IETF Logo Mail Archive

Re: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties

Linda Dunbar <linda.dunbar@futurewei.com> Fri, 28 June 2019 19:35 UTC

Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFA78120897 for <idr@ietfa.amsl.com>; Fri, 28 Jun 2019 12:35:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L0RlkGKPesfG for <idr@ietfa.amsl.com>; Fri, 28 Jun 2019 12:35:41 -0700 (PDT)
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (mail-eopbgr720096.outbound.protection.outlook.com [40.107.72.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBFE612087B for <idr@ietf.org>; Fri, 28 Jun 2019 12:35:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dMASywszU1hBsZwEnED1uSn/lnawU33/pu+hCCU8n2I=; b=FwuVsiu0Id1kq8ePNd6kHkazODGHa3YnzBhAnC+LtAygmjVxYzfz5am1qxTBuDaa2+5dtVDx3uSHm2vn9RWGjSAJbQelVTjFB52g1TzsVqn6UtJ/D0QgUC/0kko8zK1ThMnUfPWpOFvA+DiztDaMdUgWqlc6PVUCDyMKKPwFpwE=
Received: from MN2PR13MB3582.namprd13.prod.outlook.com (10.255.238.139) by MN2PR13MB3520.namprd13.prod.outlook.com (10.255.237.213) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2032.12; Fri, 28 Jun 2019 19:35:38 +0000
Received: from MN2PR13MB3582.namprd13.prod.outlook.com ([fe80::a8cd:e9ef:5219:67ea]) by MN2PR13MB3582.namprd13.prod.outlook.com ([fe80::a8cd:e9ef:5219:67ea%6]) with mapi id 15.20.2032.012; Fri, 28 Jun 2019 19:35:38 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: "Ali Sajassi (sajassi)" <sajassi@cisco.com>, "idr@ietf.org" <idr@ietf.org>
Thread-Topic: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties
Thread-Index: AdUtPjQZBxvBfPhSTlipZ74SwoimTQABjpGAACCLVvD//7G0AP//duuQ
Date: Fri, 28 Jun 2019 19:35:38 +0000
Message-ID: <MN2PR13MB3582FF82EE3E77370FDCE60E85FC0@MN2PR13MB3582.namprd13.prod.outlook.com>
References: <MN2PR13MB35827C9D8B4F6E09577D7A7185FD0@MN2PR13MB3582.namprd13.prod.outlook.com> <DA6ED6BC-0221-4E06-B049-3F8C2254DB88@cisco.com> <MN2PR13MB3582DAAAFB3E6F67C917A80585FC0@MN2PR13MB3582.namprd13.prod.outlook.com> <6E041D15-2214-4F5B-B30A-51D12466A1FF@cisco.com>
In-Reply-To: <6E041D15-2214-4F5B-B30A-51D12466A1FF@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=linda.dunbar@futurewei.com;
x-originating-ip: [12.111.81.95]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 776d5073-6f2a-40a8-cfd7-08d6fbffcc76
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(49563074)(7193020); SRVR:MN2PR13MB3520;
x-ms-traffictypediagnostic: MN2PR13MB3520:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <MN2PR13MB35202E9B375311E397324C5885FC0@MN2PR13MB3520.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 00826B6158
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(136003)(396003)(366004)(346002)(376002)(39850400004)(199004)(189003)(9686003)(74316002)(3846002)(486006)(54896002)(733005)(236005)(5024004)(606006)(2906002)(54556002)(6116002)(14444005)(86362001)(55016002)(7696005)(6436002)(6246003)(53936002)(6306002)(229853002)(11346002)(71200400001)(25786009)(446003)(14454004)(71190400001)(73956011)(478600001)(2501003)(66946007)(256004)(52536014)(66576008)(5660300002)(76176011)(790700001)(7736002)(66446008)(476003)(9326002)(66066001)(64756008)(66476007)(316002)(966005)(66556008)(110136005)(44832011)(81156014)(76116006)(33656002)(8936002)(68736007)(81166006)(186003)(8676002)(99936001)(99286004)(102836004)(6506007)(66574012)(26005)(53546011); DIR:OUT; SFP:1102; SCL:1; SRVR:MN2PR13MB3520; H:MN2PR13MB3582.namprd13.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: futurewei.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: PbyFn8Gm6PJqY6LVlyZ09GlAlk3gF55ythfMQm5WpupR70+rCFTyIBAbypeHPmAX0xOSoWbnDIGkSOYQSguuRAmyU0ITyb0TB4U2YX8tE8dZMYxNV91O8jufvKNzieCuxl04HmcD0+LwRIXDPenQ2CFG44pFmpsNq5dz0OfZ8UwI5Xz1XgcJBbKDk30eDn3ApEonkk2s3818edARv5/iGXaB4fL6ySoryuoAIsfvTLo8APB7QIZFFUJKhoKJ30f70j1BpwSewYCQHxBeI5+HFazl4V1j8L36oXTxJo7tpYphqtPH/7dPyE0zE05wov5pGqfJu/nqhQpi76ubfGTke8ltMwcwHHi4g1cmmxIyukFKghVb5XjdK78IDUb4SZIDckIl7hbkE57KSvwDoQLEj8tbMpWNR596bV1DcIERZ70=
Content-Type: multipart/related; boundary="_005_MN2PR13MB3582FF82EE3E77370FDCE60E85FC0MN2PR13MB3582namp_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 776d5073-6f2a-40a8-cfd7-08d6fbffcc76
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jun 2019 19:35:38.3445 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ldunbar@futurewei.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR13MB3520
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/uen9Gs6NQxA5K9v2M9ilSVF1w3Q>
Subject: Re: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2019 19:35:46 -0000

Hi Ali,

So, R1 receives two BGP UPDATE messages from R2 for the route “P”:

  *   UPDATE-1 doesn’t have encap information and
  *   UPDATE-2 have the encap information.
  *   BGP NH of U1 is sent in U2

How does R1 propagate its WAN ports properties to RR (Controller)?

Linda

From: Ali Sajassi (sajassi) <sajassi@cisco.com>
Sent: Friday, June 28, 2019 12:52 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>; idr@ietf.org
Subject: Re: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties


Hi Linda,

I think you may be not reading section 7 quite correctly. Packet P is forwarded by R1 to R2. Both updates U1 and U2 are sent by R2 to R1. What section 7 says is that there is no need for both of these updates to carry the Tunnel Encap attribute. In this example U1 doesn’t carry the attribute and the BGP NH of U1 is sent in U2 with the attribute. The recursive route resolution takes care of the tunnel attribute for U1 because U1 recurses to U2 and U2 has the attribute. As I mentioned earlier there are several different ways specified in [Tunnel-Encap] for not sending the attribute with every routes and they are:

  1.  Recursive resolution
  2.  Coloring
  3.  Local policy

With respect to the example you provided, instead of writing a lengthy email on that here, let me add a section to my document to explain how this scenario is taken care of by the tunnel-encap attribute.

Cheers
Ali



From: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Date: Friday, June 28, 2019 at 9:57 AM
To: Cisco Employee <sajassi@cisco.com<mailto:sajassi@cisco.com>>, "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>
Subject: RE: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties

Ali,

Thank you very much for the comments. A few more questions on your suggestions.

You said
“The Tunnel-Encap attribute does NOT need to be sent along with each tenant’s route”.

Then what will be the “route” in the UPDATE message?
Per RFC4271, An UPDATE message is used to advertise feasible routes that share common path attributes to a peer.

You stated in another email using  [Tunnel-encap] “recursive resolution and coloring” to propagate the WAN ports properties to RR (Controller). The Section 7 of Tunnel-encap Recursive Next Hop Resolution is about how R2 advertises route “P” on behalf of R1 which doesn’t support Encapsulation, or allowing nested tunnels:

[cid:image003.png@01D52DA8.A2765F80]


Can you elaborate how to  [Tunnel-encap] “recursive resolution and coloring” to propagate the WAN ports properties to RR (Controller)?

For SDWAN scenario (Figure below), the C-PE-1 needs to do two separate actions:

  1.  advertise to the SDWAN Ctrl on this WAN port A1 & A2 properties: A1 is assigned with private address, and A2 is connected to MPLS (e.g. AWS Direct Connect port)



  1.  Advertise the client routes attached to C-PE-1 to SDWAN Ctrl.



[cid:image004.png@01D52DA8.A2765F80]

I re-read the Section 7 (suggested by your other email), but still can’t figure out. Any help would be greatly appreciated.

Thank you very much.

Linda
From: Ali Sajassi (sajassi) <sajassi@cisco.com<mailto:sajassi@cisco.com>>
Sent: Friday, June 28, 2019 2:00 AM
To: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>; idr@ietf.org<mailto:idr@ietf.org>
Subject: Re: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties


Linda,

After the long thread we had on the topic of Tunnel-Encap, it should hopefully be clear by now that tunnel-encap can be used for your “WAN ports” and the property associated with a tunnel for these WAN ports can be signaled via the attribute. The Tunnel-Encap attribute does NOT need to be sent along with each tenant’s route and the [Tunnel-Encap] specified two way to do that: 1) recursive resolution and 2) coloring.  Furthermore, [Tunnel-Encap] allows you to setup multiple tunnels to a given end-point by advertising a single route along with the attribute for these tunnels. [Tunnel-Encap] does a nice job in providing examples for all of these.

Cheers,
Ali

From: Idr <idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>> on behalf of Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Date: Thursday, June 27, 2019 at 4:34 PM
To: "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>
Subject: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties

IDR Experts:

We would love to hear your feedback, criticism, or suggestion for https://datatracker.ietf.org/doc/draft-dunbar-idr-sdwan-port-safi/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dunbar-idr-sdwan-port-safi%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C59b6240d1b1c4aacaa7908d6fbf14891%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C636973411069791747&sdata=18GTypyArVnXkv5ybSRTi5rLNx6SBPl7yRYmfz5gu64%3D&reserved=0>

The document specifies a new BGP NLRI and SAFI for advertising WAN ports properties of a SDWAN edge node. SDWAN edge node’s WAN ports may face untrusted networks, such as the public internet, may get assigned IP addresses from the Internet Service Providers (ISPs), may get assigned dynamic IP addresses via DHCP, or may have private addresses (e.g. inside third party Cloud DCs). Packets forwarded through those SDWAN WAN ports might need to be encrypted (depending on the user policies) or need to go through NAT. SDWAN edge nodes need to propagate those WAN ports properties to the peers who are authorized to communicate across different types of underlay networks including the untrusted networks.

Many people have suggested using the SAFI/NLRI used by draft-ietf-idr-tunnel-encaps-12. Here is why Tunnel-Encap is not enough:


  *   Tunnel-Encap draft describes how to construct a BGP UPDATE messages that advertise endpoints’ tunnel encapsulation capability and the respective attached client routes, so that the receivers of the BGP UPDATE can establish appropriate tunnels with the endpoints for the client routes. Tunnel-encap has a “Remote endpoint subTLV” for controller to advertise a node’s encapsulation capabilities.   The receivers of the Tunnel UPDATE would construct the encapsulation header with the Outer Destination Address equal to the address carried in the “Remote Endpoint sub-TLV”..
  *   The Tunnel-Encap draft doesn’t cover the SDWAN Edge WAN ports properties advertisement propagation, especially over untrusted networks.
  *   The addresses advertised by Tunnel-Encap UPDATE are the addresses of client routes reachable via the advertised encapsulation headers. The Address Family for the WAN ports of SDWAN Edge is totally different address family. The goal is to register the WAN port properties to its respective controller. Therefore, it is cleaner, less processing on receivers for implementation, and less error prone to have a different NLRI for WAN ports properties registration than re-using client route NLRI.

Greatly appreciate feedback and criticisms.

Thank you
Linda

v2.23.0 | Report a Bug | By Email