IETF Logo Mail Archive

Re: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties

"Ali Sajassi (sajassi)" <sajassi@cisco.com> Fri, 28 June 2019 17:51 UTC

Return-Path: <sajassi@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48EB11206DD for <idr@ietfa.amsl.com>; Fri, 28 Jun 2019 10:51:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.399
X-Spam-Level:
X-Spam-Status: No, score=-14.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=WjJNFPxC; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=W35i19EB
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id veS6yVWpQ4Lb for <idr@ietfa.amsl.com>; Fri, 28 Jun 2019 10:51:46 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57B601206E4 for <idr@ietf.org>; Fri, 28 Jun 2019 10:51:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=202519; q=dns/txt; s=iport; t=1561744304; x=1562953904; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=m58XKnTJNLXX3cP/fteyKrJwvKMps7M+0rOKmtZEseo=; b=WjJNFPxCI6ITq9uDP0iaMlRPPNNY3so4wuN1x4aSmRyf7j6rx3EitQrt vj7CgGAG1kPhqDH1KKxZgZeWGZIbr8uVHXsqLJT21Aw+9lgGgVoPxpTNd 2C/4aVihJsWth0CZyxX3p9k0vdxXnKXLc3kYElDzKwMnpJnnxcK50Vv4x s=;
X-Files: image001.png, image002.png : 48023, 70669
IronPort-PHdr: 9a23:RuIDGRFm3ThzZKMwwdMQfp1GYnJ96bzpIg4Y7IYmgLtSc6Oluo7vJ1Hb+e4z1A3SRYuO7fVChqKWqK3mVWEaqbe5+HEZON0pNVcejNkO2QkpAcqLE0r+eeXjbSUhB8VqX15+9Hb9Ok9QS47z
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AJAAB4UhZd/5pdJa1lGQEBAQEBAQEBAQEBAQcBAQEBAQGBVQIBAQEBAQsBgRQvUANqVSAECyiDXECBX4FoA45eTIFqJY4giSSBLhSBEANUAgcBAQEJAQIBASILAgEBgQVdgl4CF4JpIzYHDgEDAQEEAQECAQVtijcMhUoBAQEBAwUHBhECCAESAQElBA8PAgEGAhEDAQEBBgEBARgBAgQDAgICBRAPDBQJCAEBBAERAQ4UgnsEAQGBagMdAQIMi1CQYAKBOIhgcYEygnkBAQWBRkGDBgMVggoHAwaBNAGLQR0XgX+BEScME4JMPoJhAgIBARaBFAESATYJDQmCVDKCJowfgkGEfIEKh0+Ed4JKgXyEPgkCghaFRwGBCzSKb4IDG4IriyaKEowNgSCBMIYIjB6DSwIEAgQFAg4BAQWBVgExDVpxcBVlAYJBE4IKJAwXFIM6hRSFP3IBAQEBgSWMV4FUbwEB
X-IronPort-AV: E=Sophos;i="5.63,428,1557187200"; d="png'150?scan'150,208,217,150";a="584308419"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 28 Jun 2019 17:51:42 +0000
Received: from XCH-ALN-017.cisco.com (xch-aln-017.cisco.com [173.36.7.27]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id x5SHpggI015383 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 28 Jun 2019 17:51:42 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-ALN-017.cisco.com (173.36.7.27) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 28 Jun 2019 12:51:41 -0500
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 28 Jun 2019 12:51:40 -0500
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Fri, 28 Jun 2019 12:51:40 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZLyVT5A91ThQRbEG43cok8UoGOJxGggUUZaKIlYnXRE=; b=W35i19EB8OyL3Fa2dkBntpJUL5PHMbR6fHhuhYb7YiY5Q3bu1XCsYZo+xTH36rdC1mrM7LAaZfPgUX70cxOeghLn02apC+Cm//rFqpaWx+W3v9k7OZ7073LBbK5P9nsC8lg+aOqGQ/Bj8sZN27PkqV5ufwuAldUpTcNlQGK/MPc=
Received: from BYAPR11MB3703.namprd11.prod.outlook.com (20.178.237.220) by BYAPR11MB2966.namprd11.prod.outlook.com (20.177.224.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2032.18; Fri, 28 Jun 2019 17:51:39 +0000
Received: from BYAPR11MB3703.namprd11.prod.outlook.com ([fe80::4ca0:1d8d:a720:2ca9]) by BYAPR11MB3703.namprd11.prod.outlook.com ([fe80::4ca0:1d8d:a720:2ca9%5]) with mapi id 15.20.2032.018; Fri, 28 Jun 2019 17:51:39 +0000
From: "Ali Sajassi (sajassi)" <sajassi@cisco.com>
To: Linda Dunbar <linda.dunbar@futurewei.com>, "idr@ietf.org" <idr@ietf.org>
Thread-Topic: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties
Thread-Index: AdUtPjQZBxvBfPhSTlipZ74SwoimTQABjpGAACCLVvD//7G0AA==
Date: Fri, 28 Jun 2019 17:51:39 +0000
Message-ID: <6E041D15-2214-4F5B-B30A-51D12466A1FF@cisco.com>
References: <MN2PR13MB35827C9D8B4F6E09577D7A7185FD0@MN2PR13MB3582.namprd13.prod.outlook.com> <DA6ED6BC-0221-4E06-B049-3F8C2254DB88@cisco.com> <MN2PR13MB3582DAAAFB3E6F67C917A80585FC0@MN2PR13MB3582.namprd13.prod.outlook.com>
In-Reply-To: <MN2PR13MB3582DAAAFB3E6F67C917A80585FC0@MN2PR13MB3582.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1a.0.190609
authentication-results: spf=none (sender IP is ) smtp.mailfrom=sajassi@cisco.com;
x-originating-ip: [2001:420:417:1250:c488:b7d3:e55f:274e]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d558ba0c-670b-4383-d135-08d6fbf145ad
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(49563074)(7193020); SRVR:BYAPR11MB2966;
x-ms-traffictypediagnostic: BYAPR11MB2966:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <BYAPR11MB2966E67B08DADF94DFE5AFD0B0FC0@BYAPR11MB2966.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 00826B6158
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(39860400002)(376002)(346002)(396003)(199004)(189003)(33656002)(14454004)(99936001)(606006)(966005)(99286004)(102836004)(6436002)(186003)(9326002)(53936002)(68736007)(236005)(54896002)(6306002)(6512007)(54556002)(733005)(478600001)(229853002)(53546011)(6486002)(6506007)(76176011)(8676002)(81166006)(6116002)(7736002)(81156014)(790700001)(8936002)(64756008)(66556008)(5660300002)(6246003)(58126008)(316002)(110136005)(66446008)(66476007)(73956011)(76116006)(66946007)(66576008)(86362001)(66574012)(446003)(11346002)(476003)(2616005)(486006)(36756003)(25786009)(2501003)(2906002)(14444005)(256004)(5024004)(46003)(71200400001)(71190400001); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR11MB2966; H:BYAPR11MB3703.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: u4Bp9TUpQZSEv06fVDW7wT0+vVMQOsQoailw3W4qt9UfKcRVtNGYGhFCqTqBiJ3A6Yo80jFfhzvyKU3U5T6ajCKUQMvjpgjNUrbNwBTZ4ipxcY1TAH8kK7p3zyOWVXr0l5iTJgVH02RIwgSogayTFbKznTHI4/NU444tbsRWWNvzRxOciYbNVU4wgboY/D3SAgSj8UKcYIoLo2hn/u9aU0KdklTFeamu/3FqW/rVfQHupC9dFZPFX96TMSoGyjqSEb29ssJJh1YS4rPpog8oETS88DonDxHuAZQ1hdtfKbeqvLhBdWYNLON8HtnXlNgWF9iO1eytcbjdOgjoQEXQGnaywlqCzQhh7T7pZPYf2imo863JP3l4qh9L0iuJDR/j+Pl3luoFI2CrMmqBCSZZuENIeuZWf92q6lFrbqtzw8Y=
Content-Type: multipart/related; boundary="_005_6E041D1522144F5BB30A51D12466A1FFciscocom_"; type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d558ba0c-670b-4383-d135-08d6fbf145ad
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jun 2019 17:51:39.2793 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sajassi@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB2966
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.27, xch-aln-017.cisco.com
X-Outbound-Node: rcdn-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/q7IhQtBGYoLCXagdAGzZI9d68OQ>
Subject: Re: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2019 17:51:52 -0000

Hi Linda,

I think you may be not reading section 7 quite correctly. Packet P is forwarded by R1 to R2. Both updates U1 and U2 are sent by R2 to R1. What section 7 says is that there is no need for both of these updates to carry the Tunnel Encap attribute. In this example U1 doesn’t carry the attribute and the BGP NH of U1 is sent in U2 with the attribute. The recursive route resolution takes care of the tunnel attribute for U1 because U1 recurses to U2 and U2 has the attribute. As I mentioned earlier there are several different ways specified in [Tunnel-Encap] for not sending the attribute with every routes and they are:

  1.  Recursive resolution
  2.  Coloring
  3.  Local policy

With respect to the example you provided, instead of writing a lengthy email on that here, let me add a section to my document to explain how this scenario is taken care of by the tunnel-encap attribute.

Cheers
Ali



From: Linda Dunbar <linda.dunbar@futurewei.com>
Date: Friday, June 28, 2019 at 9:57 AM
To: Cisco Employee <sajassi@cisco.com>, "idr@ietf.org" <idr@ietf.org>
Subject: RE: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties

Ali,

Thank you very much for the comments. A few more questions on your suggestions.

You said
“The Tunnel-Encap attribute does NOT need to be sent along with each tenant’s route”.

Then what will be the “route” in the UPDATE message?
Per RFC4271, An UPDATE message is used to advertise feasible routes that share common path attributes to a peer.

You stated in another email using  [Tunnel-encap] “recursive resolution and coloring” to propagate the WAN ports properties to RR (Controller). The Section 7 of Tunnel-encap Recursive Next Hop Resolution is about how R2 advertises route “P” on behalf of R1 which doesn’t support Encapsulation, or allowing nested tunnels:

[cid:image003.png@01D52DA8.A2765F80]


Can you elaborate how to  [Tunnel-encap] “recursive resolution and coloring” to propagate the WAN ports properties to RR (Controller)?

For SDWAN scenario (Figure below), the C-PE-1 needs to do two separate actions:

  1.  advertise to the SDWAN Ctrl on this WAN port A1 & A2 properties: A1 is assigned with private address, and A2 is connected to MPLS (e.g. AWS Direct Connect port)



  1.  Advertise the client routes attached to C-PE-1 to SDWAN Ctrl.



[cid:image004.png@01D52DA8.A2765F80]

I re-read the Section 7 (suggested by your other email), but still can’t figure out. Any help would be greatly appreciated.

Thank you very much.

Linda
From: Ali Sajassi (sajassi) <sajassi@cisco.com>
Sent: Friday, June 28, 2019 2:00 AM
To: Linda Dunbar <linda.dunbar@futurewei.com>; idr@ietf.org
Subject: Re: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties


Linda,

After the long thread we had on the topic of Tunnel-Encap, it should hopefully be clear by now that tunnel-encap can be used for your “WAN ports” and the property associated with a tunnel for these WAN ports can be signaled via the attribute. The Tunnel-Encap attribute does NOT need to be sent along with each tenant’s route and the [Tunnel-Encap] specified two way to do that: 1) recursive resolution and 2) coloring.  Furthermore, [Tunnel-Encap] allows you to setup multiple tunnels to a given end-point by advertising a single route along with the attribute for these tunnels. [Tunnel-Encap] does a nice job in providing examples for all of these.

Cheers,
Ali

From: Idr <idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>> on behalf of Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Date: Thursday, June 27, 2019 at 4:34 PM
To: "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>
Subject: [Idr] soliciting feedback for draft-dunbar-idr-sdwan-port-safi, which specifies a new NLRI for SDWAN edge to advertise its WAN ports properties

IDR Experts:

We would love to hear your feedback, criticism, or suggestion for https://datatracker.ietf.org/doc/draft-dunbar-idr-sdwan-port-safi/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dunbar-idr-sdwan-port-safi%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C8b44503c6fe840dcf4c508d6fb964ed0%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C636973020328257074&sdata=xe6HeEhhFo4VYyMrMEX2KMOpIOyMd8Vpa9dDNS%2BgqN4%3D&reserved=0>

The document specifies a new BGP NLRI and SAFI for advertising WAN ports properties of a SDWAN edge node. SDWAN edge node’s WAN ports may face untrusted networks, such as the public internet, may get assigned IP addresses from the Internet Service Providers (ISPs), may get assigned dynamic IP addresses via DHCP, or may have private addresses (e.g. inside third party Cloud DCs). Packets forwarded through those SDWAN WAN ports might need to be encrypted (depending on the user policies) or need to go through NAT. SDWAN edge nodes need to propagate those WAN ports properties to the peers who are authorized to communicate across different types of underlay networks including the untrusted networks.

Many people have suggested using the SAFI/NLRI used by draft-ietf-idr-tunnel-encaps-12. Here is why Tunnel-Encap is not enough:


  *   Tunnel-Encap draft describes how to construct a BGP UPDATE messages that advertise endpoints’ tunnel encapsulation capability and the respective attached client routes, so that the receivers of the BGP UPDATE can establish appropriate tunnels with the endpoints for the client routes. Tunnel-encap has a “Remote endpoint subTLV” for controller to advertise a node’s encapsulation capabilities.   The receivers of the Tunnel UPDATE would construct the encapsulation header with the Outer Destination Address equal to the address carried in the “Remote Endpoint sub-TLV”..
  *   The Tunnel-Encap draft doesn’t cover the SDWAN Edge WAN ports properties advertisement propagation, especially over untrusted networks.
  *   The addresses advertised by Tunnel-Encap UPDATE are the addresses of client routes reachable via the advertised encapsulation headers. The Address Family for the WAN ports of SDWAN Edge is totally different address family. The goal is to register the WAN port properties to its respective controller. Therefore, it is cleaner, less processing on receivers for implementation, and less error prone to have a different NLRI for WAN ports properties registration than re-using client route NLRI.

Greatly appreciate feedback and criticisms.

Thank you
Linda

v2.23.0 | Report a Bug | By Email