[Idr] advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.

Linda Dunbar <linda.dunbar@huawei.com> Wed, 06 March 2019 15:55 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B37671279A0 for <idr@ietfa.amsl.com>; Wed, 6 Mar 2019 07:55:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.289
X-Spam-Level:
X-Spam-Status: No, score=-2.289 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TDo6Q52Mmp5q for <idr@ietfa.amsl.com>; Wed, 6 Mar 2019 07:55:17 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BA4E12AF7E for <idr@ietf.org>; Wed, 6 Mar 2019 07:55:17 -0800 (PST)
Received: from lhreml703-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id CC850446C175331F72D1 for <idr@ietf.org>; Wed, 6 Mar 2019 15:55:14 +0000 (GMT)
Received: from SJCEML702-CHM.china.huawei.com (10.208.112.38) by lhreml703-cah.china.huawei.com (10.201.108.44) with Microsoft SMTP Server (TLS) id 14.3.408.0; Wed, 6 Mar 2019 15:55:14 +0000
Received: from SJCEML521-MBS.china.huawei.com ([169.254.2.29]) by SJCEML702-CHM.china.huawei.com ([169.254.4.10]) with mapi id 14.03.0415.000; Wed, 6 Mar 2019 07:55:08 -0800
From: Linda Dunbar <linda.dunbar@huawei.com>
To: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>, "idr@ietf.org" <idr@ietf.org>
CC: "shares@ndzh.com" <shares@ndzh.com>
Thread-Topic: advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.
Thread-Index: AdTUNMBwOFNYhyoITy27A3Y11MvQyA==
Date: Wed, 06 Mar 2019 15:55:08 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B2E8D3F@sjceml521-mbs.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.192.11.84]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F66B2E8D3Fsjceml521mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/k0HMyIJxgYBCF8GSGZscpjRlIhk>
Subject: [Idr] advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet.
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 15:55:20 -0000

Jun and IDR group,

We also submitted a draft for using BGP to propagate SDWAN WAN ports properties (including IPsec properties). Hope we can discuss more in IETF 104 to find a common ground.

https://datatracker.ietf.org/doc/draft-dunbar-idr-sdwan-port-safi/

Abstract
The document specifies a new BGP NLRI and SAFI for advertising properties of a SD-WAN edge node WAN ports that face untrusted networks, such as the public internet. Those WAN ports may get assigned IP addresses from the Internet Service Providers (ISPs), may get assigned dynamic IP addresses via DHCP, or may have private addresses (e.g. inside third party Cloud DCs). Packets sent over those SDWAN WAN ports might need to be encrypted (depending on the user policies) or need to go through NAT. SD-WAN edge need to propagate those WAN ports properties to its SDWAN controller, which propagates to the authorized peers and manage the IPsec SAs among those peers for encrypting traffic via the untrusted networks.
BGP Route Reflectors (RR) are proposed as points of combination for this information in order to allow scaling of the SDWAN.


Linda Dunbar


From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of Hu, Jun (Nokia - US/Mountain View)
Sent: Tuesday, March 05, 2019 9:42 PM
To: idr@ietf.org
Cc: shares@ndzh.com
Subject: [Idr] draft-hujun-idr-bgp-ipsec-00

Hi,
I submitted following draft:

URL:            https://www.ietf.org/internet-drafts/draft-hujun-idr-bgp-ipsec-00.txt

Htmlized:       https://tools.ietf.org/html/draft-hujun-idr-bgp-ipsec-00


This document defines a method of using BGP to signal IPsec tunnel configuration along with NLRI, it uses and extends tunnel encapsulation attribute as specified in [I-D.ietf-idr-tunnel-encaps<https://tools.ietf.org/html/draft-hujun-idr-bgp-ipsec-00#ref-I-D.ietf-idr-tunnel-encaps>] for IPsec tunnel.

Review and comments are greatly appreciated!

Thanks
---------
Hu Jun, ION Nokia