Re: [RTG-DIR] Rtgdir early review of draft-dmk-rtgwg-multisegment-sdwan-05
Adrian Farrel <adrian@olddog.co.uk> Wed, 21 February 2024 08:52 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96813C15109E; Wed, 21 Feb 2024 00:52:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=olddog.co.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IhwfSi2ignXI; Wed, 21 Feb 2024 00:52:01 -0800 (PST)
Received: from mta8.iomartmail.com (mta8.iomartmail.com [62.128.193.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3319BC15108B; Wed, 21 Feb 2024 00:51:58 -0800 (PST)
Received: from vs2.iomartmail.com (vs2.iomartmail.com [10.12.10.123]) by mta8.iomartmail.com (8.14.7/8.14.7) with ESMTP id 41L8pqfJ002852; Wed, 21 Feb 2024 08:51:52 GMT
Received: from vs2.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0D7614604B; Wed, 21 Feb 2024 08:51:52 +0000 (GMT)
Received: from vs2.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E167846048; Wed, 21 Feb 2024 08:51:51 +0000 (GMT)
Received: from asmtp1.iomartmail.com (unknown [10.12.10.248]) by vs2.iomartmail.com (Postfix) with ESMTPS; Wed, 21 Feb 2024 08:51:51 +0000 (GMT)
Received: from LAPTOPK7AS653V ([148.252.132.27]) (authenticated bits=0) by asmtp1.iomartmail.com (8.14.7/8.14.7) with ESMTP id 41L8pmfF009209 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 21 Feb 2024 08:51:49 GMT
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Linda Dunbar' <linda.dunbar@futurewei.com>, 'Yingzhen Qu' <yingzhen.ietf@gmail.com>
Cc: rtg-dir@ietf.org, draft-dmk-rtgwg-multisegment-sdwan.all@ietf.org, rtgwg@ietf.org
References: <170760111852.36779.1112884739220480182@ietfa.amsl.com> <CABY-gOPQYAPLAuQHwdjnQvN2hOoM_c+JaKKZ-+2BuQwz04f3pw@mail.gmail.com> <CO1PR13MB4920A3C89A7D9BE6D0113B4F854C2@CO1PR13MB4920.namprd13.prod.outlook.com> <0ce901da6181$857984e0$906c8ea0$@olddog.co.uk> <CO1PR13MB4920A3B157ED76C61FAF26A485502@CO1PR13MB4920.namprd13.prod.outlook.com> <104e01da63e1$29ff9ca0$7dfed5e0$@olddog.co.uk> <CO1PR13MB492029ED9D1456F3B64EDE9585502@CO1PR13MB4920.namprd13.prod.outlook.com>
In-Reply-To: <CO1PR13MB492029ED9D1456F3B64EDE9585502@CO1PR13MB4920.namprd13.prod.outlook.com>
Date: Wed, 21 Feb 2024 08:51:49 -0000
Organization: Old Dog Consulting
Message-ID: <004f01da64a3$35ea5f10$a1bf1d30$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0050_01DA64A3.35ED4540"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIhZXvPWYwe54ij0Q2rsvqDmiHRcgF4q1sRAZybi/wBnRE0sQGW5Y/iAx+H6RAB+CjEG7ArbNgg
Content-Language: en-gb
X-Originating-IP: 148.252.132.27
X-Thinkmail-Auth: adrian@olddog.co.uk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=olddog.co.uk; h=reply-to :from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type; s=20221128; bh=zO9owwMycDByETswCsBax 7ThnV5CEt6+FwDhu4Y49AI=; b=TbNLe8e6aYN1Ex5DIMxU+rwcaZVcUh2/+hc5b C/eal5/wIdQW0nNg+UX+0mU1MfOvzc4swzZzuX5i0NZI0kGh23GyqQssmPy7ghHJ /ApI5iJO74Ba7+6BrLeun/y31BpSx6jwhftE0UeErIerIB2yxaC72AnYHI/rckBs 7ro6mFA8NY8AJAA7l+x22OZMQyfwxUBqFDjFTMfBuidLWraZfS2aBuIkI9DJ8NLQ 14QcD2xcgMzHKwAeOFS/yinZAlRMnsa4R7KkSAHnMRodQDns/Prd175rfDCfAbt7 hPR4vfOcXG+fzTMxa6PzDK1M1b8thR24YIPfyCxQU99vHb3vQ==
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.1.0.2090-9.0.0.1002-28204.005
X-TM-AS-Result: No--35.744-10.0-31-10
X-imss-scan-details: No--35.744-10.0-31-10
X-TMASE-Version: IMSVA-9.1.0.2090-9.0.1002-28204.005
X-TMASE-Result: 10--35.743500-10.000000
X-TMASE-MatchedRID: CxmI61mtwh/xIbpQ8BhdbI61Z+HJnvsO2rWnqd4fvlQwA0zrW4Apb4zW +pUeGsis9EoXyKMKe+z6DhgT3dBZd74UW3kWydSPbbJ1kjy/hk7WN3XQ/7wsTymOv1Uo8OW+rNn 3jFDYniG5CQ+USzkSlrlnC7e1EEyAE69ZAbbX99RZRmuDptXfZ5KhhQs+egPOikvE2QGlUYQFrN vPd3tz/Ks56LhEMRafCuNKNULdtNoOb9XQDGUdbUNxBShCnTSwaDeXgWjzGeAVdewhX2WAAUVa8 miri4Io1OYlw6XumHgQhD7/IjyHooWDz7mPxd0pBcaL/tyWL2MzNsXWBvGVBj+B/tp8itBTGSEK Eg7q+DykV52mAIXFpYjqcgUPBZ4KVlWj4EEFi/Avun/+8u/hs2UfjhTZG7XaVC4aflv2vZmheSf a1JDlkuqANXfqVonH2x0pgWk4NORtIP5YpJZlnaoXHZz/dXlxWfgivgcUPZMum94DE3gzX2PyL1 P+xKk8XFHzOmntR+4W72/BUdOd4f/TRfo/HClEAjqAxuWkdTEE5QLI2nUmaUBJWZqYnN7aYxqmc ULrxeY58FZaNP+VyWLefidyCJTeEwrLJRWzqcyyMWcHlEdDX8E9L9xpdPcoVgkL9epqBvGSsj39 Y+7eN8RavgnETVO2flBYoKYhSNOjZjhaeJzbReXYI0z4MDj0iTglTilRJ2skm/L/MIL+8gW/iVQ nEOYhgMBtpml0DCBJpV9rHFX3j7MwnTKgkbsOwbRQ2Bpmlio3l2plwgrtWLmyqTXHGxLI387ROT CkGUPCfvo3UgFFJJpJ/iGeRMFQP7A6mmzUskBANB89sV0bJ30tCKdnhB58r10pknZXGJrJ4y0wP 1A6AB8AKgKWeNGh0KkIUsNMdlSQZS2ujCtcuA==
X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/v0JVbYPcOHzD8URjB243OTxKzMc>
Subject: Re: [RTG-DIR] Rtgdir early review of draft-dmk-rtgwg-multisegment-sdwan-05
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2024 08:52:06 -0000
Hi again,
Thanks for continuing to engage in this discussion.
This email is me getting out of the way of further progress of this draft.
Cheers,
Adrian
[snip]
[Linda2] Let me try again. How about the following write-up?
"To ensure security, enterprise traffic between their CPEs is encrypted and
remains inaccessible to any third parties, including the Cloud DC. For the
encrypted packets to be steered through the Cloud Backbone, the packet
header must contain information indicating the packet's intended route.
Given that the IPsec SA between CPEs is exclusively maintained between the
CPEs and is not accessible to Cloud GWs, the encrypted packet needs to be
carried by a tunnel between the source CPE and the ingress Cloud GW. This
tunnel can be another layer of IPsec, which adds processing overhead to the
Cloud GW to decrypt the outer IPsec tunnel solely for steering the encrypted
payload.
By steering the encrypted traffic through the Cloud Backbone without the
need for decryption and re-encryption at Cloud GWs, processing demands at
these GWs can be significantly reduced. This streamlined approach not only
maintains the integrity of the encrypted traffic but also optimizes
processing resources, enhancing overall efficiency within the cloud
infrastructure.
This document introduces a method for SD-WAN CPEs that utilizes GENEVE
Encapsulation [RFC8926] to encapsulate IPsec encrypted packets, directing
them to the nearest Cloud GWs. These gateways can determine whether the
packet needs to traverse the backbone without decryption by inspecting
Sub-TLVs within the GENEVE header, as specified in Section 4. Once
determined that the packet is intended for backbone traversal, the IPsec
encrypted payload is steered through the Cloud Backbone without decryption
to optimal egress Cloud GWs. These gateways then forward the original IPsec
encrypted payload to the destination CPEs. This method facilitates the Cloud
Backbone's connecting multiple SD-WAN segments without Cloud GWs decrypting
and re-encrypting payloads.
GENEVE is selected in this document as the encapsulation protocol due to its
widespread usage in Cloud DC sites."
[AF3] OK. It is clear in this text what you think you are doing and why. I
cannot say that I agree with your motivation, but it is clear. I don't have
(or intend to have) an implementation, so I should not stand in the way of
this.
[snip]
[AF2] Which takes us back to asking what the Geneve encapsulation an the
sub-TLVs buy us as the original IP header is now visible. Perhaps the
question is whether the IPsec SA is CPE-CPE or end-to-end. I don't think
that has been made clear. If the SA is between CPEs, the SD-WAN end-point
sub-TLV seems to only reproduce what is in the encapsulated IP header dst
field, and the SD-WAN tunnel originator Sub-TLV seems to reproduce the
encapsulated IP header src field. So, perhaps you are trying to build an
overlay which:
* Has very little to do with whether or not the payload is encrypted
* Is all about indicating the entry, exit, and transit GWs in the
overlay network
[AF2] Overlays and tunnels are great (q.v.) and I am just trying to
understand what it is you are trying to do with this work.
[Linda2] with the above changed write-up, is it more clear?
[AF3] Well, as I say, it is clear, but I don't agree. But that is no reason
for me to stand in the way.
[snip]
[Linda] add the following:
C-bit needs to be set, so that receiving node can drop the packet if it does
not recognize the option [RFC8926].
[AF2] OK. This has not shown up in -06, so presumably still in your edit
buffer. I don't know whether you are supposed to write "Type 1 with the
C-bit set" or "Type 129"
[AF2] Note that 8926 calls it the 'C' bit and the high-order bit.
[AF2] You haven't answered the point about the new registry
[Linda2] Yes, need IANA registry. Reflected in -7
[AF3] OK. I see the registry. I think you still have work to do on it
related to the 'C' bit. You don't have to do that now, but you will need to
do it.
You seem to have crashed the use of "TBD1" etc which were for Transit node
ID types (section 4.5) but you have reused those flags in section 11 for the
Multi-seg-SDWAN_subTypes
And you'll have to give IANA a clue about selecting from the range 128-255
to make sure the C-bit is set.
Note that in the body text you have two cases of subType3
---
4.6 and 4.7
Obviously, you are going to have to specify these TLVs in a future
version. For the include case, you are going to have to say whether this
is an ordered list, whether the inclusion is mandatory, and whether the
list is strict or loose. You may also have to worry about the option
length in the GENEVE header especially in the case of IPv6.
[Linda] Yes. Will add. Just at this moment, Azure is not sure what
information they are willing to provide .
[AF] Apologies, I thought this was an IETF spec. If this document is
describing a proprietary protocol, then the document needs a lot of work!
[Linda] I meant to say that they may not want internal IP address exposed.
Node ID or Region ID are all okay.
Add the TLV
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Include-Transit| length |Transit_Type |I|Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Transit node ID |
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 8 Include-Transit Sub-TLV
Multiple Include-Transit Sub-TLVs can be included in one GENEVE header to
represent multiple nodes or regions to be included when the packet is
steered through the Cloud Backbone.
Transit_type:
TBD1: when Transit node ID is represented as a numeric number, such as a
Cloud Availability Region or Zone numeric identifier.
TBD2: when Transit node ID is represented as string, such as a Cloud
Availability Region or Zone name.
TBD3: when Transit node ID is represented as an IP address.
I-bit:
When set to 0: it indicates it needs best effort to steer through the
transit node ID.
When set to 1, it indicates that the Transit Node ID must be included
through the Cloud Backbone. If the Transit Node ID cannot be traversed, an
alert or alarm must be generated to the enterprise via an out-of-band
channel. It is out of the scope of this document to specify those alerts or
alarms.
[AF2] That is making progress. Thanks. I think you are still missing:
* Is this an ordered list or just a set?
[Linda2] No
[AF3] <snigger> "Is it an apple or an orange," he asked. "No," she replied.
[AF2]
* How is the string encoded?
[Linda2] strictly between the enterprise <-> Cloud Provider.
[AF3] So, is it a byte string or a character string? Is it printable? Is
internationalization supported? How does an implementation at the enterprise
manage to interwork with an implementation at the cloud provider?
[snip]
- [RTG-DIR] Rtgdir early review of draft-dmk-rtgwg-… Adrian Farrel via Datatracker
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Yingzhen Qu
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Linda Dunbar
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Adrian Farrel
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Linda Dunbar
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Adrian Farrel
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Linda Dunbar
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Adrian Farrel
- Re: [RTG-DIR] Rtgdir early review of draft-dmk-rt… Linda Dunbar