Re: [lisp] Wireguard and LISP [Was: Virtual meeting]

"Marc Portoles Comeras (mportole)" <mportole@cisco.com> Tue, 24 March 2020 04:27 UTC

From: "Marc Portoles Comeras (mportole)" <mportole@cisco.com>
To: Dino Farinacci <farinacci@gmail.com>, Albert Cabellos <albert.cabellos@gmail.com>
CC: "lisp@ietf.org list" <lisp@ietf.org>
Date: Tue, 24 Mar 2020 04:27:35 +0000
Message-ID: <95B658E8-B629-4E44-AB99-E9E406D11FF1@cisco.com>
References: <bf751274-3d10-4675-40ff-0876b968ec58@joelhalpern.com> <CAGE_Qexud9SVudjSxYAEADbfKL9M9QfCt4_c2GhQHO8fVbhV+A@mail.gmail.com> <7B04376E-6E99-4544-BC26-ADD799BE31D4@gmail.com>
In-Reply-To: <7B04376E-6E99-4544-BC26-ADD799BE31D4@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/SJ9igi2pYvwY9jhAsB7g5bLmjZo>
Subject: Re: [lisp] Wireguard and LISP [Was: Virtual meeting]

Albert, Dino,

Following this,
>> This raises -hopefully- interesting questions, how should LISP support multiple data-planes? In this context Wireguard can be seen just as another data-plane. Additionally, Wireguard provides a secure data-plane, can we learn something from them?
> Use the LCAF Encap-Format Type, so an ETR, when it sends a Map-Reply (or the mapping system) to indicate which data-planes an ITR can use to encap traffic to the ETR.

Have you given any thought to supporting segmentation when using wireguard encapsulation in the dataplane? Could the Receiver field in the wireguard header be used for that and linked somehow to LISP IIDs?

Marc

On 3/23/20, 2:42 PM, "lisp on behalf of Dino Farinacci" <lisp-bounces@ietf.org on behalf of farinacci@gmail.com> wrote:

> Wireguard does not have a control-plane, this means that Wireguard nodes need to be manually configured before being able to exchange packets. Manual configuration typically involves provisioning public keys using out-of-band mechanisms. In this context, we have architected and prototyped a control-plane for Wireguard using LISP, this enables automatic and secure retrieval of public keys using LISP.

Sounds good Albert. I have looked at Wireguard in the past and agree it's great stuff.

Note the LISP-decent stuff allows the wireguard nodes to be their own mapping system. So you can continue to use and deploy Wireguard in a decentralized manner.

Also note, you can distribute public-keys using the draft-ietf-lisp-ecdsa-auth (and draft-farinacci-lisp-decent). Colin and I are working on distributing public-keys by the nodes that generate their own key-pairs without a need for a third-party trust anchor.

> This raises -hopefully- interesting questions, how should LISP support multiple data-planes? In this context Wireguard can be seen just as another data-plane. Additionally, Wireguard provides a secure data-plane, can we learn something from them?

Use the LCAF Encap-Format Type, so an ETR, when it sends a Map-Reply (or the mapping system) to indicate which data-planes an ITR can use to encap traffic to the ETR.

Note that if Wireguard wants to rekey the data-plane keys, it can use RLOC-probing DH key exchange documented in RFC 8061.

Let me know if you need any help or clarification.

Dino



_______________________________________________
lisp mailing list
lisp@ietf.org
https://www.ietf.org/mailman/listinfo/lisp
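As an added illustration of the question Marc raises above (not code from the thread, from Cisco, or from the LISP/Wireguard prototype Albert describes), the block below parses the fixed 16-byte header of a WireGuard transport-data message and demultiplexes its 32-bit Receiver index into a per-session LISP Instance ID. The binding of Receiver index to IID is a hypothetical design choice made only for this example; in WireGuard the Receiver index is an opaque value chosen by the receiving peer to look up its session state, so this example simply stores the IID alongside that state. The packets are constructed inline and their payload is placeholder bytes, not real ChaCha20-Poly1305 ciphertext; the example drops packets with an unknown Receiver index or a non-increasing counter so that traffic cannot be steered into an IID the sender was never bound to.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# WireGuard transport-data message layout (fixed part, little-endian):
#   type (1 byte) = 4 | reserved (3 bytes, zero) | receiver index (4 bytes)
#   | counter (8 bytes) | encrypted packet (AEAD, not modelled here)
WG_TRANSPORT_DATA = 4
HEADER_LEN = 16
LISP_IID_MAX = 2 ** 24  # the LISP header carries a 24-bit Instance ID


@dataclass
class Session:
    """Per-receiver-index state; the instance_id binding is hypothetical."""
    peer: str
    instance_id: int
    last_counter: int = -1  # highest counter accepted so far


class ReceiverIndexDemux:
    """Maps WireGuard Receiver indexes to LISP IIDs (example design only)."""

    def __init__(self) -> None:
        self.sessions: Dict[int, Session] = {}

    def bind(self, receiver_index: int, peer: str, instance_id: int) -> None:
        # Refuse IIDs that would not fit the 24-bit LISP Instance ID field.
        if not 0 <= instance_id < LISP_IID_MAX:
            raise ValueError("instance_id must fit in 24 bits")
        if not 0 <= receiver_index < 2 ** 32:
            raise ValueError("receiver index must fit in 32 bits")
        self.sessions[receiver_index] = Session(peer, instance_id)

    def classify(self, packet: bytes) -> Tuple[Optional[int], str]:
        """Return (instance_id, "ok") or (None, reason) for a dropped packet."""
        if len(packet) < HEADER_LEN:
            return None, "short"
        if packet[0] != WG_TRANSPORT_DATA:
            return None, "not-transport"
        if packet[1:4] != b"\x00\x00\x00":
            return None, "reserved-nonzero"
        receiver, counter = struct.unpack_from("<IQ", packet, 4)
        session = self.sessions.get(receiver)
        if session is None:
            # Unknown index: no session, so no IID to forward into.
            return None, "unknown-receiver"
        # Simplified replay check: strictly increasing counter. A real
        # receiver uses a sliding window and only updates it after the AEAD
        # tag has verified, so unauthenticated packets cannot move state.
        if counter <= session.last_counter:
            return None, "replay"
        session.last_counter = counter
        return session.instance_id, "ok"


def build_transport(receiver_index: int, counter: int, payload: bytes) -> bytes:
    """Construct a transport-data message; payload is a placeholder, not AEAD output."""
    return bytes([WG_TRANSPORT_DATA, 0, 0, 0]) + struct.pack("<IQ", receiver_index, counter) + payload


if __name__ == "__main__":
    demux = ReceiverIndexDemux()
    demux.bind(0x11223344, "xtr-a", 100)   # constructed binding
    demux.bind(0x55667788, "xtr-b", 200)   # constructed binding
    for pkt in (
        build_transport(0x11223344, 1, b"\x00" * 32),
        build_transport(0x55667788, 7, b"\x00" * 32),
        build_transport(0x11223344, 1, b"\x00" * 32),   # replayed counter
        build_transport(0xDEADBEEF, 1, b"\x00" * 32),   # never bound
    ):
        print(demux.classify(pkt))
```

The point of keeping the IID inside the session record is that the IID a packet lands in is decided by the receiver's own configuration, not by anything the sender writes into the header; the Receiver index only selects which session, and therefore which segment, the receiver has already agreed to.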