IETF Logo Mail Archive

Re: [nvo3] Can Overlay nodes see any difference on how ECMP is used by the underlay in building the IPSec tunnels for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface?

Xuxiaohu <xuxiaohu@huawei.com> Thu, 16 June 2016 08:55 UTC

Return-Path: <xuxiaohu@huawei.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AC7612B042; Thu, 16 Jun 2016 01:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.647
X-Spam-Level:
X-Spam-Status: No, score=-5.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lpub5msF6jmb; Thu, 16 Jun 2016 01:55:44 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 998F512B014; Thu, 16 Jun 2016 01:55:43 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml705-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CQX21879; Thu, 16 Jun 2016 08:55:40 +0000 (GMT)
Received: from NKGEML412-HUB.china.huawei.com (10.98.56.73) by lhreml705-cah.china.huawei.com (10.201.5.168) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 16 Jun 2016 09:54:47 +0100
Received: from NKGEML515-MBX.china.huawei.com ([fe80::a54a:89d2:c471:ff]) by nkgeml412-hub.china.huawei.com ([10.98.56.73]) with mapi id 14.03.0235.001; Thu, 16 Jun 2016 16:54:36 +0800
From: Xuxiaohu <xuxiaohu@huawei.com>
To: Linda Dunbar <linda.dunbar@huawei.com>, Tom Herbert <tom@herbertland.com>, "I2NSF@ietf.org" <I2NSF@ietf.org>
Thread-Topic: Can Overlay nodes see any difference on how ECMP is used by the underlay in building the IPSec tunnels for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface?
Thread-Index: AQHRx6dF3l2HaItjV02ugKZ/+h5mbJ/rxyFg
Date: Thu, 16 Jun 2016 08:54:35 +0000
Message-ID: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0D5647D4@NKGEML515-MBX.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F657EB4B26@dfweml501-mbb> <d47517f0-b1b7-950d-ac81-04f16af591b8@labn.net> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0D5646D5@NKGEML515-MBX.china.huawei.com> <CALx6S34GyRTLfrX7oCViR9Mxyww=81RAFxT2FV9LLx=L7AQreQ@mail.gmail.com> <4A95BA014132FF49AE685FAB4B9F17F657EB5167@dfweml501-mbb>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657EB5167@dfweml501-mbb>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.99.55]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020201.5762698D.0152, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 5dd51d35443bf41b558e6d36ed42ae71
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/Y11QL4GWdzFMUhxaz6Ac8zlXD8U>
Cc: "IPsec@ietf.org" <IPsec@ietf.org>, Lou Berger <lberger@labn.net>, Liyizhou <liyizhou@huawei.com>, NVO3 <nvo3@ietf.org>
Subject: Re: [nvo3] Can Overlay nodes see any difference on how ECMP is used by the underlay in building the IPSec tunnels for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface?
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2016 08:55:49 -0000

Linda,

To maximize the bandwidth utilization within data center networks, it's much desirable to transport traffic between two NVE/PE nodes across ECMPs of the underlay. It has nothing to do with overlay nodes and overlay controllers.

Best regards,
Xiaohu

> -----Original Message-----
> From: Linda Dunbar
> Sent: Thursday, June 16, 2016 4:15 PM
> To: Tom Herbert; Xuxiaohu; I2NSF@ietf.org
> Cc: Lou Berger; Liyizhou; NVO3; IPsec@ietf.org
> Subject: Can Overlay nodes see any difference on how ECMP is used by the
> underlay in building the IPSec tunnels for a specific time span? (was : Flow
> Security Policies exchanged over I2NSF service layer interface?
> 
> Xiao Hu and Tom,
> 
> Do you think that Overlay nodes will see any difference on How ECMP is used by
> the underlay to build the IPSec tunnel between Ingress/Egress nodes for the
> overlay network nodes?
> 
> If yes, how can Overlay controller specify its specific requests to the underlay? Is
> "needing ECMP" or "Don't care ECMP" be good enough?
> 
> Thanks, Linda
> 
> -----Original Message-----
> From: Tom Herbert [mailto:tom@herbertland.com]
> Sent: Wednesday, June 15, 2016 11:28 PM
> To: Xuxiaohu
> Cc: Lou Berger; Linda Dunbar; Liyizhou; NVO3; IPsec@ietf.org
> Subject: Re: [nvo3] FW: Any use cases of Overlay network requesting IPSec
> connection from the Underlay for a specific time span? (was : Flow Security
> Policies exchanged over I2NSF service layer interface?
> 
> On Wed, Jun 15, 2016 at 8:03 PM, Xuxiaohu <xuxiaohu@huawei.com> wrote:
> > Hi Lou,
> >
> > If IPsec tunnels are used within data centers, the security need is well satisfied.
> However, the ECMP capability built on the UDP tunnels is lost at all. So, how
> about encapsulating IPsec ESP over UDP tunnels for load-balancing
> improvement purpose? Note that this ESP-over-UDP encapsulation is different
> from the ESP-over-UDP encapsulation as described in RFC3948: the former uses
> the UDP tunnel for load-balancing improvement purpose and therefore the
> source port is used as an entropy field, in contrast, the latter uses the UDP
> tunnel for NAT traversal purpose and therefore the source port is set to a
> constant value (i.e.,4500).
> >
> > By the way, I had wrote a draft about this ESP-over-UDP approach (w/o
> submission) three years ago when considering how to use UDP tunnels to
> transport MPLS and IP traffic. If there is enough interest on this ESP-over-UDP
> approach, I can update it and then submit it for further discussion.
> >
> Using the flow label for ECMP (RFC6438) solves this problem without requiring
> the additional overhead of a UDP header.
> 
> Tom
> 
> > Best regards,
> > Xiaohu
> >
> >> -----Original Message-----
> >> From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Lou Berger
> >> Sent: Wednesday, June 15, 2016 11:00 PM
> >> To: Linda Dunbar; Liyizhou; NVO3
> >> Subject: Re: [nvo3] FW: Any use cases of Overlay network requesting
> >> IPSec connection from the Underlay for a specific time span? (was :
> >> Flow Security Policies exchanged over I2NSF service layer interface?
> >>
> >>
> >> Yes -- this is a real use case.
> >>
> >> This use case (overlays interconnected over IPsec tunnels with NVE
> >> end
> >> points) motivated our work on RFC5566 and we built supported for it
> >> (as well as other tunnel technologies) in a quagga based NVO3 controller.
> >> This code is publicly available, but is not yet part of a standard quagga
> release.
> >>
> >> Lou
> >>
> >> On 6/15/2016 8:55 AM, Linda Dunbar wrote:
> >> >
> >> > NVO3 Participants,
> >> >
> >> >
> >> >
> >> > I2NSF (Interface to Network Security function) has a work item in
> >> > defining the flow security policy between domains (which includes
> >> > inquiry of the capability from one domain to another and the actual
> >> > flow policy rules from one domain to another).
> >> >
> >> > Very often, the paths (or links) among nodes of a overlay network
> >> > are provided by other network operators (a.k.a. "underlay
> >> > network").  The flow policy rules are intended to filter out
> >> > unwanted traffic from underlay network so that various attack
> >> > traffic won't saturated the access links to the overlay nodes.
> >> >
> >> >
> >> >
> >> > One interesting scenario brought up is Overlay nodes may need to
> >> > request some traffic to be traversing IPsec channel. To achieve
> >> > this goal, it is necessary for Overlay Network controller to
> >> > inquire if the needed IPsec resource are even available before send
> >> > the request (may even involve AAA process between controllers of
> >> > each corresponding domain ).
> >> >
> >> >
> >> >
> >> > Want to have a survey if people see the use case of Overlay Network
> >> > needing portion of traffic to be through IPSec channel?
> >> >
> >> > IPSec is supposed to be between two end nodes. Here we assume that
> >> > the Overlay nodes don't have the resource or capability for IPsec,
> >> > but expect IPsec between flow's ingress and egress nodes (i.e. NVE).
> >> >
> >> >
> >> >
> >> > Any opinion is appreciated.
> >> >
> >> > Thanks,
> >> >
> >> > Linda
> >> >
> >> >
> >> >
> >> > *From:*Linda Dunbar
> >> > *Sent:* Tuesday, June 14, 2016 4:03 PM
> >> > *To:* 'christian.jacquenet@orange.com'; BOUCADAIR Mohamed IMT/OLN
> >> > *Cc:* I2NSF@ietf.org
> >> > *Subject:* Any use cases of Overlay network requesting IPSec
> >> > connection from the Underlay for a specific time span? (was : Flow
> >> > Security Policies exchanged over I2NSF service layer interface?
> >> >
> >> >
> >> >
> >> > Christian,
> >> >
> >> >
> >> >
> >> > Your feedback seems to suggest that Overlay network Controller may
> >> > send request to the underlay network controller requesting IPsec
> >> > connections among overlay nodes. Do I understand you correctly?
> >> >
> >> >
> >> >
> >> > Are there any use cases of overlay network needing IPSec among
> >> > their nodes only for a specific time span? i.e. Time based IPSec connection?
> >> >
> >> >
> >> >
> >> > Linda
> >> >
> >> >
> >> >
> >> > *From:*christian.jacquenet@orange.com
> >> > <mailto:christian.jacquenet@orange.com>
> >> > [mailto:christian.jacquenet@orange.com]
> >> > *Sent:* Monday, June 13, 2016 11:23 AM
> >> > *To:* Linda Dunbar; BOUCADAIR Mohamed IMT/OLN
> >> > *Subject:* RE: Any feedback on the Protocol Independent Flow
> >> > Security Policies exchanged over I2NSF service layer interface?
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > *[snip]*
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > Very often, the paths (or links) among nodes of a overlay network
> >> > are provided by other network operators (a.k.a. "underlay
> >> > network").  Very much like traditional networks placing FW
> >> > (Firewall) or IPS (Intrusion Prevention System) on the wire to
> >> > enforce the flow security rules, I2NSF *_Protocol Independent Flow
> >> > Security Policies_* can be used by overlay networks to request
> >> > certain flow based security rules to be enforced by its underlay
> >> > networks, to prevent the unwanted attacks traffic from occupying
> >> > the physical links and ports to the overlay network nodes, and to
> >> > avoid the overlay nodes' CPU/Storage/Port utilization being
> >> > consumed down by the various attacks.  Here is one example of
> >> > "Overlay Video Communication network" exchange Flow Policies to the
> Underlay network.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > cid:image001.png@01D1B516.7F74E410
> >> >
> >> >
> >> >
> >> > */[CJ] /*The above example clearly shows the necessary interaction
> >> > between the two PDPs/controllers, to make sure that decisions made
> >> > by the network controller accommodate the needs of the video
> >> > customer as possibly expressed towards the video controller: for
> >> > example, customer demands that the confidentiality of the
> >> > videoconference needs to be preserved, thereby suggesting the use
> >> > of the IPsec protocol suite. The video controller may enforce an
> >> > IPsec design based upon the transport mode, whereas the network
> >> > controller is solicited to allocate IPsec resources (read for
> >> > example no AH, ESP in NULL mode) accordingly. This may possibly
> >> > raise conflicting configuration tasks (the video controller uses
> >> > AH, the network controller doesn't), thereby leading to
> >> > inconsistency that may jeopardize the service. Whether BGP FS is
> >> > used to carry security policy information between the two
> >> > controllers is hardly the point, imho: what matters is the
> >> > consistency of the (flow-based security policies enforced by both parties,
> and which should be derived from the customer's requirements (if any).
> >> >
> >> > The goal of I2NSF is to specify the common information model and
> >> > data model for the *_ Protocol Independent Flow Security Policies
> >> > _*which can be queried and set between domains.
> >> >
> >> > [CJ] OK.
> >> >
> >> > * *
> >> >
> >> > https://datatracker.ietf.org/doc/draft-fang-i2nsf-inter-cloud-ddos-
> >> > mit igation-api/ is just the starting point. (needs more work to
> >> > improve the clarity).
> >> > We are asking if people to express their opinion on this work to
> >> > the I2NSF@ietf.org <mailto:I2NSF@ietf.org> list.
> >> >
> >> > [CJ] I need to read this draft and will get back to you
> >> > accordingly, but this may take a couple of weeks as I'm pretty busy for the
> time being.
> >> >
> >> >
> >> >
> >> > I'll let Med further comment as appropriate.
> >> >
> >> >
> >> >
> >> > Cheers,
> >> >
> >> >
> >> >
> >> > Christian.
> >> >
> >> >
> >> >
> >> > Thanks, Linda
> >> >
> >> >
> >> >
> >> >
> >>
> _____________________________________________________________
> >> _________
> >> > ___________________________________________________
> >> >
> >> > Ce message et ses pieces jointes peuvent contenir des informations
> >> > confidentielles ou privilegiees et ne doivent donc pas etre
> >> > diffuses, exploites ou copies sans autorisation. Si vous avez recu
> >> > ce message par erreur, veuillez le signaler a l'expediteur et le
> >> > detruire ainsi que les pieces
> >> jointes. Les messages electroniques etant susceptibles d'alteration,
> >> Orange decline toute responsabilite si ce message a ete altere, deforme ou
> falsifie. Merci.
> >> >
> >> > This message and its attachments may contain confidential or
> >> > privileged information that may be protected by law; they should
> >> > not be
> >> distributed, used or copied without authorisation.
> >> > If you have received this email in error, please notify the sender
> >> > and delete this
> >> message and its attachments.
> >> > As emails may be altered, Orange is not liable for messages that
> >> > have been
> >> modified, changed or falsified.
> >> > Thank you.
> >> >
> >> >
> >> > _______________________________________________
> >> > nvo3 mailing list
> >> > nvo3@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/nvo3
> >>
> >>
> >> _______________________________________________
> >> nvo3 mailing list
> >> nvo3@ietf.org
> >> https://www.ietf.org/mailman/listinfo/nvo3
> >
> > _______________________________________________
> > nvo3 mailing list
> > nvo3@ietf.org
> > https://www.ietf.org/mailman/listinfo/nvo3

v2.23.0 | Report a Bug | By Email