnels… Linda Dunbar