IETF Logo Mail Archive

Re: [RTG-DIR] Rtgdir early review of draft-dmk-rtgwg-multisegment-sdwan-05

Adrian Farrel <adrian@olddog.co.uk> Tue, 20 February 2024 09:43 UTC

Return-Path: <adrian@olddog.co.uk>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE1E3C14F682; Tue, 20 Feb 2024 01:43:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=olddog.co.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6RMZBceekK3J; Tue, 20 Feb 2024 01:42:57 -0800 (PST)
Received: from mta5.iomartmail.com (mta5.iomartmail.com [62.128.193.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0B4BC14F694; Tue, 20 Feb 2024 01:42:54 -0800 (PST)
Received: from vs2.iomartmail.com (vs2.iomartmail.com [10.12.10.123]) by mta5.iomartmail.com (8.14.7/8.14.7) with ESMTP id 41K9gnii004290; Tue, 20 Feb 2024 09:42:49 GMT
Received: from vs2.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D66D346050; Tue, 20 Feb 2024 09:42:48 +0000 (GMT)
Received: from vs2.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B659E4604C; Tue, 20 Feb 2024 09:42:48 +0000 (GMT)
Received: from asmtp3.iomartmail.com (unknown [10.12.10.224]) by vs2.iomartmail.com (Postfix) with ESMTPS; Tue, 20 Feb 2024 09:42:48 +0000 (GMT)
Received: from LAPTOPK7AS653V ([85.255.233.52]) (authenticated bits=0) by asmtp3.iomartmail.com (8.14.7/8.14.7) with ESMTP id 41K9gkdK001673 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 20 Feb 2024 09:42:47 GMT
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Linda Dunbar' <linda.dunbar@futurewei.com>, 'Yingzhen Qu' <yingzhen.ietf@gmail.com>
Cc: rtg-dir@ietf.org, draft-dmk-rtgwg-multisegment-sdwan.all@ietf.org, rtgwg@ietf.org
References: <170760111852.36779.1112884739220480182@ietfa.amsl.com> <CABY-gOPQYAPLAuQHwdjnQvN2hOoM_c+JaKKZ-+2BuQwz04f3pw@mail.gmail.com> <CO1PR13MB4920A3C89A7D9BE6D0113B4F854C2@CO1PR13MB4920.namprd13.prod.outlook.com> <0ce901da6181$857984e0$906c8ea0$@olddog.co.uk> <CO1PR13MB4920A3B157ED76C61FAF26A485502@CO1PR13MB4920.namprd13.prod.outlook.com>
In-Reply-To: <CO1PR13MB4920A3B157ED76C61FAF26A485502@CO1PR13MB4920.namprd13.prod.outlook.com>
Date: Tue, 20 Feb 2024 09:42:46 -0000
Organization: Old Dog Consulting
Message-ID: <104e01da63e1$29ff9ca0$7dfed5e0$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_104F_01DA63E1.2A017160"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIhZXvPWYwe54ij0Q2rsvqDmiHRcgF4q1sRAZybi/wBnRE0sQGW5Y/isFKegwA=
Content-Language: en-gb
X-Originating-IP: 85.255.233.52
X-Thinkmail-Auth: adrian@olddog.co.uk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=olddog.co.uk; h=reply-to :from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type; s=20221128; bh=YRHcEwd+XcL5eVUfGCP9o VHeOYCc8Hf5lIzLjEH9RgA=; b=irBcBdHceupsVwzA1n+8k9J3vpwr/60X4U02G LB2tUVCRxu7wJ0olMdUL6qsvos+fVYeqGFA3qzI+QBNO3l1F75oS1Y4RbGyS72+f dBC/DJPirozq8fSBGFrBuzhlKWFnwy4t0eNzz0lo65AzbuCsUK0d0Go3/QxymyUf dYjaqOZocivhh33ecUOM/IefbY2J+6hJBGQAVHE1dI4q8gY3JCQsPKVHz9MFHFgI cKRAItN5TmYBK3RlR3UmuQM5b/AE9mRyr4rnAnDsjJu2wdQtWZZEMSefD7MKrWlD 22pte1zjAS/0zH95LToEkc7FLAY70D+22qaKqOopqkhjtLJ/g==
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.1.0.2090-9.0.0.1002-28202.006
X-TM-AS-Result: No--28.802-10.0-31-10
X-imss-scan-details: No--28.802-10.0-31-10
X-TMASE-Version: IMSVA-9.1.0.2090-9.0.1002-28202.006
X-TMASE-Result: 10--28.801900-10.000000
X-TMASE-MatchedRID: CxmI61mtwh/xIbpQ8BhdbI61Z+HJnvsOfkuZtv/FS5qcVtYw/GEBekB3 2ynv+GCSgDuCzW19Qw4Zybjw2sGulaNOXIxVDeaEL1mr25LaEY0lTuLXDXIWuJhvYdEwB1uLUxt 3itp9ysEQPI70rt+1S7fnbtrAw2oEiq265D4ITu+iU2dDS053x5CgGv5IWd4klA5gGtckIoDv2W tMAB/7S7qD2KnJ/Aqqy6MmQW2bOnNlO2T+SrImcoqCtN91iZApaDeXgWjzGeAJvvL2zxdK5DlCR r8Hb3qisDH6uV2uL+IQhD7/IjyHokB40z3xsh6Mhv1+2J3yQFx2ZYwNBqM6IkS0FpbI+14TXZkv SnzH02WVKUjeLHA1E4OXBVcEEoQJmcUNCy5hvn8EAUk+qoQrN9hQO8CvZj/X592Swrd60Uk4W7m lECl6bFXfVZa2dw5bOGyXdhuZG8nARO5okpNcRovefyp1glN01+Cp0Qg3BZ6ynk7TnYzMuv+I45 Q8H+H+p3nmW8jBg82u2B5y04kPg4NMBKUORLLARU4X3Mu13IwxXH/dlhvLv1gLks93sG9tJEz2l L+z80h0H1pFncPIhHdNoXv6UJm+TPmZYEXmxpGcnm0v4tsY4wTHaede/M0jcJquQxzIpMCsw16a nkSpXfu0JjibnX7jvT4chvRZJyDWjsIurDSdN+sLOhZcNxRipaCvbZ7/6tK15eNIExieaccpntx rC2Z2xO4FvTZs+ZwbZLZQawUR5uI3MWDezVIlBe3KRVyu+k3AHwIGoBwm5VGJGXffuLdve/cQkm t0G7G8Avv1k158POYgzQx99m4iM8zoXyk3UmxANB89sV0bJyH5xd1Wn9PCmyiLZetSf8mVHVxP1 hp9BUpZ1N/CwmPLh9eWnlL1x8CQZS2ujCtcuA==
X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/Kq3BAHu5d9MZkyc7lbtoirr5irg>
Subject: Re: [RTG-DIR] Rtgdir early review of draft-dmk-rtgwg-multisegment-sdwan-05
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2024 09:43:01 -0000

Thanks, Linda.

 

I am now looking at the -06 version you posted.

 

I am doing some heavy snipping in this thread. Look for [AF2]

 

Adrian

 

[Linda] How about the following rearrangement of the Intro section? 

Enterprises connecting to Cloud DC may find significant benefits in leveraging the Cloud Backbone for transporting traffic between their CPEs, such as 

1.	Enterprises can benefit from the robust and high-performance infrastructure cloud service providers provide by leveraging diverse paths and harnessing cloud backbones' scalability and global reach to reduce the risk of downtime or disruptions. 
2.	The scalability of the Cloud Backbone allows for efficient handling of increased data traffic, accommodating the growing demands of modern enterprises.
3.	Cloud Backbone's centralized management and orchestration capabilities contribute to simplified network administration, enabling organizations to streamline their operations and respond more effectively to changing business requirements.


To ensure security, enterprise traffic between their CPEs requires encryption. By steering the encrypted traffic through the Cloud Backbone without the need for decryption and re-encryption at Cloud GWs, processing demands at these GWs can be significantly reduced. This streamlined approach not only maintains the integrity of the encrypted traffic but also optimizes processing resources, enhancing overall efficiency within the cloud infrastructure. 

This document describes a method for SD-WAN CPEs using GENEVE Encapsulation [RFC8926] to encapsulate the IPsec encrypted packets and send them to their closest Cloud GWs, who can steer the IPsec encrypted payload through the Cloud Backbone without decryption to optimal egress Cloud GWs which then forward the original IPsec encrypted payload to the destination CPEs. This method is for Cloud Backbone to connect multiple segments of SD-WAN without the Cloud GWs decrypting and re-encrypting the payloads.

[AF] This is much better. What is missing (perhaps obvious to you) is why a GW would otherwise need to decrypt and re-encrypt. I think you probably need:

*	Each GW must look at the {which?} fields in the packet to determine the next hop (i.e., GW) to which to forward the packet

[Linda] added a sentence saying that GW looks at the sub-TLV carried in the GENEVE header (which is specified Section 4 of the document)

[AF2] Ha! Sorry, I wasn’t clear. Yes, with Geneve encapsulation in use, the necessary information to steer the packet is visible in the GENEVE header and all is good. But what I was trying to get at is why you need to encapsulate in GENEVE. So, if you go to the solution before this draft was written, there is a packet trying to get end-to-end through some GWs. That packet is encrypted using IPsec, but when it gets to the GW, the GW has to decrypt the packet to access some information needed in order to steer the packet. I was asking, “When GENEVE is not in use, which fields of the IPsec-encrypted packet does the GW need to access that requires the GW to decrypt the packet?”

Now, your revised text is clearer in some respects, but the goal-posts seem to have moved….

[Linda] Change to the following: 

 

As some packets from an enterprise CPE are destined to services within the Cloud DC, therefore requiring the Cloud DC to decrypt and forward to their respective destinations, and some are steered across the Cloud Backbone to the destination CPEs, the Cloud ingress GW must be able to determine which packets to decrypt and which one to steer across without decryption. This document describes a method for SD-WAN CPEs using GENEVE Encapsulation [RFC8926] to encapsulate the IPsec encrypted packets and send them to their closest Cloud GWs, who can detect if the packet needs to be steered across its backbone without decryption by looking into the Sub-TLVs inside the GENEVE header, which are specified in Section 4. Once it is determined that the packet is for steering across the backbone, the IPsec encrypted payload is steered through the Cloud Backbone without decryption to an optimal egress Cloud GWs, which forward the original IPsec encrypted payload to the destination CPEs. This method is for Cloud Backbone to connect multiple segments of SD-WAN without the Cloud GWs decrypting and re-encrypting the payloads. GENEVE is selected in this document as the encapsulation protocol because it is already widely in use in Cloud DC sites.

[AF2] The first few sentences in this paragraph talk about the GW needing to determine which packets to decrypt before forwarding, and which to forward without decryption. I guess that is fine, although I don’t see why this cannot be achieved using the normal IPsec SAs. That is, you are saying what can be achieved using the GENEVE encapsulation, but you are not saying why the GENEVE encapsulation is needed.

[AF2] But at the end of the paragraph you have come back to “without the Cloud GWs decrypting and re-encrypting the payloads” without indicating why that would have been necessary (which was the intent of my original question).

4.1 has

   The Protocol Type (16 bits) = 50 (ESP) [RFC4303] indicates
   that IPsec ESP encapsulated data are appended at the end of
   the GENEVE header.

My understanding of RFC 8926 is that you put an Ethertype in the
Protocol Type field.

   Protocol Type (16 bits):  The type of protocol data unit appearing
      after the Geneve header.  This follows the Ethertype [ETYPES]
      convention, with Ethernet itself being represented by the value
      0x6558.

The value 50 (x32) would thus be interpreted as an IEEE802.3 Length
Field. I *think* what you are meant to do is put the ESP after an IP
header (per RFC 4303) and then use the appropriate Ethertype in the
GENEVE header. This probably also makes life a lot easier because the
encapsulating IP header tells the gateway a lot about the intended 
destination of the packet (for example, you wouldn't need the SD-WAN
Tunnel Endpoint Sub-TLV and the SD-WAN Tunnel Originator Sub-TLV).

[Linda] Per your suggestion, we removed the Section 3.1, simply stating that Geneve header is specified in Section 3 of [RFC8926].

The draft needs to apply a new GENEVE Option Class (multi-seg-SD-WAN Option Class) at IANA (https://www.iana.org/assignments/nvo3/nvo3.xhtml ). 

 

[AF2] Right, so you have fixed 4.1. Good. The encap is now Eth-IP-UDP-Geneve-IP-ESP-payload

 

[AF2] Which takes us back to asking what the Geneve encapsulation an the sub-TLVs buy us as the original IP header is now visible. Perhaps the question is whether the IPsec SA is CPE-CPE or end-to-end. I don’t think that has been made clear. If the SA is between CPEs, the SD-WAN end-point sub-TLV seems to only reproduce what is in the encapsulated IP header dst field, and the SD-WAN tunnel originator Sub-TLV seems to reproduce the encapsulated IP header src field. So, perhaps you are trying to build an overlay which:

*	Has very little to do with whether or not the payload is encrypted
*	Is all about indicating the entry, exit, and transit GWs in the overlay network

[AF2] Overlays and tunnels are great (q.v.) and I am just trying to understand what it is you are trying to do with this work.

2.

   SD-WAN      An overlay connectivity service that optimizes
               transport of IP Packets over one or more Underlay
               Connectivity Services by recognizing applications
               (Application Flows) and determining forwarding
               behavior by applying Policies to them. [MEF-70.1]

To be clear, and notwithstanding anything in MEF70.1, it is not
possible (or desirable) to identify end applications. What is
possible, using the fields highlighted in MEF70.1, is to select
traffic flows and apply steering policies to them to direct them
towards interfaces or tunnel endpoints so that they are carried
across the underlay.

[Linda] Joel Halpern asked me to provider reference for SD-WAN. I sent him several options. He thinks referencing MEF is better than using any vendor’s definition. 

[AF] I am not objecting to using MEF70.1 as a reference to explain the term “SD-WAN”.

I am objecting to the suggestion that points within the network should be able to identify user’s applications.

The language here is yours (it’s in your draft!) so you can change it to talk about traffic flows, and not mention applications at all.

[Linda] got it. Did a global change to remove all mention of “applications”.

[AF2] Except in -06 you still have…

   SD-WAN      An overlay connectivity service that optimizes

               transport of IP Packets over one or more Underlay

               Connectivity Services by recognizing applications

               (Application Flows) and determining forwarding

               behavior by applying Policies to them. [MEF-70.1]

 

3.1 points to the use of cloud security functions and SaaS features. If,
however, end-to-end encryption is in use through IPsec, and that is 
carried in GENEVE so that the gateways do not need to decrypt and re-
encrypt, the availability of those security functions will be limited
(because they cannot see into the payload packet). Doesn't that mean
that these pieces of this use case are lost?

[Linda] There are monitoring functions provided by Cloud DC than can check IPsec encrypted traffic. 

[AF] OK. Would you like to add references for those?

[Linda] different cloud operators provide different ones. mentioning one vendor’s function is not appropriate for IETF drafts.

Here are the current available monitoring tools by AWS: 

 https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-overview-vpn.html#monitoring-automated-manual 

 

[AF2] I am not too interested in proprietary solutions (although I note that the referenced page makes no mention of IPsec or encryption). May I suggest:

OLD

  - Cloud-based tools and SaaS (Software as a Service) can be

     easily utilized to collect and analyze the threat to the

     traffic.

NEW

  - Proprietary cloud-based tools and SaaS (Software as a Service)

    may be available in specific deployments to collect and analyze

    the threat to the traffic.

END

 

You need much more clarity on your choice to not set the C bit in the 
option types. You should state that this is a deliberate choice and 
describe how the packets will be processed if the option type is not
recognised.

Won't you need a registry for these option types?

[Linda] Are you talking about the multi-seg-SD-WAN Option Class specified in Section 4.2? (https://www.iana.org/assignments/nvo3/nvo3.xhtml ).

 

[AF] There are two things going on…

1.	You are requesting an assignment from the Option Class registry (TBD). No problem.
2.	You are defining three Type values. Here there are two issues:

a.	According to 3.5 of 8926, the Type field of an Option Class is 8 bits with the high order bit being named the C-bit. The C-bit has specific meaning. Your three values do not choose to set that bit. You should explain why.
b.	You may want to consider having a registry for these Type values so that new SD-WAN Option class types can be defined in future.

[Linda] add the following:

C-bit needs to be set, so that receiving node can drop the packet if it does not recognize the option [RFC8926].

[AF2] OK. This has not shown up in -06, so presumably still in your edit buffer. I don’t know whether you are supposed to write “Type 1 with the C-bit set” or “Type 129”

[AF2] Note that 8926 calls it the ‘C’ bit and the high-order bit.

[AF2] You haven’t answered the point about the new registry

---

4.6 and 4.7

Obviously, you are going to have to specify these TLVs in a future 
version. For the include case, you are going to have to say whether this
is an ordered list, whether the inclusion is mandatory, and whether the
list is strict or loose. You may also have to worry about the option
length in the GENEVE header especially in the case of IPv6.

[Linda] Yes. Will add. Just at this moment, Azure is not sure what information they are willing to provide . 

[AF] Apologies, I thought this was an IETF spec. If this document is describing a proprietary protocol, then the document needs a lot of work!

[Linda] I meant to say that they may not want internal IP address exposed. Node ID or Region ID are all okay. 

Add the TLV

 

 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

|Include-Transit| length        |Transit_Type   |I|Reserved     |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 

|                            Transit node ID                    |

~                                                               ~

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 

            Figure 8 Include-Transit Sub-TLV

 

Multiple Include-Transit Sub-TLVs can be included in one GENEVE header to represent multiple nodes or regions to be included when the packet is steered through the Cloud Backbone. 

Transit_type: 

TBD1: when Transit node ID is represented as a numeric number, such as a Cloud Availability Region or Zone numeric identifier. 

TBD2: when Transit node ID is represented as string, such as a Cloud Availability Region or Zone name. 

TBD3: when Transit node ID is represented as an IP address.                 

I-bit: 

When set to 0: it indicates it needs best effort to steer through the transit node ID. 

When set to 1, it indicates that the Transit Node ID must be included through the Cloud Backbone. If the Transit Node ID cannot be traversed, an alert or alarm must be generated to the enterprise via an out-of-band channel. It is out of the scope of this document to specify those alerts or alarms. 

[AF2] That is making progress. Thanks. I think you are still missing:

*	Is this an ordered list or just a set?
*	How is the string encoded?
*	Will you have a new registry for these Transit_type values?

 

[AF2] Not sure that this discussion is needed prior to adoption, but you will need to have it before you reach RFC.

 

I'm curious why your new Multi Segment SD-WAN Sub-TLVs registry has 0
and 255 as reserved.

[Linda] To be on the safe side. I see many registries has 0 and 255 reserved. Is it okay? 

 

[AF] I am all in favour of safety. However, “I saw someone else did it, so I did it,” is as much reckless as safe! Have a reason for the things you do.

[Linda] In my option, it is a good practice to avoid 0 and FFFF in case some future operation needs to do some math function on the value. . 

 

[AF2] ROFL

v2.23.0 | Report a Bug | By Email