Re: [Idr] IPSec Tunnels and draft-sajassi-bess-secure-evpn

"Ali Sajassi (sajassi)" <sajassi@cisco.com> Fri, 31 July 2020 05:53 UTC

From: "Ali Sajassi (sajassi)" <sajassi@cisco.com>
To: Susan Hares <shares@ndzh.com>, "bess@ietf.org" <bess@ietf.org>, "idr@ietf.org" <idr@ietf.org>
Thread-Topic: IPSec Tunnels and draft-sajassi-bess-secure-evpn
Thread-Index: AdZk8izhjCdDx5/XSYuR36KvQpfiTAB0hUQA
Date: Fri, 31 Jul 2020 05:53:39 +0000
Message-ID: <8A0EAEEB-52CA-48CB-BA5E-C64DFED1EEEF@cisco.com>
References: <007f01d664f3$e2b14ff0$a813efd0$@ndzh.com>
In-Reply-To: <007f01d664f3$e2b14ff0$a813efd0$@ndzh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/vstIDzVIADqmmN32uz7neb-hzd8>

<added idr@ietf.org>

Sue,

Before getting to the discussions of the three IPsec proposals, there are some elements of draft-ietf-idr-tunnel-encaps-17.txt that I can see might have caused some confusion, and I’d like to get those sorted out first.

The tunnel-encap draft specifies sub-TLVs for VxLAN, VxLAN GPE, and NVGRE in sections 3.2.1, 3.2.2, and 3.2.3. I am not aware of any vendor that has implemented these sub-TLVs, because the info in these sub-TLVs already exists in EVPN routes (e.g., MAC addresses, Ethernet Tags, etc.), which they have implemented. Therefore, all the vendors that I am aware of use the Extended Community defined in section 4.1 along with EVPN routes to signal VxLAN and GENEVE tunnel types. Furthermore, I am not aware of anyone using NVGRE encap! So, as the first step, we should remove these three sections from the draft if there is no objection.

Cheers,
Ali
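As an added illustration of the signalling mechanism Ali refers to (this is example code, not from the thread or the draft): encoding and decoding the Encapsulation Extended Community of section 4.1, which carries only a tunnel type and so leaves the MAC/VNI details to the EVPN route itself. The tunnel type codes are taken from the IANA tunnel-type registry as the example's author knows them; the sample Route Target bytes are constructed.

```python
# Added example (not code from the thread or the draft): encode and decode the
# BGP Encapsulation Extended Community of draft-ietf-idr-tunnel-encaps
# section 4.1, which deployed EVPN implementations attach to routes to signal
# the tunnel type instead of the per-tunnel sub-TLVs of sections 3.2.1-3.2.3.
import struct

# Tunnel type codes from the IANA "BGP Tunnel Encapsulation Attribute Tunnel
# Types" registry (values as the author of this example knows them).
TUNNEL_TYPES = {
    4: "IPsec in Tunnel-mode",
    8: "VXLAN",
    9: "NVGRE",
    10: "MPLS",
    12: "VXLAN-GPE",
    19: "GENEVE",
}

# Layout: Type 0x03 (transitive opaque), Sub-Type 0x0c, four reserved octets
# (zero on transmit, ignored on receipt), then a 2-octet tunnel type.
EC_TYPE_TRANSITIVE_OPAQUE = 0x03
EC_SUBTYPE_ENCAPSULATION = 0x0C


def encode_encap_ext_community(tunnel_type: int) -> bytes:
    """Build the 8-octet Encapsulation Extended Community for a tunnel type."""
    if not 0 <= tunnel_type <= 0xFFFF:
        raise ValueError("tunnel type is a 16-bit value")
    return struct.pack("!BB4xH", EC_TYPE_TRANSITIVE_OPAQUE,
                       EC_SUBTYPE_ENCAPSULATION, tunnel_type)


def decode_encap_ext_community(ec: bytes):
    """Return (code, name) for an Encapsulation Extended Community, or None
    when the 8 octets are some other extended community (e.g. a Route Target)."""
    if len(ec) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    ec_type, ec_subtype, tunnel_type = struct.unpack("!BB4xH", ec)
    if (ec_type, ec_subtype) != (EC_TYPE_TRANSITIVE_OPAQUE,
                                 EC_SUBTYPE_ENCAPSULATION):
        return None
    return tunnel_type, TUNNEL_TYPES.get(tunnel_type, "unassigned/unknown")


def encaps_from_route(ext_communities) -> list:
    """List every encapsulation signalled on one route; an EVPN route may carry
    several (e.g. VXLAN and MPLS) and the receiver selects one it supports."""
    return [d for d in map(decode_encap_ext_community, ext_communities)
            if d is not None]
```

A receiver that sees no Encapsulation Extended Community on an EVPN route falls back to its default (MPLS), which is why a route signalling VXLAN must carry this community explicitly.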

From: Susan Hares <shares@ndzh.com>
Date: Tuesday, July 28, 2020 at 8:30 AM
To: Cisco Employee <sajassi@cisco.com>, "bess@ietf.org" <bess@ietf.org>
Cc: "'Hu, Jun (Nokia - US/Mountain View)'" <jun.hu@nokia.com>
Subject: IPSec Tunnels and draft-sajassi-bess-secure-evpn

Ali and bess WG:

IDR has 3 proposals for IPsec tunnels that impact draft-ietf-idr-tunnel-encaps-17.txt. As an IDR co-chair/shepherd, I have been discussing these three drafts (Ali's and two other author sets) to try to find out if we can have one general solution.

The discussion has been very fruitful in pointing up BGP issues of interoperability, security, privacy, manageability, and scaling. For example, there is a lack of a clear specification between RFC6514 (PMSI tunnel attribute) and the tunnel-encaps draft that specifies how these drafts interoperate. I suspect the bess and idr chairs will need to discuss if tunnel-encaps has to address this point.

I wrote up my ideas in draft-hares-idr-bgp-ipsec-analysis-00.txt so the authors could tell me what I misunderstood. You’ll find this draft stops halfway. I have the rest of the draft written, but I wanted feedback from all the author teams before sending it out.

After hearing some of the details from the authors, I would like to sponsor an IDR interim so we could discuss these issues at length. If you think this is a good idea, please let me know.

One other thing… unfortunately, I scheduled a set of meetings for EDT time after IETF meetings this week. Your next response will occur from 11-16 UTC on Wednesday.

Cheerily, Sue