Re: [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

"Mike Sullenberger (mls)" <mls@cisco.com> Thu, 14 September 2017 00:30 UTC

From: "Mike Sullenberger (mls)" <mls@cisco.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
CC: "i2nsf@ietf.org" <i2nsf@ietf.org>, IPsecME WG <ipsec@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, "Mike Sullenberger (mls)" <mls@cisco.com>
Thread-Topic: [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.
Date: Thu, 14 Sep 2017 00:30:13 +0000
Message-ID: <fb6183ce8f97468aaec4c8d1137dc8f8@XCH-ALN-017.cisco.com>
References: <4A95BA014132FF49AE685FAB4B9F17F65946FE7F@SJCEML702-CHM.china.huawei.com> <ADFCA492-301B-4184-B969-BD1E70AB9E56@gmail.com> <4A95BA014132FF49AE685FAB4B9F17F6594703D1@SJCEML702-CHM.china.huawei.com>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F6594703D1@SJCEML702-CHM.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/M9OZaLguuli3D6Fdjbdi9UTweOQ>

Linda,

If you want to securely encrypt traffic between endpoints then you are going to need to build point-to-point encrypted tunnels between these endpoints; this is the main reason that SD-WAN implementations use either a full mesh or a dynamic mesh of point-to-point tunnels. If you rely on a multi-point connection model then you end up using a group key encryption model, which is less secure (many customers will not accept using group keys).

Mike.

From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Linda Dunbar
Sent: Friday, September 08, 2017 9:07 AM
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: i2nsf@ietf.org; IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

Yoav,

Not having an interoperable solution for SD-WAN is a huge issue for enterprises. That is one of the main reasons that SD-WAN deployment has been slow since its inception in 2012.
In ONUG (Open Network User Group), where the majority of participants are enterprises, the need for interoperable SD-WAN solutions was overwhelmingly voted for. As a result, ONUG started an SD-WAN Exchange WG. However, ONUG is not a standards organization. Their main goal is to identify use cases, requirements, etc.

Well, SD-WAN has other issues. For example, an SD-WAN solution builds point-to-point overlay paths between two end-points (or branch offices) as alternative paths. However, most enterprises need multi-point interconnection among multiple locations, as done by MPLS L2/L3-VPN. Using SD-WAN overlay paths to achieve any-to-any mesh interconnection among all branches not only requires all branch CPEs to be upgraded, but also requires CPEs to manage routing among other CPEs located at other locations, which dramatically increases the complexity of the CPEs. It is almost like going back to the complexity of frame relay, where each CPE needs to maintain mesh routing for all destinations.


Linda

From: Yoav Nir [mailto:ynir.ietf@gmail.com]
Sent: Friday, September 08, 2017 12:36 AM
To: Linda Dunbar <linda.dunbar@huawei.com>
Cc: i2nsf@ietf.org; IPsecME WG <ipsec@ietf.org>
Subject: Re: your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

Hi, Linda

The reason I brought up the Gap was because they described their network in a Packet Pusher’s episode ([1]).

And the solution for them was some vendor’s SD-WAN solution. As far as I can tell, each vendor’s SD-WAN solution is proprietary and non-interoperable with other vendors’ SD-WAN solution.

That vendor (Viptela, since then merged with Cisco) uses BGP on a large scale to pass configuration information between CPE devices and data center devices, and an SD-WAN controller to manage it all.  Other vendors use other technology to learn protected domains, and as I mentioned, there was an attempt to standardize something in IPsecME a few years ago, but that failed.

The draft we were discussing has no way to transfer domain information from the CPEs to the controller or to other CPEs, so I assume that it does not fit this use case.  At least not in its current form.

Yoav

[1] http://packetpushers.net/podcast/podcasts/show-274-packet-pushers-live-viptela-three-real-world-sd-wan-deployments-sponsored/

On 7 Sep 2017, at 22:33, Linda Dunbar <linda.dunbar@huawei.com> wrote:

Yoav,

At yesterday’s I2NSF Interim meeting, you described an example of Gap having thousands of locations, most of them in a mall where a public network is available. You said that typically the VPN gateway placed in the store has no knowledge of the global network topology, nor does it know where the controller is located.

Today, many vendors’ remote CPEs support ONUG’s SD-WAN “Zero-touch deployment” requirement, where the remote CPE devices can be connected to their controller via barcode scan/email/etc.

Does it solve the problem?

Thanks,
Linda