Re: [Idr] Questions to draft-hujun-idr-bgp-ipsec-transport-mode-00.txt

"Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com> Mon, 18 November 2019 00:13 UTC

From: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
To: Linda Dunbar <linda.dunbar@futurewei.com>, "idr@ietf.org" <idr@ietf.org>
CC: 'Paul Wouters' <paul@nohats.ca>, 'Benjamin Kaduk' <kaduk@mit.edu>, Susan Hares <shares@ndzh.com>
Thread-Topic: [Idr] Questions to draft-hujun-idr-bgp-ipsec-transport-mode-00.txt
Thread-Index: AQHVnUXeTi6Fcz2VfkqEcnPI0amb46eQDFhQ
Date: Mon, 18 Nov 2019 00:12:56 +0000
Message-ID: <AM5PR0701MB235377784562F4337C535BE3954D0@AM5PR0701MB2353.eurprd07.prod.outlook.com>
References: <BN8PR13MB26282ECD078CCDC78208E15385720@BN8PR13MB2628.namprd13.prod.outlook.com> <BN8PR13MB26280D084B8C786505DCA0EF85720@BN8PR13MB2628.namprd13.prod.outlook.com>
In-Reply-To: <BN8PR13MB26280D084B8C786505DCA0EF85720@BN8PR13MB2628.namprd13.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/pKe0YZYZUGy1Panzw2B40KAV6jg>
Subject: Re: [Idr] Questions to draft-hujun-idr-bgp-ipsec-transport-mode-00.txt

Hi Linda,
I assume your questions are really about draft-hujun-idr-bgp-ipsec-01, since draft-hujun-idr-bgp-ipsec-transport-mode-00 doesn't have Figure 4.
"Figure 4: does R1 use Subnet A in NLRI? And have Tunnel-Encap with more detailed description on SubnetA<->SubnetB & SubnetA<->Subnet C?"
Yes, R1 will advertise subnet A in NLRI; I'm not sure I understand the 2nd part of your question, but section 2.1 of draft-hujun-idr-bgp-ipsec-01 defines the local/remote prefix sub-TLV (the NLRI could be used as the local prefix).

"How does R1 need to know that Subnet A and Subnet B needs to communicate ahead of time?"
This depends on the use case. In this example, both R1 and R2 belong to the same admin domain, so this kind of thing could be planned ahead; in other use cases, if the remote prefix is not known or the user wants the same IPsec config for all remote prefixes, then an all-zero prefix could be used in the remote prefix sub-TLV.


"In addition, if the network has 4 routers, R1, R2, R3 and R4, does the UPDATE from R1 include all the <Local, Remote> pairs in each single UPDATE?

i.e. when R1 sends out the UPDATE for the Subnet A attached to R1, the UPDATE from R1 has to include
        Local subnet A <-> remote subnet B on R2
        Local subnet A <-> remote subnet D on R3
        Local subnet A <-> remote subnet F on R4

Is it correct? If there are 100 nodes in the network, the UPDATE message has to include 100 pairs?"
As explained above, it could be done this way, but it is not necessary; it really depends on the granularity the use case needs.
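To make the trade-off in the two answers above concrete, here is an added Python model (not code from the draft or from the author) of the two ways R1 could populate the local/remote prefix pairs for subnet A, and of how a receiving router would pick the entry for a given (source, destination) pair. The `TunnelEntry`/`Update` classes, the `ipsec_profile` string and the `select_entry` rule are assumptions made for illustration; the sub-TLV wire encoding of draft-hujun-idr-bgp-ipsec-01 section 2.1 is not reproduced. The all-zero prefix `0.0.0.0/0` stands in for the "same IPsec config for all remote prefixes" case, and the selector gives a more specific remote prefix precedence over the wildcard.

```python
"""Constructed model: explicit <local, remote> pairs vs. an all-zero remote
prefix in R1's UPDATE for subnet A, plus receiver-side entry selection.
Hypothetical data structures; the draft's sub-TLV encoding is not modelled."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network

# All-zero remote prefix: "apply this IPsec config to every remote prefix".
ANY_V4 = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class TunnelEntry:
    """One local/remote prefix pair carried with the tunnel config (hypothetical)."""
    local: IPv4Network
    remote: IPv4Network
    ipsec_profile: str  # placeholder for the IPsec-related sub-TLVs


@dataclass
class Update:
    """Abstraction of an UPDATE: the NLRI plus its tunnel entries (hypothetical)."""
    nlri: IPv4Network
    tunnel_entries: list = field(default_factory=list)


def build_update_explicit(local, remotes, profile):
    """One entry per remote subnet: with 100 remote nodes this yields 100 entries."""
    local = ip_network(local)
    upd = Update(nlri=local)
    for r in remotes:
        upd.tunnel_entries.append(TunnelEntry(local, ip_network(r), profile))
    return upd


def build_update_wildcard(local, profile):
    """A single entry with the all-zero remote prefix, independent of node count."""
    local = ip_network(local)
    return Update(nlri=local, tunnel_entries=[TunnelEntry(local, ANY_V4, profile)])


def select_entry(update, src, dst):
    """Receiver-side selection (assumed rule): the entry whose local prefix covers
    src and whose remote prefix covers dst, preferring the longest remote prefix,
    so an explicit pair always wins over the 0.0.0.0/0 wildcard.
    Returns None when no pair matches, i.e. no IPsec config applies."""
    src = ip_network(src)  # a bare host address becomes a /32
    dst = ip_network(dst)
    best = None
    for e in update.tunnel_entries:
        if not (src.subnet_of(e.local) and dst.subnet_of(e.remote)):
            continue
        if best is None or e.remote.prefixlen > best.remote.prefixlen:
            best = e
    return best


if __name__ == "__main__":
    # Constructed sample subnets standing in for A, B, D and F in the thread.
    explicit = build_update_explicit("10.1.0.0/24",
                                     ["10.2.0.0/24", "10.3.0.0/24", "10.4.0.0/24"],
                                     "profile-constructed")
    wildcard = build_update_wildcard("10.1.0.0/24", "profile-constructed")
    print(len(explicit.tunnel_entries), "explicit entries;",
          len(wildcard.tunnel_entries), "wildcard entry")
    print(select_entry(explicit, "10.1.0.5", "10.9.0.1"))   # no pair -> None
    print(select_entry(wildcard, "10.1.0.5", "10.9.0.1"))   # wildcard entry
```

The explicit form scales linearly with the number of remote subnets, which is the 100-pair concern raised in the question; the wildcard form is constant size but, as the selector shows, applies one policy to every destination unless a more specific pair is also present.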





From: Linda Dunbar <linda.dunbar@futurewei.com>
Sent: Sunday, November 17, 2019 8:52 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>; Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>; idr@ietf.org
Cc: 'Paul Wouters' <paul@nohats.ca>; 'Benjamin Kaduk' <kaduk@mit.edu>; Susan Hares <shares@ndzh.com>
Subject: RE: [Idr] Questions to draft-hujun-idr-bgp-ipsec-transport-mode-00.txt

Jun,

In addition, if the network has 4 routers, R1, R2, R3 and R4, does the UPDATE from R1 include all the <Local, Remote> pairs in each single UPDATE?

i.e. when R1 sends out the UPDATE for the Subnet A attached to R1, the UPDATE from R1 has to include
        Local subnet A <-> remote subnet B on R2
        Local subnet A <-> remote subnet D on R3
        Local subnet A <-> remote subnet F on R4

Is it correct? If there are 100 nodes in the network, the UPDATE message has to include 100 pairs?

Linda

-----Original Message-----
From: Idr <idr-bounces@ietf.org> On Behalf Of Linda Dunbar
Sent: Sunday, November 17, 2019 8:32 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>; idr@ietf.org
Cc: 'Paul Wouters' <paul@nohats.ca>; 'Benjamin Kaduk' <kaduk@mit.edu>; Susan Hares <shares@ndzh.com>
Subject: [Idr] Questions to draft-hujun-idr-bgp-ipsec-transport-mode-00.txt

Jun,

I have some questions on your draft:

Figure 4: does R1 use Subnet A in NLRI? And have Tunnel-Encap with more detailed description on SubnetA<->SubnetB & SubnetA<->Subnet C?

How does R1 need to know that Subnet A and Subnet B needs to communicate ahead of time?

Linda


-----Original Message-----
From: Idr <idr-bounces@ietf.org> On Behalf Of Hu, Jun (Nokia - US/Mountain View)
Sent: Friday, October 11, 2019 6:46 AM
To: idr@ietf.org
Cc: 'Paul Wouters' <paul@nohats.ca>; 'Benjamin Kaduk' <kaduk@mit.edu>; Susan Hares <shares@ndzh.com>
Subject: [Idr] FW: New Version Notification for draft-hujun-idr-bgp-ipsec-transport-mode-00.txt

Hi,
Here is a new draft for using BGP to provision IPsec transport mode protected tunnel config; this draft is a companion to draft-hujun-idr-bgp-ipsec-01 (IPsec tunnel mode), to provide a complete solution for using BGP to provision IPsec config.

Review and comments will be appreciated.

-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Thursday, October 10, 2019 3:41 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>; Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>
Subject: New Version Notification for draft-hujun-idr-bgp-ipsec-transport-mode-00.txt


A new version of I-D, draft-hujun-idr-bgp-ipsec-transport-mode-00.txt
has been successfully submitted by Hu Jun and posted to the IETF repository.

Name:           draft-hujun-idr-bgp-ipsec-transport-mode
Revision:       00
Title:          BGP Provisioned IPsec Transport Mode Protected Tunnel Configuration
Document date:  2019-10-10
Group:          Individual Submission
Pages:          7
URL:            https://www.ietf.org/internet-drafts/draft-hujun-idr-bgp-ipsec-transport-mode-00.txt
Status:         https://datatracker.ietf.org/doc/draft-hujun-idr-bgp-ipsec-transport-mode/
Htmlized:       https://tools.ietf.org/html/draft-hujun-idr-bgp-ipsec-transport-mode-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-hujun-idr-bgp-ipsec-transport-mode


Abstract:
   This document defines a method of using BGP to advertise IPsec
   transport mode protected tunnel (like GRE tunnel with IPsec transport
   mode protection) configuration along with NLRI, based on
   [I-D.ietf-idr-tunnel-encaps] and [I-D.hujun-idr-bgp-ipsec].




Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
Idr mailing list
Idr@ietf.org
https://www.ietf.org/mailman/listinfo/idr
