Re: [Idr] Seeking feedback of draft-dunbar-idr-sdwan-port-safi using SDWAN SAFI to encode SDWAN Instance ID in the NLRI

Gyan Mishra <hayabusagsm@gmail.com> Wed, 01 April 2020 01:51 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2CC83A0FD1; Tue, 31 Mar 2020 18:51:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.097
X-Spam-Level:
X-Spam-Status: No, score=-0.097 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CXxB7AKc7On8; Tue, 31 Mar 2020 18:51:52 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B13DE3A0FCE; Tue, 31 Mar 2020 18:51:52 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id x9so17497601iom.10; Tue, 31 Mar 2020 18:51:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CwTLQjfAxbsqBE+wWr/GivkFB/SJkQLKWUPbI8v+VQA=; b=fe9cw/P9zjb/t2A7LRXL8di9iBC3aX4i768aI6giWhwcFcDittke2+u0Asd9fYajnI bFs/rj5pkNn2apKCGAYgKi/uJTBuw0WJq6qRWST2R75xtXGO7n+FFTQXPC9o1IuTEVCX obGxGdLU/oYFW58m/ii2UlcZdQ86jd7T7mpn2/qz1VWPTGX1FTcxd0qE2nsGbAM68BmY SmryuvLLaK3jzv18RUlbo0uM9+IPt085HdbhBvVDS/NIugjvNJU1aB+szxSY7r2+YrSJ 0o4K7ZWRXeLyIhVbof84sohoGFic2WFNX3L0rWcjDiAd4WCsBkRwTxrsbqkMfG/ehSrk eyXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CwTLQjfAxbsqBE+wWr/GivkFB/SJkQLKWUPbI8v+VQA=; b=H5cN12vOFUVmxbj/pMuVGWLll+P1tQ0m4FIUw+UlGN9cEXdWvJRn0c8UVVkL0y8Gfs XiftFIkjr8gfsUjE4sUvzR7unwwy27tH1gC5Wi8rU7zRQboDxDy1/UQbSrRn1SvOtoqR mjyAK3Bl204oyRJsg+vu8HzGG/KsD8vEcNwaINdb/hDy6WdZRW8h3CrcRuNR5mQA6pyu F0LlzfwSBW//Z0LQ2xrshw0SaFPrmKDWo0aBOQ8ozcJMsZ1ppZ4CxKugA/5jPe8l04ff kjh6OEKXBRodejod4eza38gxTO7b4J9UgUrx+17byoBKRNsG1Pw1i9z6i78HeMNBCQ3D 8AAA==
X-Gm-Message-State: ANhLgQ33jErk9oYjBBS0AMUXkQSmW9QeWrDwwyzPkSCDzCcslVTJsAwi OHtqH3QY7sQO/FanSmIec0n1f5/UgoMzAOJNyFs=
X-Google-Smtp-Source: ADFU+vsDeEB77J/1Tmp/zkliAzuXwm16aVCQzE0E06dOmvj0GVkQHSOxg1stHmSouhWS0UHSIcLqLwKUFi4t7plTjIQ=
X-Received: by 2002:a02:e81:: with SMTP id 123mr7051575jae.0.1585705911786; Tue, 31 Mar 2020 18:51:51 -0700 (PDT)
MIME-Version: 1.0
References: <MWHPR1301MB2096E56F2D64346B8FD2085B85F00@MWHPR1301MB2096.namprd13.prod.outlook.com> <CAOj+MMH=oXPOt3ozQvEHkGv6kjh6XdPRfnBDVX9Uxzcvw1pfjQ@mail.gmail.com> <MWHPR1301MB20964B134DC3E970CA27669085F10@MWHPR1301MB2096.namprd13.prod.outlook.com> <CAOj+MMGm3fB_XVkVp11qc2mRop-EQEyW50U7iSmHX=nEviYmOQ@mail.gmail.com> <MWHPR1301MB2096D05170B44A353F3B516785CE0@MWHPR1301MB2096.namprd13.prod.outlook.com> <CABNhwV144D+2PJLyKsZogh9Xe9mL0zkgw6RCF6OBG-7ycHT7nA@mail.gmail.com> <CAOj+MMGqh0mZEanX9MBNYaZuOW0yR=jqEe29zJ3mMWsdQqM-gA@mail.gmail.com>
In-Reply-To: <CAOj+MMGqh0mZEanX9MBNYaZuOW0yR=jqEe29zJ3mMWsdQqM-gA@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Tue, 31 Mar 2020 21:51:41 -0400
Message-ID: <CABNhwV1-wQuf+b614SggHRSx=88=3bnywC2E1WiLgf62fPkoKQ@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
Cc: Huaimo Chen <huaimo.chen@futurewei.com>, Linda Dunbar <linda.dunbar@futurewei.com>, "bess@ietf.org" <bess@ietf.org>, "idr@ietf.org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000972e7305a230ed20"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/t8xKrqlfGKhFsFmD1T3TcLSxsHA>
Subject: Re: [Idr] Seeking feedback of draft-dunbar-idr-sdwan-port-safi using SDWAN SAFI to encode SDWAN Instance ID in the NLRI
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2020 01:51:59 -0000

Thanks Robert!! đź‘Ť

For me to really comprehend I have to have to put the tire to the road and
test in my Dev lab.  Any caveats with Cisco XR?  Ping me off list on cisco
specific reply.

Kind regards

Gyan

On Tue, Mar 31, 2020 at 6:43 AM Robert Raszuk <robert@raszuk.net> wrote:

> Hi Gyan,
>
> As topic 1 - Extended community which is used for filtering incoming
> updates can be configured under BGP AF - there is nothing in the protocol
> which mandates that such RTs need to be configured under VRF section.
>
> As of topic 2 - This is huge misconception by many people who think that
> SAFI 128 requires MPLS transport. So let me clearly state that SAFI 128
> application can happily run for many years now over pure IP transport. VPN
> labels and transport paradigm are completely separate. Hint: RFC7510 or
> RFC4023. Moreover - let me also state that MPLS transport does not bring
> any benefits other then few bits savings in the packet header as compared
> with say IPv4 transport. Contrary it costs a lot of complexity in the
> control plane and forwarding planes of the network elements.
>
> Thx,
> R.
>
>
>
> On Tue, Mar 31, 2020 at 7:48 AM Gyan Mishra <hayabusagsm@gmail.com> wrote:
>
>>
>> Robert  & Linda
>>
>> Sorry to inject myself into this thread.
>>
>> You stated that that RFC 4364 SAFI 128 for vpnv4 vpnv6 is the BGP control
>> plane service layer overlay from PE to RR. Agreed.  By default all PEs
>> including the SDWAN PE have RT Filtering enabled by default and only import
>> the RT into the VRF at the control plane level if the VRF is configured
>> with RT advertised by the RR is being imported by the PE, if not the SAFI
>> 128 prefixes are dropped.  So I understand that the BGP updates is a
>> control plane function, but how would the routes get imported by the PE if
>> the VRF is not defined on the PE.  RFC 4684 RTC capability allows only the
>> RTs imported on the PE to be advertised by the RR to reduced the SAFI 128
>> route advertised by the RR that would result in being filtered on the PE.
>>
>> So how would that work using SAFI 128 RT to provide the network slicing
>> for SDWAN without VRF configured.
>>
>> Also you mentioned that SAFI 128 L3 vpn services overlay can run over any
>> underlay and that does not have to be MPLS based.  I know SAFI 128 works
>> with SR-MPLS but there you are reusing the MPLS data plane.  With SRv6 due
>> to PM draft signaling by egress PE for end.dx instantiation, so there is
>> not any service label necessary as is with MPLS and thus SAFI 128 works
>> with SRv6.
>>
>> How would SAFI 128 work with IP underlay used with SDWAN?
>>
>> Even with  inter-as option b c ab, with BGP LU you do have topmost label
>> which is via BGP labeled unicast.  For inter as options if SAFI128 would
>> work w/o BGP LU you could just run SAFI 128 over IP.  I have never tried
>> but I think the control plane would come up but the data plane would be
>> broken.
>>
>> Kind regards
>>
>> Gyan
>>
>> On Tue, Mar 24, 2020 at 9:26 PM Linda Dunbar <linda.dunbar@futurewei.com>
>> wrote:
>>
>>> Robert,
>>>
>>>
>>>
>>> Want to confirm the following two points with you. Do I interpret your
>>> words correctly?
>>>
>>>
>>>
>>>    - If a CPE supports traditional VPN with multiple VRFs, and supports
>>>    multiple SDWAN instances, the traditional VRF configuration is still same
>>>    which are carried by BGP Route Target Extended community.
>>>    - For the SDWAN Instances supported by the same CPE, we can use
>>>    Extended Community with a different name (say SDWAN Target ID). When the
>>>    SDWAN Target ID is used, the SAFI 128 can be used for routes for the SDWAN
>>>    instance,  with the exception that the label in the NLRI is not the MPLS
>>>    label carried by the data packets .
>>>
>>>
>>>
>>> Thank you.
>>>
>>>
>>>
>>> Linda Dunbar
>>>
>>> *From:* Robert Raszuk <robert@raszuk.net>
>>> *Sent:* Tuesday, March 24, 2020 3:32 AM
>>> *To:* Linda Dunbar <linda.dunbar@futurewei.com>
>>> *Cc:* Huaimo Chen <huaimo.chen@futurewei.com>; idr@ietf.org;
>>> bess@ietf.org
>>> *Subject:* Re: [Idr] Seeking feedback of
>>> draft-dunbar-idr-sdwan-port-safi using SDWAN SAFI to encode SDWAN Instance
>>> ID in the NLRI
>>>
>>>
>>>
>>> Hi Linda,
>>>
>>>
>>>
>>> Nope you do not need VRFs. RT construct works at the control plane
>>> level. VRF may be useful for traffic separation purposes on
>>> multitenant CPEs or if you would like to relax requirements for unique IP
>>> across SDWAN sites - but not a must otherwise.
>>>
>>>
>>>
>>> My main point was  that BGP SAFI 128 gives you for free transport for
>>> multiple routing contexts so why not leverage it as is?
>>>
>>>
>>>
>>> Moreover you may suddenly also discover that RTC (RFC4684) is your
>>> SDWAN friend too.
>>>
>>>
>>>
>>> Many thx,
>>> R.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Mar 24, 2020 at 5:15 AM Linda Dunbar <linda.dunbar@futurewei.com>
>>> wrote:
>>>
>>> Robert,
>>>
>>>
>>>
>>> Thank you very much for the feedback.
>>>
>>>
>>>
>>> If using your suggested Route Target approach to represent the SDWAN
>>> Instance ID, does it mean that a SDWAN Edge has to use the same approach to
>>> configure the VRF for SDWAN instances?
>>>
>>> If the edge node supports both traditional VPN and SDWAN, will it cause
>>> confusion for RT to represent both?
>>>
>>>
>>>
>>> RT is encoded in the Extended_Communities Path Attribute, SAFI 128 is
>>> encoded in the MP_REACH_NLRI Path Attribute.
>>>
>>>
>>>
>>> What do you mean by saying “different name to Route target(s) carried in
>>> the SAFI 128”?
>>>
>>> Do you mean having a different name (say SDWAN_Target) in
>>> Extended_Communities Path Attribute, and have MP_REACH_NLRI Path Attribute
>>> including the SAFI 128?
>>>
>>>
>>>
>>> SDWAN Instance ID is for the control Plane, not to be carried by the
>>> data packets. SAFI 128 for VPN has the Label encoded in the NLRI field that
>>> is to be carried by the data packets. But SDWAN Instance ID is not carried
>>> by the Data Packets. Is it correct?
>>>
>>>
>>>
>>> Thank you.
>>>
>>> Linda
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *From:* Robert Raszuk <robert@raszuk.net>
>>> *Sent:* Monday, March 23, 2020 2:28 PM
>>> *To:* Linda Dunbar <linda.dunbar@futurewei.com>
>>> *Cc:* Huaimo Chen <huaimo.chen@futurewei.com>; idr@ietf.org;
>>> bess@ietf.org
>>> *Subject:* Re: [Idr] Seeking feedback of
>>> draft-dunbar-idr-sdwan-port-safi using SDWAN SAFI to encode SDWAN Instance
>>> ID in the NLRI
>>>
>>>
>>>
>>> Hi Linda,
>>>
>>>
>>>
>>> I think you are mixing data plane and control plane.
>>>
>>>
>>>
>>> In SDWAN data plane is of no issue as you are interconnecting sites in a
>>> given VPN over mesh of secure tunnels.
>>>
>>>
>>>
>>> You are asking how to keep control plane separate between VPN instances.
>>> This is precisely what RFC4364 does already and RT import/export is used to
>>> indicate the instance which given set of reachability belongs. Why to
>>> reinvent the wheel and do something new just for the heck of it :) ?
>>>
>>>
>>>
>>> To be original you can at best invent a different name to Route
>>> target(s) carried in the SAFI 128 but let's keep the mechanism the same.
>>> That would be my suggestion.
>>>
>>>
>>>
>>> Kind regards,
>>>
>>> R.
>>>
>>>
>>>
>>> PS. While this is obvious for some many folks are still confused.
>>> RFC4364 does not need to run over MPLS data plane. It can run over IPSec or
>>> over DTLS or over UDP/IP just fine.
>>>
>>>
>>>
>>> On Mon, Mar 23, 2020 at 6:47 PM Linda Dunbar <linda.dunbar@futurewei.com>
>>> wrote:
>>>
>>> IDR experts:
>>>
>>>
>>>
>>> SDWAN is an overlay network arching over multiple types of networks. A
>>> SDWAN edge node may need to map client traffic to different SDWAN network
>>> instances (or segmentations).
>>>
>>> It might not be feasible to use the AS number in the BGP message to
>>> differentiate the SDWAN network instances as multiple SDWAN instances may
>>> share the same AS number.
>>>
>>>
>>>
>>> We would like to hear feedback from IDR group on using similar method as
>>>  Binding MPLS Labels to Address Prefixes [RFC8277] to bind SDWAN Instance
>>> ID to  prefixes.
>>>
>>>
>>>
>>> When  MPLS VPN SAFI (=128) is present, MPLS label is carried by NLRI
>>> [RFC8277] as:
>>>
>>>
>>>
>>>       0                   1                   2                   3
>>>
>>>       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>>>
>>>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>>      |    Length     |                 Label                 |Rsrv |S|
>>>
>>>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>>      |                          Prefix                               ~
>>>
>>>      ~                                                               |
>>>
>>>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>>
>>>
>>>                        Figure 2: NLRI with One Label
>>>
>>>
>>>
>>> We would like to  propose the SDWAN Instance ID being encoded in the
>>> Label field as follows when SDWAN SAFI (=74 allocated by IANA) is used,:
>>>
>>>
>>>
>>>       0                   1                   2                   3
>>>
>>>       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>>>
>>>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>>      |    Length     |      SDWAN Instance ID (Label)        |Rsrv |S|
>>>
>>>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>>      |                          Prefix                               ~
>>>
>>>      ~                                                               |
>>>
>>>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>>
>>>
>>>                         NLRI with SDWAN Instance ID.
>>>
>>>
>>>
>>> Greatly appreciate any comments or other suggestions..
>>>
>>>
>>>
>>> Thank you,
>>>
>>> Linda Dunbar
>>>
>>>
>>>
>>> *From:* Huaimo Chen <huaimo.chen@futurewei.com>
>>> *Sent:* Monday, March 23, 2020 9:14 AM
>>> *To:* Linda Dunbar <linda.dunbar@futurewei.com>; idr@ietf.org
>>> *Cc:* bess@ietf.org
>>> *Subject:* Re: [Idr] FW: Is there any problem of using Private AS as
>>> "Identifier" to differentiate SD-WAN Segmentation for
>>> draft-dunbar-bess-bgp-sdwan-usage?
>>>
>>>
>>>
>>> Hi Linda,
>>>
>>>
>>>
>>>     It seems that using another SAFI is a possible solution.
>>>
>>>
>>>
>>> Best Regards,
>>>
>>> Huaimo
>>> ------------------------------
>>>
>>> *From:* Linda Dunbar <linda.dunbar@futurewei.com>
>>> *Sent:* Friday, March 20, 2020 12:54 AM
>>> *To:* Huaimo Chen <huaimo.chen@futurewei.com>; idr@ietf.org <
>>> idr@ietf.org>
>>> *Cc:* bess@ietf.org <bess@ietf.org>
>>> *Subject:* RE: [Idr] FW: Is there any problem of using Private AS as
>>> "Identifier" to differentiate SD-WAN Segmentation for
>>> draft-dunbar-bess-bgp-sdwan-usage?
>>>
>>>
>>>
>>> Huaimo,
>>>
>>>
>>>
>>> Thank you very much for the suggestion.
>>>
>>> Do you mean using the similar approach as VPN Label carried by NLRI Path
>>> Attribute [RFC8277] for SDWAN Segmentation Identifier?
>>>
>>> If yes, the UPDATE message should not use the MPLS VPN SAFI (=128) to
>>> avoid confusion, right?
>>>
>>>
>>>
>>> Linda
>>>
>>>
>>>
>>> *From:* Huaimo Chen <huaimo.chen@futurewei.com>
>>> *Sent:* Thursday, March 19, 2020 6:45 PM
>>> *To:* Linda Dunbar <linda.dunbar@futurewei.com>; idr@ietf.org
>>> *Cc:* bess@ietf.org
>>> *Subject:* Re: [Idr] FW: Is there any problem of using Private AS as
>>> "Identifier" to differentiate SD-WAN Segmentation for
>>> draft-dunbar-bess-bgp-sdwan-usage?
>>>
>>>
>>>
>>> Hi Linda,
>>>
>>>
>>>
>>>     It seems that a label may be used as an "Identifier" to
>>> differentiate SD-WAN Segmentation.
>>>
>>>
>>>
>>> Best Regards,
>>>
>>> Huaimo
>>> ------------------------------
>>>
>>> *From:* Idr <idr-bounces@ietf.org> on behalf of Linda Dunbar <
>>> linda.dunbar@futurewei.com>
>>> *Sent:* Thursday, March 19, 2020 1:22 PM
>>> *To:* idr@ietf.org <idr@ietf.org>
>>> *Cc:* bess@ietf.org <bess@ietf.org>
>>> *Subject:* [Idr] FW: Is there any problem of using Private AS as
>>> "Identifier" to differentiate SD-WAN Segmentation for
>>> draft-dunbar-bess-bgp-sdwan-usage?
>>>
>>>
>>>
>>> BGP Experts,
>>>
>>>
>>>
>>> Do you know if  there is any problem of using  Private AS as
>>> "Identifier" to differentiate SD-WAN Segmentation? Here is the discussion
>>> in BESS WG. Want to get IDR WG feedbacks for this question.
>>>
>>>
>>>
>>> Thank you.
>>>
>>> Linda
>>>
>>>
>>>
>>> *From:* Linda Dunbar
>>> *Sent:* Thursday, March 19, 2020 11:54 AM
>>> *To:* Najem, Basil <basil.najem@bell.ca>; bess@ietf.org
>>> *Cc:* draft-dunbar-bess-bgp-sdwan-usage@ietf.org
>>> *Subject:* Is there any problem of using Private AS as "Identifier" to
>>> differentiate SD-WAN Segmentation for draft-dunbar-bess-bgp-sdwan-usage?
>>>
>>>
>>>
>>> Based on Basil’s comment on needing an identifier to differentiate SDWAN
>>> instances, I added a section to  draft-dunbar-bess-bgp-sdwan-usage . Want
>>> to hear people’s feedback.
>>>
>>>
>>> 3.1    Requirements 3.1.1Supporting Multiple SDWAN Segmentations
>>>
>>> The term “network segmentation” is used extensively in SDWAN deployment.
>>> In general (and in this document), the “Network Segmentation” is referring
>>> to the process of dividing the network into logical sub-networks using
>>> isolation techniques on a forwarding device such as a switch, router, or
>>> firewall. For a homogeneous network, such as MPLS VPN or Layer 2 network,
>>> VRF or VLAN are used to separate network segments.
>>>
>>> As SDWAN is an overlay network arching over multiple types of networks,
>>> it is important to have distinct identifiers to differentiate SDWAN network
>>> instances (or segmentations). When different SDWAN network segments do not
>>> have their own assigned AS numbers, a very easy way is to use Private AS
>>> numbers, in the range of 64512 to 65535, to differentiate different SDWAN
>>> segmentations.. When using BGP to control the SDWAN networks, the Private
>>> AS numbers are carried by the BGP UPDATE messages to their corresponding
>>> RRs.
>>>
>>>
>>>
>>> Greatly appreciate any feedback on this description.
>>>
>>>
>>>
>>> Is there any scenario that Private AS cannot be used?
>>>
>>>
>>>
>>> Thank you very much.
>>>
>>>
>>>
>>> Linda Dunbar
>>>
>>>
>>>
>>> *From:* Najem, Basil <basil.najem@bell.ca>
>>> *Sent:* Friday, February 7, 2020 3:02 PM
>>> *To:* Linda Dunbar <linda.dunbar@futurewei.com>; bess@ietf.org
>>> *Cc:* draft-dunbar-bess-bgp-sdwan-usage@ietf.org
>>> *Subject:* RE: solicit feedback on draft-dunbar-bess-bgp-sdwan-usage
>>> description of using BGP UPDATE messages to achieve SD-WAN Application
>>> Based Segmentation
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Hi Linda;
>>>
>>>
>>>
>>> The SD-WAN Segment is part of the SD-WAN fabric; in other words, there
>>> could be more than one Segment over a single underlay depending on the
>>> design and the business requirements.
>>>
>>>
>>>
>>> Each Segment represents a single and an isolated L3 domain; therefore, I
>>> suggested that we may need to include the Segment ID in the BGP update
>>> messages in order to identify and build the routing the table for each
>>> Segment (based on the Segment ID).
>>>
>>>
>>>
>>> Hope this helps.
>>>
>>>
>>>
>>> Regards;
>>>
>>>
>>>
>>> Basil
>>>
>>>
>>>
>>>
>>>
>>> *From:* Linda Dunbar <linda.dunbar@futurewei.com>
>>> *Sent:* February-03-20 10:40 AM
>>> *To:* Najem, Basil <basil.najem@bell.ca>; bess@ietf.org
>>> *Cc:* draft-dunbar-bess-bgp-sdwan-usage@ietf.org
>>> *Subject:* [EXT]RE: solicit feedback on
>>> draft-dunbar-bess-bgp-sdwan-usage description of using BGP UPDATE messages
>>> to achieve SD-WAN Application Based Segmentation
>>>
>>>
>>>
>>> Basil,
>>>
>>>
>>>
>>> Thank you very much for the comments.
>>>
>>> Your suggested wording change will be incorporated in the next revision.
>>>
>>>
>>>
>>> As for your suggestion of Segment and Segment ID of a SDWAN node (to be
>>> included in the BGP UPDATE), does the “Segment” mean the different
>>> Underlay?
>>>
>>> In the figure below, C-PE1 has 3 WAN ports: 2 to MPLS network and 1 to
>>> Public Internet.
>>>
>>> Do you mean C-PE1 has 3 WAN “segments”?
>>>
>>> If not, can you elaborate more?
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Thanks, Linda
>>>
>>>
>>>
>>> *From:* Najem, Basil <basil.najem@bell.ca>
>>> *Sent:* Sunday, February 02, 2020 5:48 PM
>>> *To:* Linda Dunbar <linda.dunbar@futurewei.com>; bess@ietf.org
>>> *Cc:* draft-dunbar-bess-bgp-sdwan-usage@ietf.org
>>> *Subject:* RE: solicit feedback on draft-dunbar-bess-bgp-sdwan-usage
>>> description of using BGP UPDATE messages to achieve SD-WAN Application
>>> Based Segmentation
>>>
>>>
>>>
>>>
>>>
>>> Hello Linda;
>>>
>>>
>>>
>>> I haven’t gone through the entire document; however, I have the
>>> following quick comments
>>>
>>>
>>>
>>>    1. Regarding the following paragraph:
>>>
>>>
>>>
>>> 1.       Augment of transport, which refers to utilizing overlay paths
>>> over different underlay networks. Very often there are multiple parallel
>>> overlay paths between any two SDWAN edges, some of which are private
>>> networks over which traffic can traverse without encryption, others require
>>> encryption, e.g. over untrusted public networks.
>>>
>>>
>>>
>>> The traffic that traverses the privet networks can be either encrypted
>>> or unecrypted (in other words, the assumption that the traffic is NOT
>>> encrypted is not always correct). I would change the parpagaph to the
>>> following (for clarity):
>>>
>>>
>>>
>>> 1.       Augment of transport, which refers to utilizing overlay paths
>>> over different underlay networks. Very often there are multiple parallel
>>> overlay paths between any two SDWAN edges, some of which are private
>>> networks over which traffic can traverse with or without encryption,
>>> others require encryption, e.g. over untrusted public networks.
>>>
>>>
>>>
>>>
>>>
>>>    1. Another thing that we need to discuss is the Segment ID; each
>>>    Segment (at the SD-WAN Edge) MUST have an ID. The SD-WAN Policy will map
>>>    the Application Flow to the Segment. Since the Segment is a “routing
>>>    domain”, the BGP update will be exchanged with the memebers of a particular
>>>    Segment.
>>>
>>>
>>>
>>> As such: Should we include the Segment ID as an attribute in the BGP
>>> update messages? Perhaps we need to further discuss this in details.
>>>
>>>
>>>
>>> Any feedback is welcomed and it’s highly appreciated.
>>>
>>>
>>>
>>> Regards;
>>>
>>>
>>>
>>> Basil
>>>
>>>
>>>
>>>
>>>
>>> *From:* Linda Dunbar <linda.dunbar@futurewei.com>
>>> *Sent:* January-31-20 5:17 PM
>>> *To:* bess@ietf.org
>>> *Cc:* draft-dunbar-bess-bgp-sdwan-usage@ietf.org
>>> *Subject:* [EXT]solicit feedback on draft-dunbar-bess-bgp-sdwan-usage
>>> description of using BGP UPDATE messages to achieve SD-WAN Application
>>> Based Segmentation
>>>
>>>
>>>
>>> BESS participants:
>>>
>>>
>>>
>>> “SDWAN” networks is characterized by:
>>>
>>> 1.       Augment of transport, which refers to utilizing overlay paths
>>> over different underlay networks. Very often there are multiple parallel
>>> overlay paths between any two SDWAN edges, some of which are private
>>> networks over which traffic can traverse without encryption, others require
>>> encryption, e.g. over untrusted public networks.
>>>
>>> 2.       Enable direct Internet access from remote sites, instead
>>> hauling all traffic to Corporate HQ for centralized policy control.
>>>
>>> 3.       Some traffic are routed based on application IDs instead of
>>> based on destination IP addresses.
>>>
>>>
>>>
>>>
>>>
>>> https://datatracker.ietf.org/doc/draft-dunbar-bess-bgp-sdwan-usage/
>>> <https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dunbar-bess-bgp-sdwan-usage%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Ce72069277dec49a5666a08d7cfcddf3f%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637206355463932513&sdata=LtBJOxohSHjupWERqW88kUik96QA8iKzaucSLxh6rSU%3D&reserved=0>
>>> describes examples of using BGP UPDATE messages to achieve the SDWAN
>>> Application Based Segmentation,  assuming that the applications are
>>> assigned with unique IP addresses.
>>>
>>> In the Figure below, the following BGP Updates can be advertised to
>>> ensure that Payment Application only communicates with the Payment Gateway:
>>>
>>>
>>>
>>>
>>>
>>> BGP UPDATE #1 from C-PE2 to RR for the RED P2P topology (only propagated
>>> to Payment GW node:
>>>
>>> -        MP-NLRI Path Attribute:
>>>
>>>    - 30.1.1.x/24
>>>
>>> -        Tunnel Encap Path Attribute
>>>
>>>    - IPsec Attributes for PaymentGW ->C-PE2
>>>
>>>
>>>
>>> BGP UPDATE #2 from C-PE2 to RR for the routes to be reached by Purple:
>>>
>>> -        MP-NLRI Path Attribute:
>>>
>>>    - 10.1.x.x
>>>          - 12.4.x.x
>>>
>>> -        TunnelEncap Path Attribute:
>>>
>>>    - Any node to C-PE2
>>>
>>>
>>>
>>>
>>>
>>> Your feedback is greatly appreciated.
>>>
>>>
>>>
>>> Thank you very much.
>>>
>>>
>>>
>>> Linda Dunbar
>>> ------------------------------
>>>
>>> *External Email:** Please use caution when opening links and
>>> attachments / **Courriel externe:** Soyez prudent avec les liens et
>>> documents joints *
>>> ------------------------------
>>>
>>> *External Email:** Please use caution when opening links and
>>> attachments / **Courriel externe:** Soyez prudent avec les liens et
>>> documents joints *
>>>
>>> _______________________________________________
>>> Idr mailing list
>>> Idr@ietf.org
>>> https://www.ietf.org/mailman/listinfo/idr
>>> <https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fidr&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Ce72069277dec49a5666a08d7cfcddf3f%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637206355463932513&sdata=eqN85C344P7RxfO%2FBxoVZ0zNgGBsAcH%2F623Ye6TYHhs%3D&reserved=0>
>>>
>>> _______________________________________________
>>> Idr mailing list
>>> Idr@ietf.org
>>> https://www.ietf.org/mailman/listinfo/idr
>>>
>> --
>>
>> Gyan  Mishra
>>
>> Network Engineering & Technology
>>
>> Verizon
>>
>> Silver Spring, MD 20904
>>
>> Phone: 301 502-1347
>>
>> Email: gyan.s.mishra@verizon.com
>>
>>
>>
>> --

Gyan  Mishra

Network Engineering & Technology

Verizon

Silver Spring, MD 20904

Phone: 301 502-1347

Email: gyan.s.mishra@verizon.com