[Idr] draft-dunbar-idr-sdwan-port-safi address the WAN Port property registration that is not covered by Ali's SECURE-EVPN

Linda Dunbar <linda.dunbar@huawei.com> Tue, 26 March 2019 22:32 UTC

From: Linda Dunbar <linda.dunbar@huawei.com>
To: "Ali Sajassi (sajassi)" <sajassi@cisco.com>, idr wg <idr@ietf.org>
Thread-Topic: draft-dunbar-idr-sdwan-port-safi address the WAN Port property registration that is not covered by Ali's SECURE-EVPN
Date: Tue, 26 Mar 2019 22:31:55 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B33C11A@sjceml521-mbs.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/tR9ayPViaKu3iHRpZ1awaM-rEbg>
Subject: [Idr] draft-dunbar-idr-sdwan-port-safi address the WAN Port property registration that is not covered by Ali's SECURE-EVPN


After my presentation of draft-dunbar-idr-sdwan-port-safi, you stated at the microphone that your draft-sajassi-bess-secure-evpn-01 can cover what is presented.

Your draft-sajassi-bess-secure-evpn-01 doesn't cover the following important features for SD-WAN:

Since SDWAN edge nodes (virtual or physical) deployed at a specific location can be ephemeral, Zero Touch Provisioning (ZTP) is a common requirement, which includes the SDWAN node registering the properties of its WAN ports facing the public internet with its controller upon power up, whereas PEs' WAN ports are pre-configured. An SD-WAN node can have multiple WAN ports, some egressing to a private network through which traffic can traverse natively without encryption, and some egressing to a public network through which traffic has to be encrypted. Clients' routes can egress to either the WAN ports facing the private network or the WAN ports facing the public internet, depending on the client-specified policy and the feedback from the WAN traffic monitoring functions.

draft-dunbar-idr-sdwan-port-safi is for advertising the properties of an SDWAN edge node's WAN ports that face untrusted networks, such as the public internet. Those WAN ports may get IP addresses assigned by Internet Service Providers (ISPs), may get dynamic IP addresses via DHCP, or may have private addresses (e.g. inside third-party Cloud DCs). Packets sent over those SDWAN WAN ports might need to be encrypted (depending on the user policies) or need to go through NAT. The newly proposed NLRI is for this purpose.

Best Regards,
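The following is an added illustration of the WAN-port registration idea argued for in the message above; it is not code from the draft or from its author. The TLV type codes, the flag bit, the address-source values and the per-port length framing are all assumptions made up for this example and are not the NLRI layout defined in draft-dunbar-idr-sdwan-port-safi. The controller-side policy (encrypt when the port faces an untrusted network, add NAT traversal when the node reports a private address on such a port, prefer a private-network port unless monitoring has marked it degraded) is likewise an assumed policy, not one the draft prescribes. The sample ports and addresses are constructed (documentation and RFC 1918 ranges).

```python
import struct
import ipaddress
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Union

# Hypothetical TLV type codes for WAN-port properties (NOT the draft's codes).
class Tlv(IntEnum):
    PORT_ID = 1      # u16 local port index
    ADDRESS = 2      # u8 AFI (1 = IPv4, 2 = IPv6) followed by the packed address
    ADDR_SOURCE = 3  # u8, see AddrSource
    FLAGS = 4        # u8 bitmap, see FLAG_UNTRUSTED

class AddrSource(IntEnum):   # how the node obtained the port address (assumed values)
    STATIC_ISP = 0           # statically assigned by the ISP
    DHCP = 1                 # dynamically leased, may change over time
    PRIVATE = 2              # private address, e.g. inside a third-party cloud DC

FLAG_UNTRUSTED = 0x01        # assumed flag: port egresses to a public/untrusted network

@dataclass
class WanPort:
    port_id: int
    address: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    source: AddrSource
    untrusted: bool

def _tlv(t: int, value: bytes) -> bytes:
    return struct.pack("!BH", t, len(value)) + value

def encode_port(p: WanPort) -> bytes:
    """Edge-node side: serialise one WAN port's properties as a TLV sequence."""
    afi = 1 if p.address.version == 4 else 2
    return (_tlv(Tlv.PORT_ID, struct.pack("!H", p.port_id))
            + _tlv(Tlv.ADDRESS, bytes([afi]) + p.address.packed)
            + _tlv(Tlv.ADDR_SOURCE, bytes([p.source]))
            + _tlv(Tlv.FLAGS, bytes([FLAG_UNTRUSTED if p.untrusted else 0])))

def decode_port(blob: bytes) -> WanPort:
    """Controller side: parse one port record, rejecting truncated or inconsistent TLVs."""
    fields: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 3 > len(blob):
            raise ValueError("truncated TLV header")
        t, ln = struct.unpack_from("!BH", blob, off)
        off += 3
        if off + ln > len(blob):
            raise ValueError("TLV length exceeds record")
        fields[t] = blob[off:off + ln]
        off += ln
    missing = {Tlv.PORT_ID, Tlv.ADDRESS, Tlv.ADDR_SOURCE, Tlv.FLAGS} - set(fields)
    if missing:
        raise ValueError("missing TLVs: %s" % sorted(missing))
    afi, packed = fields[Tlv.ADDRESS][0], fields[Tlv.ADDRESS][1:]
    if (afi, len(packed)) not in ((1, 4), (2, 16)):
        raise ValueError("AFI/address length mismatch")
    return WanPort(port_id=struct.unpack("!H", fields[Tlv.PORT_ID])[0],
                   address=ipaddress.ip_address(packed),
                   source=AddrSource(fields[Tlv.ADDR_SOURCE][0]),
                   untrusted=bool(fields[Tlv.FLAGS][0] & FLAG_UNTRUSTED))

def encode_registration(ports: List[WanPort]) -> bytes:
    """ZTP registration of all WAN ports: u16 length-prefixed port records (assumed framing)."""
    out = b""
    for p in ports:
        rec = encode_port(p)
        out += struct.pack("!H", len(rec)) + rec
    return out

def decode_registration(blob: bytes) -> List[WanPort]:
    ports, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated record length")
        (ln,) = struct.unpack_from("!H", blob, off)
        off += 2
        if off + ln > len(blob):
            raise ValueError("record length exceeds message")
        ports.append(decode_port(blob[off:off + ln]))
        off += ln
    return ports

def required_handling(p: WanPort) -> Dict[str, bool]:
    """Assumed controller policy: traffic over an untrusted port is encrypted; a port
    that reports a private address on an untrusted network sits behind a NAT."""
    return {"encrypt": p.untrusted,
            "nat_traversal": p.untrusted and p.source == AddrSource.PRIVATE}

def choose_egress(ports: List[WanPort], prefer_private: bool = True,
                  degraded: frozenset = frozenset()) -> Optional[WanPort]:
    """Pick the egress port for a client route from the client's policy (prefer the
    private-network port) and monitoring feedback (port ids reported degraded)."""
    healthy = [p for p in ports if p.port_id not in degraded]
    if prefer_private:
        private = [p for p in healthy if not p.untrusted]
        if private:
            return private[0]
    return healthy[0] if healthy else None

# Constructed sample: private WAN (MPLS), broadband with DHCP, cloud-DC port behind NAT.
SAMPLE_PORTS = [
    WanPort(1, ipaddress.ip_address("172.16.5.2"), AddrSource.STATIC_ISP, untrusted=False),
    WanPort(2, ipaddress.ip_address("203.0.113.7"), AddrSource.DHCP, untrusted=True),
    WanPort(3, ipaddress.ip_address("10.0.0.5"), AddrSource.PRIVATE, untrusted=True),
]

if __name__ == "__main__":
    for p in decode_registration(encode_registration(SAMPLE_PORTS)):
        print(p.port_id, p.address, p.source.name, required_handling(p))
    print("egress:", choose_egress(SAMPLE_PORTS, degraded=frozenset({1})).port_id)
```

The decoder is strict on purpose: a controller accepting ZTP registrations from nodes that appear and disappear should treat the registration as untrusted input, so every length is bounds-checked and an address whose packed length disagrees with its AFI is rejected rather than guessed at.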