Re: [nvo3] Can Overlay nodes see any difference on how ECMP is used by the underlay in building the IPSec tunnels for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface?
Xuxiaohu <xuxiaohu@huawei.com> Thu, 16 June 2016 08:55 UTC
Return-Path: <xuxiaohu@huawei.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AC7612B042; Thu, 16 Jun 2016 01:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.647
X-Spam-Level:
X-Spam-Status: No, score=-5.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lpub5msF6jmb; Thu, 16 Jun 2016 01:55:44 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 998F512B014; Thu, 16 Jun 2016 01:55:43 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml705-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CQX21879; Thu, 16 Jun 2016 08:55:40 +0000 (GMT)
Received: from NKGEML412-HUB.china.huawei.com (10.98.56.73) by lhreml705-cah.china.huawei.com (10.201.5.168) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 16 Jun 2016 09:54:47 +0100
Received: from NKGEML515-MBX.china.huawei.com ([fe80::a54a:89d2:c471:ff]) by nkgeml412-hub.china.huawei.com ([10.98.56.73]) with mapi id 14.03.0235.001; Thu, 16 Jun 2016 16:54:36 +0800
From: Xuxiaohu <xuxiaohu@huawei.com>
To: Linda Dunbar <linda.dunbar@huawei.com>, Tom Herbert <tom@herbertland.com>, "I2NSF@ietf.org" <I2NSF@ietf.org>
Thread-Topic: Can Overlay nodes see any difference on how ECMP is used by the underlay in building the IPSec tunnels for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface?
Thread-Index: AQHRx6dF3l2HaItjV02ugKZ/+h5mbJ/rxyFg
Date: Thu, 16 Jun 2016 08:54:35 +0000
Message-ID: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0D5647D4@NKGEML515-MBX.china.huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F657EB4B26@dfweml501-mbb> <d47517f0-b1b7-950d-ac81-04f16af591b8@labn.net> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0D5646D5@NKGEML515-MBX.china.huawei.com> <CALx6S34GyRTLfrX7oCViR9Mxyww=81RAFxT2FV9LLx=L7AQreQ@mail.gmail.com> <4A95BA014132FF49AE685FAB4B9F17F657EB5167@dfweml501-mbb>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657EB5167@dfweml501-mbb>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.99.55]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020201.5762698D.0152, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 5dd51d35443bf41b558e6d36ed42ae71
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/Y11QL4GWdzFMUhxaz6Ac8zlXD8U>
Cc: "IPsec@ietf.org" <IPsec@ietf.org>, Lou Berger <lberger@labn.net>, Liyizhou <liyizhou@huawei.com>, NVO3 <nvo3@ietf.org>
Subject: Re: [nvo3] Can Overlay nodes see any difference on how ECMP is used by the underlay in building the IPSec tunnels for a specific time span? (was : Flow Security Policies exchanged over I2NSF service layer interface?
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2016 08:55:49 -0000
Linda, To maximize the bandwidth utilization within data center networks, it's much desirable to transport traffic between two NVE/PE nodes across ECMPs of the underlay. It has nothing to do with overlay nodes and overlay controllers. Best regards, Xiaohu > -----Original Message----- > From: Linda Dunbar > Sent: Thursday, June 16, 2016 4:15 PM > To: Tom Herbert; Xuxiaohu; I2NSF@ietf.org > Cc: Lou Berger; Liyizhou; NVO3; IPsec@ietf.org > Subject: Can Overlay nodes see any difference on how ECMP is used by the > underlay in building the IPSec tunnels for a specific time span? (was : Flow > Security Policies exchanged over I2NSF service layer interface? > > Xiao Hu and Tom, > > Do you think that Overlay nodes will see any difference on How ECMP is used by > the underlay to build the IPSec tunnel between Ingress/Egress nodes for the > overlay network nodes? > > If yes, how can Overlay controller specify its specific requests to the underlay? Is > "needing ECMP" or "Don't care ECMP" be good enough? > > Thanks, Linda > > -----Original Message----- > From: Tom Herbert [mailto:tom@herbertland.com] > Sent: Wednesday, June 15, 2016 11:28 PM > To: Xuxiaohu > Cc: Lou Berger; Linda Dunbar; Liyizhou; NVO3; IPsec@ietf.org > Subject: Re: [nvo3] FW: Any use cases of Overlay network requesting IPSec > connection from the Underlay for a specific time span? (was : Flow Security > Policies exchanged over I2NSF service layer interface? > > On Wed, Jun 15, 2016 at 8:03 PM, Xuxiaohu <xuxiaohu@huawei.com> wrote: > > Hi Lou, > > > > If IPsec tunnels are used within data centers, the security need is well satisfied. > However, the ECMP capability built on the UDP tunnels is lost at all. So, how > about encapsulating IPsec ESP over UDP tunnels for load-balancing > improvement purpose? Note that this ESP-over-UDP encapsulation is different > from the ESP-over-UDP encapsulation as described in RFC3948: the former uses > the UDP tunnel for load-balancing improvement purpose and therefore the > source port is used as an entropy field, in contrast, the latter uses the UDP > tunnel for NAT traversal purpose and therefore the source port is set to a > constant value (i.e.,4500). > > > > By the way, I had wrote a draft about this ESP-over-UDP approach (w/o > submission) three years ago when considering how to use UDP tunnels to > transport MPLS and IP traffic. If there is enough interest on this ESP-over-UDP > approach, I can update it and then submit it for further discussion. > > > Using the flow label for ECMP (RFC6438) solves this problem without requiring > the additional overhead of a UDP header. > > Tom > > > Best regards, > > Xiaohu > > > >> -----Original Message----- > >> From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Lou Berger > >> Sent: Wednesday, June 15, 2016 11:00 PM > >> To: Linda Dunbar; Liyizhou; NVO3 > >> Subject: Re: [nvo3] FW: Any use cases of Overlay network requesting > >> IPSec connection from the Underlay for a specific time span? (was : > >> Flow Security Policies exchanged over I2NSF service layer interface? > >> > >> > >> Yes -- this is a real use case. > >> > >> This use case (overlays interconnected over IPsec tunnels with NVE > >> end > >> points) motivated our work on RFC5566 and we built supported for it > >> (as well as other tunnel technologies) in a quagga based NVO3 controller. > >> This code is publicly available, but is not yet part of a standard quagga > release. > >> > >> Lou > >> > >> On 6/15/2016 8:55 AM, Linda Dunbar wrote: > >> > > >> > NVO3 Participants, > >> > > >> > > >> > > >> > I2NSF (Interface to Network Security function) has a work item in > >> > defining the flow security policy between domains (which includes > >> > inquiry of the capability from one domain to another and the actual > >> > flow policy rules from one domain to another). > >> > > >> > Very often, the paths (or links) among nodes of a overlay network > >> > are provided by other network operators (a.k.a. "underlay > >> > network"). The flow policy rules are intended to filter out > >> > unwanted traffic from underlay network so that various attack > >> > traffic won't saturated the access links to the overlay nodes. > >> > > >> > > >> > > >> > One interesting scenario brought up is Overlay nodes may need to > >> > request some traffic to be traversing IPsec channel. To achieve > >> > this goal, it is necessary for Overlay Network controller to > >> > inquire if the needed IPsec resource are even available before send > >> > the request (may even involve AAA process between controllers of > >> > each corresponding domain ). > >> > > >> > > >> > > >> > Want to have a survey if people see the use case of Overlay Network > >> > needing portion of traffic to be through IPSec channel? > >> > > >> > IPSec is supposed to be between two end nodes. Here we assume that > >> > the Overlay nodes don't have the resource or capability for IPsec, > >> > but expect IPsec between flow's ingress and egress nodes (i.e. NVE). > >> > > >> > > >> > > >> > Any opinion is appreciated. > >> > > >> > Thanks, > >> > > >> > Linda > >> > > >> > > >> > > >> > *From:*Linda Dunbar > >> > *Sent:* Tuesday, June 14, 2016 4:03 PM > >> > *To:* 'christian.jacquenet@orange.com'; BOUCADAIR Mohamed IMT/OLN > >> > *Cc:* I2NSF@ietf.org > >> > *Subject:* Any use cases of Overlay network requesting IPSec > >> > connection from the Underlay for a specific time span? (was : Flow > >> > Security Policies exchanged over I2NSF service layer interface? > >> > > >> > > >> > > >> > Christian, > >> > > >> > > >> > > >> > Your feedback seems to suggest that Overlay network Controller may > >> > send request to the underlay network controller requesting IPsec > >> > connections among overlay nodes. Do I understand you correctly? > >> > > >> > > >> > > >> > Are there any use cases of overlay network needing IPSec among > >> > their nodes only for a specific time span? i.e. Time based IPSec connection? > >> > > >> > > >> > > >> > Linda > >> > > >> > > >> > > >> > *From:*christian.jacquenet@orange.com > >> > <mailto:christian.jacquenet@orange.com> > >> > [mailto:christian.jacquenet@orange.com] > >> > *Sent:* Monday, June 13, 2016 11:23 AM > >> > *To:* Linda Dunbar; BOUCADAIR Mohamed IMT/OLN > >> > *Subject:* RE: Any feedback on the Protocol Independent Flow > >> > Security Policies exchanged over I2NSF service layer interface? > >> > > >> > > >> > > >> > > >> > > >> > *[snip]* > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > Very often, the paths (or links) among nodes of a overlay network > >> > are provided by other network operators (a.k.a. "underlay > >> > network"). Very much like traditional networks placing FW > >> > (Firewall) or IPS (Intrusion Prevention System) on the wire to > >> > enforce the flow security rules, I2NSF *_Protocol Independent Flow > >> > Security Policies_* can be used by overlay networks to request > >> > certain flow based security rules to be enforced by its underlay > >> > networks, to prevent the unwanted attacks traffic from occupying > >> > the physical links and ports to the overlay network nodes, and to > >> > avoid the overlay nodes' CPU/Storage/Port utilization being > >> > consumed down by the various attacks. Here is one example of > >> > "Overlay Video Communication network" exchange Flow Policies to the > Underlay network. > >> > > >> > > >> > > >> > > >> > > >> > cid:image001.png@01D1B516.7F74E410 > >> > > >> > > >> > > >> > */[CJ] /*The above example clearly shows the necessary interaction > >> > between the two PDPs/controllers, to make sure that decisions made > >> > by the network controller accommodate the needs of the video > >> > customer as possibly expressed towards the video controller: for > >> > example, customer demands that the confidentiality of the > >> > videoconference needs to be preserved, thereby suggesting the use > >> > of the IPsec protocol suite. The video controller may enforce an > >> > IPsec design based upon the transport mode, whereas the network > >> > controller is solicited to allocate IPsec resources (read for > >> > example no AH, ESP in NULL mode) accordingly. This may possibly > >> > raise conflicting configuration tasks (the video controller uses > >> > AH, the network controller doesn't), thereby leading to > >> > inconsistency that may jeopardize the service. Whether BGP FS is > >> > used to carry security policy information between the two > >> > controllers is hardly the point, imho: what matters is the > >> > consistency of the (flow-based security policies enforced by both parties, > and which should be derived from the customer's requirements (if any). > >> > > >> > The goal of I2NSF is to specify the common information model and > >> > data model for the *_ Protocol Independent Flow Security Policies > >> > _*which can be queried and set between domains. > >> > > >> > [CJ] OK. > >> > > >> > * * > >> > > >> > https://datatracker.ietf.org/doc/draft-fang-i2nsf-inter-cloud-ddos- > >> > mit igation-api/ is just the starting point. (needs more work to > >> > improve the clarity). > >> > We are asking if people to express their opinion on this work to > >> > the I2NSF@ietf.org <mailto:I2NSF@ietf.org> list. > >> > > >> > [CJ] I need to read this draft and will get back to you > >> > accordingly, but this may take a couple of weeks as I'm pretty busy for the > time being. > >> > > >> > > >> > > >> > I'll let Med further comment as appropriate. > >> > > >> > > >> > > >> > Cheers, > >> > > >> > > >> > > >> > Christian. > >> > > >> > > >> > > >> > Thanks, Linda > >> > > >> > > >> > > >> > > >> > _____________________________________________________________ > >> _________ > >> > ___________________________________________________ > >> > > >> > Ce message et ses pieces jointes peuvent contenir des informations > >> > confidentielles ou privilegiees et ne doivent donc pas etre > >> > diffuses, exploites ou copies sans autorisation. Si vous avez recu > >> > ce message par erreur, veuillez le signaler a l'expediteur et le > >> > detruire ainsi que les pieces > >> jointes. Les messages electroniques etant susceptibles d'alteration, > >> Orange decline toute responsabilite si ce message a ete altere, deforme ou > falsifie. Merci. > >> > > >> > This message and its attachments may contain confidential or > >> > privileged information that may be protected by law; they should > >> > not be > >> distributed, used or copied without authorisation. > >> > If you have received this email in error, please notify the sender > >> > and delete this > >> message and its attachments. > >> > As emails may be altered, Orange is not liable for messages that > >> > have been > >> modified, changed or falsified. > >> > Thank you. > >> > > >> > > >> > _______________________________________________ > >> > nvo3 mailing list > >> > nvo3@ietf.org > >> > https://www.ietf.org/mailman/listinfo/nvo3 > >> > >> > >> _______________________________________________ > >> nvo3 mailing list > >> nvo3@ietf.org > >> https://www.ietf.org/mailman/listinfo/nvo3 > > > > _______________________________________________ > > nvo3 mailing list > > nvo3@ietf.org > > https://www.ietf.org/mailman/listinfo/nvo3
- Re: [nvo3] How does Overlay Network inform the Un… Sowmini Varadhan
- Re: [nvo3] [I2nsf] How does Overlay Network infor… Rafa Marin Lopez
- [nvo3] How does Overlay Network inform the Underl… Linda Dunbar
- Re: [nvo3] FW: Any use cases of Overlay network r… Sowmini Varadhan
- Re: [nvo3] FW: Any use cases of Overlay network r… Lucy yong
- Re: [nvo3] Can Overlay nodes see any difference o… Xuxiaohu
- Re: [nvo3] FW: Any use cases of Overlay network r… Xuxiaohu
- Re: [nvo3] : Any use cases of Overlay network req… Linda Dunbar
- [nvo3] Can Overlay nodes see any difference on ho… Linda Dunbar
- Re: [nvo3] FW: Any use cases of Overlay network r… Tom Herbert
- Re: [nvo3] FW: Any use cases of Overlay network r… Xuxiaohu
- Re: [nvo3] FW: Any use cases of Overlay network r… Lucy yong
- Re: [nvo3] FW: Any use cases of Overlay network r… Lou Berger
- [nvo3] FW: Any use cases of Overlay network reque… Linda Dunbar