Re: [RTG-DIR] Rtgdir early review of draft-dmk-rtgwg-multisegment-sdwan-05
Linda Dunbar <linda.dunbar@futurewei.com> Tue, 20 February 2024 18:17 UTC
Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FA6DC180B4B; Tue, 20 Feb 2024 10:17:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CayRsY4Fuv41; Tue, 20 Feb 2024 10:17:03 -0800 (PST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on2113.outbound.protection.outlook.com [40.107.223.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA8EEC14CF01; Tue, 20 Feb 2024 10:16:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=k7w4wLyrqiQEr4EgzQQANMGeXw+cVKert785E4YIHFtn+xSK2H3go+dS0g9T40XB7ScNTFHaGiEMlVGDsIgQrfo5vCIUjLX9B6BIfRA/6Unb4YS5uKHrW1O+sUoIBW6FHUUYm2PSax/VHnGdOBUhQNgrKRrO3bM9fbBYq09V4h3urN7m3YCoBQeQP8I5f7pouDmO+ItJj8NdvL4KWn1aoux7l0kR1TOWuc+JC0YwjZqmowAzInVw+dSNwYH3sGTEw7+Wp40gnzqrW3VsVi6ARY0avn4EnRTgUBBRGViGoeoyMt8U0v1cIFOb8klQuSBrQfy+dImMJGfXBslO5vcHOg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=IvjCk7lFiQQeX4yO3VCSXCP/F3xn9AG7kG8xfQovp/M=; b=bEsxMuXIY6zYxXYMKqaa1WviCh77hRMJBaIZCbbBr3Gm3jL56oMN4UKwUF//AUdEKvNDYpOuKlPy824pPXVysMy5TODlYQh7rYAgFpbCEIgzpaCcxHn11j67kjJFVLevx3P+T3/AZAjqTcclV4o2+UxUcvDkfYZdznT1Zz/1jnkQtysoEVPsuMJhvm1uQ5dOFL4zABkil1fvjAzCAbl+0YzHjuH21P2ev9m7cav+N30kkbIZB/agD8g+l6F1xDpPVC222ilE/n3Yh5ee8eDyyLNlAZVlxJQBliqzpL3NnF/9/C18k0NI7GBIti42AQGRYimfwv0+o5LJwb/NaIWJxw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IvjCk7lFiQQeX4yO3VCSXCP/F3xn9AG7kG8xfQovp/M=; b=BXrWMplvMjc/oWuXP3sH/sOs2dCrOvaAOS7YI47XjuXJqBdjUVh+ty24C07xXWua+8p2RJCXTJoDZlOlkWXHoQXqNDd1I6gcQSs0cueZcz3bSY1lsTmjeTzNE4fexd/J2BI4GqdlySAqMMEPgLeiyXt95zUdb1BRxPsF3TFn0eA=
Received: from CO1PR13MB4920.namprd13.prod.outlook.com (2603:10b6:303:f7::17) by SA1PR13MB5040.namprd13.prod.outlook.com (2603:10b6:806:1a1::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7316.21; Tue, 20 Feb 2024 18:16:53 +0000
Received: from CO1PR13MB4920.namprd13.prod.outlook.com ([fe80::e6e5:1a02:6552:c0c1]) by CO1PR13MB4920.namprd13.prod.outlook.com ([fe80::e6e5:1a02:6552:c0c1%6]) with mapi id 15.20.7292.036; Tue, 20 Feb 2024 18:16:53 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: "adrian@olddog.co.uk" <adrian@olddog.co.uk>, 'Yingzhen Qu' <yingzhen.ietf@gmail.com>
CC: "rtg-dir@ietf.org" <rtg-dir@ietf.org>, "draft-dmk-rtgwg-multisegment-sdwan.all@ietf.org" <draft-dmk-rtgwg-multisegment-sdwan.all@ietf.org>, "rtgwg@ietf.org" <rtgwg@ietf.org>
Thread-Topic: [RTG-DIR] Rtgdir early review of draft-dmk-rtgwg-multisegment-sdwan-05
Thread-Index: AQHaXGmFyoaOp6gxrk6X58NdBz9y97EFxAqAgAdpjYCAARyeAIADvDiAgAEDEQCAAHg7cA==
Date: Tue, 20 Feb 2024 18:16:53 +0000
Message-ID: <CO1PR13MB492029ED9D1456F3B64EDE9585502@CO1PR13MB4920.namprd13.prod.outlook.com>
References: <170760111852.36779.1112884739220480182@ietfa.amsl.com> <CABY-gOPQYAPLAuQHwdjnQvN2hOoM_c+JaKKZ-+2BuQwz04f3pw@mail.gmail.com> <CO1PR13MB4920A3C89A7D9BE6D0113B4F854C2@CO1PR13MB4920.namprd13.prod.outlook.com> <0ce901da6181$857984e0$906c8ea0$@olddog.co.uk> <CO1PR13MB4920A3B157ED76C61FAF26A485502@CO1PR13MB4920.namprd13.prod.outlook.com> <104e01da63e1$29ff9ca0$7dfed5e0$@olddog.co.uk>
In-Reply-To: <104e01da63e1$29ff9ca0$7dfed5e0$@olddog.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=futurewei.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR13MB4920:EE_|SA1PR13MB5040:EE_
x-ms-office365-filtering-correlation-id: 1842af86-1174-48d6-db28-08dc32401da1
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 6FJGWtLTMpHEumgaRCTWXeY5tqIMD5RB3eDWHAoVs4vDCnZPt8gg3NVUB40aKwnMv2OnjzNcrcqAB9q5PjUmcyX/+MVoMa44X/UIkN3K5Jfe5X+mN5KQDIIEqFIMTEtMopze0vtkiSyjbSRgs6A7X1+6I6lGdkqJ4m0vrW8dBkcO28Rq7289uUkbmIYEnGBi4wnZ8YdyWIX9JM1kg1HWOkPa0tF/3AWOgvG4zQbz1qv8k76B855MKFhmwfpyPoVtWLBG5Dgy2UBPW7nk+k6driyQsSutio5ZPhnXRvuyZTp/PdAMr2Tx+oWaVESTyLk4Ikt6b+DAUfl7PLkKYm1QN/wyLJOVSt9FxZnzfz3ds82B7+AuSJsuWqf+oDLwyul37WfXtgh/av1UVMoIn7A/Whv526uKHgO5y36NNxn3YH+FXGxy+cGGkrVhxdJEEomiWhskCcKgdI9ai/YVadjF+4yv3O6PulOETtj8Nt2NxrHAyaeHBNey3AFT+Ic+yYzIW9T37kebnhLKrFgOPTNxYTGX9BJoA3yA4XiWd/RWJKpLlUZMFW5FskE11/nSkVUcqAKk6wKtX/6koZly5N3SG9jAJ2Jd2aDAl3wYZn32EmE=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR13MB4920.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(38070700009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: JFjfbW1AQKP9g3BG7zSi8TTEnQ1+bHs4Z1Opp/NuoK5Lc7K9GMLO2LyNHUU8hMSJwwcSo8L6xH+B86+PMON7UNpKh5X1d2wU3LynvzdtZNt/ZfPsrT6/WMEvRLf9Ppp4ieBLNnbLfVEgjV88MzLxTs0BmicS+T+qnLkZu+5xZlQ0B1pHaQTzur76EWJBksewSn76tDZ5aGO3xOP9qYHzDVzQoI43zt1mlr9oT9KfsRdJEFoZ6YdzM6nPsNx/Rcye5FW3sVq1tJL7AxavA9TPHC9kCs1lEvm/jsRoWLaNokkFNSYgezTqSyu9CQqPeQm9bu9IkmHNdnPV1vOM8D3DdGmstMDLNnGgTkalhpRyOHYx/HYNMSCRbUajLp20xnrok/b1Bh3ZO7lxaK38EnlcQdsYB99CZHv3vvanZFiWmE6AxYW/22rZ7Hj2IzOiCd5fMszNFnYGb1oFT+62oJIBCx7APHn2hkXIHSKrMmwXgeCUIJFFkvluw8swO+BXP/1AGHVtrX8ZnlO5XEuSBsRFLikmbqbvTqvt8Ywi6vFq8czqcAUqeK4Ell+aEdWftWF6N3hx1nDbTH+wXIn1XkcNvjIjloeEETLENbc25heJHAmcYdUPZ95Ky0FV3eMGrkmrRgs7c70DWIbxZEPNbAxwiKlydcywvRQrUHt0or+N3hVciaUX8PTMLwyB7xjvb2RT0Wfl0jTQ0tKFU5EwQTmm2jyfuXwZ4ISZGBBGOYK8jWiYuy0R/ae0fux1ROmsSk26AccPa3lYYijzsUYSilgvf0hYSiJXmJEx9BIR/qrW9cRBG0jZ/87CmCYzkVVxeluVqWd7/vVXek1W0618nYw1XFzHQMQSrxs1G8/u6Y49N0vql/VX77yVNDrlf9nLiPCjtUylQymOqXvpF0dmgBeCI5G34oNVmz/CT0fqyfdABNKBZZuEO54ZudGO3WzhCOOqm6Z3bZFfNms5LlJPXQIRqP8Nb2PP/+lAKlvWsoVR2pannBH6ogIlIICkWfdRSxw8YFTxtM2DyUK3qCOYAiEYk/QTQI9piLVxOutMC8g5+0MUqJNodQcGJk8ykNxU2Eq4hUH1G7AEnDAvej72vdQd2K0PTv+N/oFoPdDUNFCjD/phk9PCE1odYTlBilUfBGjSs7QfCRTYZuzSfGqX97cld7249OAtX0SkN0vRKxqVjf/t89Xkdlcywji/qWoDMSI6RRX9CHmOV3c2bW/u9qZlA8xsDqfbU9R7ig9yGrczLlIkFHITDyu7zFhfPRqO9QsyBGRXe7MFeVEFqTTdfNMdt6tvUP76Eqhv2izntN+gBREAZOpxcyKJyKdNwj60RV9IXdoFsU1YiffOTpvMFfd2MRkPhss5Lrou5BHOH0A2FehO2Ed03EQ83A0kEkLtHZx75vRzv2l7rJn71pPLttNw3ZXU4seS2VvayZZCe7nxwskQC201ncgKEqwMr57w3fmPuoLDQAEKM54Bth39ejXx5yrjmZo2t6/3xIiJ5DDJGel/qDWh2EW9QbteAcmLIuaLUt6IyHjqLnfnG+Zl3OuU9tk1JKHxROY0Ee2LxT/c9GN5swOomCi17+7VEG/7PO7q
Content-Type: multipart/alternative; boundary="_000_CO1PR13MB492029ED9D1456F3B64EDE9585502CO1PR13MB4920namp_"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR13MB4920.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1842af86-1174-48d6-db28-08dc32401da1
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Feb 2024 18:16:53.6155 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: OoexRaz8tc+AJUX9OOwTUZ3nmhza8/UGnw4OGMHQkZUIpol8sRMWXvTXvDeqQta9tCeR6Wzwn4z8ZO65pRE7Pw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR13MB5040
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/7dD8NTW2XvLz8Q_xaQVVF67oc6o>
Subject: Re: [RTG-DIR] Rtgdir early review of draft-dmk-rtgwg-multisegment-sdwan-05
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2024 18:17:08 -0000
Adrian, Thank you again. See my resolutions to your comments under [Linda2] in purple. Linda From: Adrian Farrel <adrian@olddog.co.uk> Sent: Tuesday, February 20, 2024 3:43 AM To: Linda Dunbar <linda.dunbar@futurewei.com>; 'Yingzhen Qu' <yingzhen.ietf@gmail.com> Cc: rtg-dir@ietf.org; draft-dmk-rtgwg-multisegment-sdwan.all@ietf.org; rtgwg@ietf.org Subject: RE: [RTG-DIR] Rtgdir early review of draft-dmk-rtgwg-multisegment-sdwan-05 Thanks, Linda. I am now looking at the -06 version you posted. I am doing some heavy snipping in this thread. Look for [AF2] Adrian [Linda] How about the following rearrangement of the Intro section? Enterprises connecting to Cloud DC may find significant benefits in leveraging the Cloud Backbone for transporting traffic between their CPEs, such as 1. Enterprises can benefit from the robust and high-performance infrastructure cloud service providers provide by leveraging diverse paths and harnessing cloud backbones' scalability and global reach to reduce the risk of downtime or disruptions. 2. The scalability of the Cloud Backbone allows for efficient handling of increased data traffic, accommodating the growing demands of modern enterprises. 3. Cloud Backbone's centralized management and orchestration capabilities contribute to simplified network administration, enabling organizations to streamline their operations and respond more effectively to changing business requirements. To ensure security, enterprise traffic between their CPEs requires encryption. By steering the encrypted traffic through the Cloud Backbone without the need for decryption and re-encryption at Cloud GWs, processing demands at these GWs can be significantly reduced. This streamlined approach not only maintains the integrity of the encrypted traffic but also optimizes processing resources, enhancing overall efficiency within the cloud infrastructure. This document describes a method for SD-WAN CPEs using GENEVE Encapsulation [RFC8926] to encapsulate the IPsec encrypted packets and send them to their closest Cloud GWs, who can steer the IPsec encrypted payload through the Cloud Backbone without decryption to optimal egress Cloud GWs which then forward the original IPsec encrypted payload to the destination CPEs. This method is for Cloud Backbone to connect multiple segments of SD-WAN without the Cloud GWs decrypting and re-encrypting the payloads. [AF] This is much better. What is missing (perhaps obvious to you) is why a GW would otherwise need to decrypt and re-encrypt. I think you probably need: * Each GW must look at the {which?} fields in the packet to determine the next hop (i.e., GW) to which to forward the packet [Linda] added a sentence saying that GW looks at the sub-TLV carried in the GENEVE header (which is specified Section 4 of the document) [AF2] Ha! Sorry, I wasn't clear. Yes, with Geneve encapsulation in use, the necessary information to steer the packet is visible in the GENEVE header and all is good. But what I was trying to get at is why you need to encapsulate in GENEVE. So, if you go to the solution before this draft was written, there is a packet trying to get end-to-end through some GWs. That packet is encrypted using IPsec, but when it gets to the GW, the GW has to decrypt the packet to access some information needed in order to steer the packet. I was asking, "When GENEVE is not in use, which fields of the IPsec-encrypted packet does the GW need to access that requires the GW to decrypt the packet?" Now, your revised text is clearer in some respects, but the goal-posts seem to have moved.... [Linda] Change to the following: As some packets from an enterprise CPE are destined to services within the Cloud DC, therefore requiring the Cloud DC to decrypt and forward to their respective destinations, and some are steered across the Cloud Backbone to the destination CPEs, the Cloud ingress GW must be able to determine which packets to decrypt and which one to steer across without decryption. This document describes a method for SD-WAN CPEs using GENEVE Encapsulation [RFC8926] to encapsulate the IPsec encrypted packets and send them to their closest Cloud GWs, who can detect if the packet needs to be steered across its backbone without decryption by looking into the Sub-TLVs inside the GENEVE header, which are specified in Section 4. Once it is determined that the packet is for steering across the backbone, the IPsec encrypted payload is steered through the Cloud Backbone without decryption to an optimal egress Cloud GWs, which forward the original IPsec encrypted payload to the destination CPEs. This method is for Cloud Backbone to connect multiple segments of SD-WAN without the Cloud GWs decrypting and re-encrypting the payloads. GENEVE is selected in this document as the encapsulation protocol because it is already widely in use in Cloud DC sites. [AF2] The first few sentences in this paragraph talk about the GW needing to determine which packets to decrypt before forwarding, and which to forward without decryption. I guess that is fine, although I don't see why this cannot be achieved using the normal IPsec SAs. That is, you are saying what can be achieved using the GENEVE encapsulation, but you are not saying why the GENEVE encapsulation is needed. [AF2] But at the end of the paragraph you have come back to "without the Cloud GWs decrypting and re-encrypting the payloads" without indicating why that would have been necessary (which was the intent of my original question). [Linda2] Let me try again. How about the following write-up? "To ensure security, enterprise traffic between their CPEs is encrypted and remains inaccessible to any third parties, including the Cloud DC. For the encrypted packets to be steered through the Cloud Backbone, the packet header must contain information indicating the packet's intended route. Given that the IPsec SA between CPEs is exclusively maintained between the CPEs and is not accessible to Cloud GWs, the encrypted packet needs to be carried by a tunnel between the source CPE and the ingress Cloud GW. This tunnel can be another layer of IPsec, which adds processing overhead to the Cloud GW to decrypt the outer IPsec tunnel solely for steering the encrypted payload. By steering the encrypted traffic through the Cloud Backbone without the need for decryption and re-encryption at Cloud GWs, processing demands at these GWs can be significantly reduced. This streamlined approach not only maintains the integrity of the encrypted traffic but also optimizes processing resources, enhancing overall efficiency within the cloud infrastructure. This document introduces a method for SD-WAN CPEs that utilizes GENEVE Encapsulation [RFC8926] to encapsulate IPsec encrypted packets, directing them to the nearest Cloud GWs. These gateways can determine whether the packet needs to traverse the backbone without decryption by inspecting Sub-TLVs within the GENEVE header, as specified in Section 4. Once determined that the packet is intended for backbone traversal, the IPsec encrypted payload is steered through the Cloud Backbone without decryption to optimal egress Cloud GWs. These gateways then forward the original IPsec encrypted payload to the destination CPEs. This method facilitates the Cloud Backbone's connecting multiple SD-WAN segments without Cloud GWs decrypting and re-encrypting payloads. GENEVE is selected in this document as the encapsulation protocol due to its widespread usage in Cloud DC sites." 4.1 has The Protocol Type (16 bits) = 50 (ESP) [RFC4303] indicates that IPsec ESP encapsulated data are appended at the end of the GENEVE header. My understanding of RFC 8926 is that you put an Ethertype in the Protocol Type field. Protocol Type (16 bits): The type of protocol data unit appearing after the Geneve header. This follows the Ethertype [ETYPES] convention, with Ethernet itself being represented by the value 0x6558. The value 50 (x32) would thus be interpreted as an IEEE802.3 Length Field. I *think* what you are meant to do is put the ESP after an IP header (per RFC 4303) and then use the appropriate Ethertype in the GENEVE header. This probably also makes life a lot easier because the encapsulating IP header tells the gateway a lot about the intended destination of the packet (for example, you wouldn't need the SD-WAN Tunnel Endpoint Sub-TLV and the SD-WAN Tunnel Originator Sub-TLV). [Linda] Per your suggestion, we removed the Section 3.1, simply stating that Geneve header is specified in Section 3 of [RFC8926]. The draft needs to apply a new GENEVE Option Class (multi-seg-SD-WAN Option Class) at IANA (https://www.iana.org/assignments/nvo3/nvo3.xhtml ). [AF2] Right, so you have fixed 4.1. Good. The encap is now Eth-IP-UDP-Geneve-IP-ESP-payload [AF2] Which takes us back to asking what the Geneve encapsulation an the sub-TLVs buy us as the original IP header is now visible. Perhaps the question is whether the IPsec SA is CPE-CPE or end-to-end. I don't think that has been made clear. If the SA is between CPEs, the SD-WAN end-point sub-TLV seems to only reproduce what is in the encapsulated IP header dst field, and the SD-WAN tunnel originator Sub-TLV seems to reproduce the encapsulated IP header src field. So, perhaps you are trying to build an overlay which: * Has very little to do with whether or not the payload is encrypted * Is all about indicating the entry, exit, and transit GWs in the overlay network [AF2] Overlays and tunnels are great (q.v.) and I am just trying to understand what it is you are trying to do with this work. [Linda2] with the above changed write-up, is it more clear? 2. SD-WAN An overlay connectivity service that optimizes transport of IP Packets over one or more Underlay Connectivity Services by recognizing applications (Application Flows) and determining forwarding behavior by applying Policies to them. [MEF-70.1] To be clear, and notwithstanding anything in MEF70.1, it is not possible (or desirable) to identify end applications. What is possible, using the fields highlighted in MEF70.1, is to select traffic flows and apply steering policies to them to direct them towards interfaces or tunnel endpoints so that they are carried across the underlay. [Linda] Joel Halpern asked me to provider reference for SD-WAN. I sent him several options. He thinks referencing MEF is better than using any vendor's definition. [AF] I am not objecting to using MEF70.1 as a reference to explain the term "SD-WAN". I am objecting to the suggestion that points within the network should be able to identify user's applications. The language here is yours (it's in your draft!) so you can change it to talk about traffic flows, and not mention applications at all. [Linda] got it. Did a global change to remove all mention of "applications". [AF2] Except in -06 you still have... SD-WAN An overlay connectivity service that optimizes transport of IP Packets over one or more Underlay Connectivity Services by recognizing applications (Application Flows) and determining forwarding behavior by applying Policies to them. [MEF-70.1] [Linda2] will change in -07 3.1 points to the use of cloud security functions and SaaS features. If, however, end-to-end encryption is in use through IPsec, and that is carried in GENEVE so that the gateways do not need to decrypt and re- encrypt, the availability of those security functions will be limited (because they cannot see into the payload packet). Doesn't that mean that these pieces of this use case are lost? [Linda] There are monitoring functions provided by Cloud DC than can check IPsec encrypted traffic. [AF] OK. Would you like to add references for those? [Linda] different cloud operators provide different ones. mentioning one vendor's function is not appropriate for IETF drafts. Here are the current available monitoring tools by AWS: https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-overview-vpn.html#monitoring-automated-manual [AF2] I am not too interested in proprietary solutions (although I note that the referenced page makes no mention of IPsec or encryption). May I suggest: OLD - Cloud-based tools and SaaS (Software as a Service) can be easily utilized to collect and analyze the threat to the traffic. NEW - Proprietary cloud-based tools and SaaS (Software as a Service) may be available in specific deployments to collect and analyze the threat to the traffic. END [Linda2] Thanks for the suggestion, changed in -7 You need much more clarity on your choice to not set the C bit in the option types. You should state that this is a deliberate choice and describe how the packets will be processed if the option type is not recognised. Won't you need a registry for these option types? [Linda] Are you talking about the multi-seg-SD-WAN Option Class specified in Section 4.2? (https://www.iana.org/assignments/nvo3/nvo3.xhtml ). [AF] There are two things going on... 1. You are requesting an assignment from the Option Class registry (TBD). No problem. 2. You are defining three Type values. Here there are two issues: * According to 3.5 of 8926, the Type field of an Option Class is 8 bits with the high order bit being named the C-bit. The C-bit has specific meaning. Your three values do not choose to set that bit. You should explain why. * You may want to consider having a registry for these Type values so that new SD-WAN Option class types can be defined in future. [Linda] add the following: C-bit needs to be set, so that receiving node can drop the packet if it does not recognize the option [RFC8926]. [AF2] OK. This has not shown up in -06, so presumably still in your edit buffer. I don't know whether you are supposed to write "Type 1 with the C-bit set" or "Type 129" [AF2] Note that 8926 calls it the 'C' bit and the high-order bit. [AF2] You haven't answered the point about the new registry [Linda2] Yes, need IANA registry. Reflected in -7 --- 4.6 and 4.7 Obviously, you are going to have to specify these TLVs in a future version. For the include case, you are going to have to say whether this is an ordered list, whether the inclusion is mandatory, and whether the list is strict or loose. You may also have to worry about the option length in the GENEVE header especially in the case of IPv6. [Linda] Yes. Will add. Just at this moment, Azure is not sure what information they are willing to provide . [AF] Apologies, I thought this was an IETF spec. If this document is describing a proprietary protocol, then the document needs a lot of work! [Linda] I meant to say that they may not want internal IP address exposed. Node ID or Region ID are all okay. Add the TLV 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Include-Transit| length |Transit_Type |I|Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Transit node ID | ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 8 Include-Transit Sub-TLV Multiple Include-Transit Sub-TLVs can be included in one GENEVE header to represent multiple nodes or regions to be included when the packet is steered through the Cloud Backbone. Transit_type: TBD1: when Transit node ID is represented as a numeric number, such as a Cloud Availability Region or Zone numeric identifier. TBD2: when Transit node ID is represented as string, such as a Cloud Availability Region or Zone name. TBD3: when Transit node ID is represented as an IP address. I-bit: When set to 0: it indicates it needs best effort to steer through the transit node ID. When set to 1, it indicates that the Transit Node ID must be included through the Cloud Backbone. If the Transit Node ID cannot be traversed, an alert or alarm must be generated to the enterprise via an out-of-band channel. It is out of the scope of this document to specify those alerts or alarms. [AF2] That is making progress. Thanks. I think you are still missing: * Is this an ordered list or just a set? [Linda2] No * How is the string encoded? [Linda2] strictly between the enterprise <-> Cloud Provider. * Will you have a new registry for these Transit_type values? [Linda2] Yes. [AF2] Not sure that this discussion is needed prior to adoption, but you will need to have it before you reach RFC. I'm curious why your new Multi Segment SD-WAN Sub-TLVs registry has 0 and 255 as reserved. [Linda] To be on the safe side. I see many registries has 0 and 255 reserved. Is it okay? [AF] I am all in favour of safety. However, "I saw someone else did it, so I did it," is as much reckless as safe! Have a reason for the things you do. [Linda] In my option, it is a good practice to avoid 0 and FFFF in case some future operation needs to do some math function on the value. . [AF2] ROFL
- [RTG-DIR] Rtgdir early review of draft-dmk-rtgwg-… Adrian Farrel via Datatracker
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Yingzhen Qu
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Linda Dunbar
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Adrian Farrel
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Linda Dunbar
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Adrian Farrel
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Linda Dunbar
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Adrian Farrel
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Linda Dunbar