RE: [bess] comments and suggestions to draft-rosen-bess-secure-l3vpn-01

"UTTARO, JAMES" <ju1738@att.com> Tue, 10 July 2018 12:22 UTC

Return-Path: <ju1738@att.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0923F130E8F; Tue, 10 Jul 2018 05:22:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.61
X-Spam-Level:
X-Spam-Status: No, score=-0.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3oeOfNUmD2q; Tue, 10 Jul 2018 05:22:19 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30CB112785F; Tue, 10 Jul 2018 05:22:19 -0700 (PDT)
Received: from pps.filterd (m0049463.ppops.net [127.0.0.1]) by m0049463.ppops.net-00191d01. (8.16.0.22/8.16.0.22) with SMTP id w6ACF6Xh043172; Tue, 10 Jul 2018 08:22:11 -0400
Received: from alpi155.enaf.aldc.att.com (sbcsmtp7.sbc.com [144.160.229.24]) by m0049463.ppops.net-00191d01. with ESMTP id 2k4rntkxdk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 10 Jul 2018 08:22:10 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id w6ACM9YH030203; Tue, 10 Jul 2018 08:22:10 -0400
Received: from zlp27128.vci.att.com (zlp27128.vci.att.com [135.66.87.50]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id w6ACM2Yj030077; Tue, 10 Jul 2018 08:22:02 -0400
Received: from zlp27128.vci.att.com (zlp27128.vci.att.com [127.0.0.1]) by zlp27128.vci.att.com (Service) with ESMTP id 025D140006B6; Tue, 10 Jul 2018 12:22:02 +0000 (GMT)
Received: from MISOUT7MSGHUBAB.ITServices.sbc.com (unknown [130.9.129.146]) by zlp27128.vci.att.com (Service) with ESMTPS id DAD6440006A1; Tue, 10 Jul 2018 12:22:01 +0000 (GMT)
Received: from MISOUT7MSGUSRCD.ITServices.sbc.com ([169.254.4.177]) by MISOUT7MSGHUBAB.ITServices.sbc.com ([130.9.129.146]) with mapi id 14.03.0399.000; Tue, 10 Jul 2018 08:22:00 -0400
From: "UTTARO, JAMES" <ju1738@att.com>
To: Jeff Tantsura <jefftant.ietf@gmail.com>, Ron Bonica <rbonica@juniper.net>
CC: "bess@ietf.org" <bess@ietf.org>, RTGWG <rtgwg@ietf.org>, Eric Rosen <erosen@juniper.net>, Robert Raszuk <robert@raszuk.net>, Linda Dunbar <linda.dunbar@huawei.com>
Subject: RE: [bess] comments and suggestions to draft-rosen-bess-secure-l3vpn-01
Thread-Topic: [bess] comments and suggestions to draft-rosen-bess-secure-l3vpn-01
Thread-Index: AdQUd6UGClvRk5FQRUGF9YyejctT/AA3qsZwAAIU+0AACiU3AAAAP8cAAAB6CoAAAb8JgAAGAtgAAKfFA1A=
Date: Tue, 10 Jul 2018 12:22:00 +0000
Message-ID: <B17A6910EEDD1F45980687268941550F3676A366@MISOUT7MSGUSRCD.ITServices.sbc.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B07E161@sjceml521-mbs.china.huawei.com> <DM2PR05MB4485047CBE1ABF17FBE7083AE470@DM2PR05MB448.namprd05.prod.outlook.com> <4A95BA014132FF49AE685FAB4B9F17F66B07EB23@sjceml521-mbs.china.huawei.com> <CA+b+ERnwvYF4JdoiHhPPBYds-Tm9EPyZm6vPLdscjNtKhqTY4A@mail.gmail.com> <49131D01-708D-4A17-9521-F0DEA6891FC9@gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B07EDB4@sjceml521-mbs.china.huawei.com> <DM2PR05MB448D2B060B09D4275A9BC6AAE470@DM2PR05MB448.namprd05.prod.outlook.com> <14EDAB4B-1023-4084-93CC-C1C6AA36C081@gmail.com>
In-Reply-To: <14EDAB4B-1023-4084-93CC-C1C6AA36C081@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.10.130.254]
Content-Type: multipart/alternative; boundary="_000_B17A6910EEDD1F45980687268941550F3676A366MISOUT7MSGUSRCD_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-10_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807100134
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/qZZ-gJ_Sl2MfvNXGaT3-8Vbqjxc>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 12:22:24 -0000

Jeff,

                Comments In-Line..

Thanks,
                Jim Uttaro

From: BESS [mailto:bess-bounces@ietf.org] On Behalf Of Jeff Tantsura
Sent: Friday, July 06, 2018 8:16 PM
To: Ron Bonica <rbonica@juniper.net>
Cc: bess@ietf.org; RTGWG <rtgwg@ietf.org>; Eric Rosen <erosen@juniper.net>; Robert Raszuk <robert@raszuk.net>; Linda Dunbar <linda.dunbar@huawei.com>
Subject: Re: [bess] comments and suggestions to draft-rosen-bess-secure-l3vpn-01

There are also many companies using EVPN as the control plane.
It is important to find a “golden middle” where on one side we achieve interoperability but on another don’t hinder the innovation in that, fast growing space.
[Jim U>] Is this specific to inter-operability with secure-l3vpn-01 or intended as a general statement in re interoperability with the 2547 ?
Data planes are a jungle and would not be standardized any time soon.
However - an abstraction on top would be very useful.

Regards,
Jeff

On Jul 6, 2018, at 14:23, Ron Bonica <rbonica@juniper.net<mailto:rbonica@juniper.net>> wrote:
+1

Let’s follow up on this discussion in Montreal.

From: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>
Sent: Friday, July 6, 2018 4:33 PM
To: Jeff Tantsura <jefftant.ietf@gmail.com<mailto:jefftant.ietf@gmail.com>>; Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Cc: Ron Bonica <rbonica@juniper.net<mailto:rbonica@juniper.net>>; RTGWG <rtgwg@ietf.org<mailto:rtgwg@ietf.org>>; Eric Rosen <erosen@juniper.net<mailto:erosen@juniper.net>>; bess@ietf.org<mailto:bess@ietf.org>
Subject: RE: [bess] comments and suggestions to draft-rosen-bess-secure-l3vpn-01

Jess,

Great Action! There are much more than the Data modeling.
A lot to be done in Control Plane. Many SD-WAN deployment (ours included) use NHRP/DMVPN/DSPVN to manage routes via internet. But NHRP being developed decades ago (for ATM) just doesn’t scale to support Managed Overlay network of 100s or 1000s CPEs.

Linda

From: BESS [mailto:bess-bounces@ietf.org] On Behalf Of Jeff Tantsura
Sent: Friday, July 06, 2018 3:20 PM
To: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Cc: Ron Bonica <rbonica@juniper.net<mailto:rbonica@juniper.net>>; RTGWG <rtgwg@ietf.org<mailto:rtgwg@ietf.org>>; Eric Rosen <erosen@juniper.net<mailto:erosen@juniper.net>>; bess@ietf.org<mailto:bess@ietf.org>; Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>
Subject: Re: [bess] comments and suggestions to draft-rosen-bess-secure-l3vpn-01

Robert/Linda,

RTGWG chairs have been thinking of starting SD-WAN discussion in RTGWG.
Service data modeling(data modeling in general)is an obvious candidate (at ONUG we started, there’s some early effort, but IETF help is needed).
Control plane interworking is another interesting topic.
Please bring your ideas, I’m still working on agenda

Regards,
Jeff

On Jul 6, 2018, at 13:12, Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>> wrote:
Hi Linda,

What you are expressing is very clear and in fact happens today on any good SD-WAN controller.

But in the context of this discussion are you bringing it here to suggest that draft-rosen-bess-secure-l3vpn should have such functionality build in ?

Personally I don't think it really belongs in this draft as perfect sweet spot for it still IMHO resides on a SD-WAN controller. Pushing all that logic into BGP may be a bit excessive ...

Many thx,
R.


On Fri, Jul 6, 2018 at 9:32 PM, Linda Dunbar <linda.dunbar@huawei..com<mailto:linda.dunbar@huawei.com>> wrote:
Ron,

This is referring to a Managed Overlay WAN services with many CPEs (large scale SD-WAN) and where

-        there are many CPEs at each location and multiple WAN ports on each CPE

-        SD-WAN Controller needs to detour a path between Site -A-&  Site-B via another site (e.g. Site-C) for reasons like Performance, Regulatory,  or others. Instead of designating to specific CPE of the site-C.

It is preferable to partition CPEs to clusters, as shown in the figure below:

[cid:image001..png@01D41536.30DC7AC0]

Do I explain well? If not, can we talk face to face in Montreal?

Thanks, Linda Dunbar

From: Ron Bonica [mailto:rbonica@juniper.net<mailto:rbonica@juniper.net>]
Sent: Friday, July 06, 2018 1:25 PM
To: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>>; Eric Rosen <erosen@juniper.net<mailto:erosen@juniper.net>>; bess@ietf.org<mailto:bess@ietf.org>
Subject: RE: comments and suggestions to draft-rosen-bess-secure-l3vpn-01

Hi Linda,

I’m not sure that I understand what you mean when you say, “aggregate CPE-based VPN routes with internet routes that interconnect the CPEs”. Could you elaborate?

                                                            Ron


From: Linda Dunbar <linda.dunbar@huawei.com<mailto:linda..dunbar@huawei..com>>
Sent: Thursday, July 5, 2018 11:53 AM
To: Eric Rosen <erosen@juniper.net<mailto:erosen@juniper.net>>; Ron Bonica <rbonica@juniper.net<mailto:rbonica@juniper.net>>; bess@ietf.org<mailto:bess@ietf.org>
Subject: comments and suggestions to draft-rosen-bess-secure-l3vpn-01

Eric and Ron,

We think that the method described in your draft is useful for CPE based EVPN, especially for SD-WAN between CPEs.
But, it misses some aspects to aggregate CPE-based VPN routes with internet routes that interconnect the CPEs.

Question to you: Would you like to expand your draft to cover the scenario of aggregating CPE-based VPN routes with internet routes that interconnect the CPEs?

If yes, we think the following areas are needed:


•        For RR communication with CPE, this draft only mentioned IPSEC. Are there any reasons that TLS/DTLS are not added?

•        The draft assumes that C-PE “register” with the RR. But it doesn’t say how. Should “NHRP” (modified version) be considered?

•        It assumes that C-PE and RR are connected by IPsec tunnel. With zero touch provisioning, we need an automatic way to synchronize the IPSec SA between C-PE and RR. The draft assumes:

•  A C-PE must also be provisioned with whatever additional information is needed in order to set up an IPsec SA with each of the red RRs

•        IPsec requires periodic refreshment of the keys. How to synchronize the refreshment among multiple nodes?

•        IPsec usually only send configuration parameters to two end points and let the two end points to negotiate the KEY. Now we assume that RR is responsible for creating the KEY for all end points. When one end point is confiscated, all other connections are impacted.

If you are open to expand your draft to cover SD-WAN, we can help providing the sections to address the bullets mentioned above.

We have a draft analyzing the technological gaps when using SD-WAN to interconnect workloads & apps hosted in various locations: https://datatracker.ietf.org/doc/draft-dm-net2cloud-gap-analysis/<https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Ddm-2Dnet2cloud-2Dgap-2Danalysis_&d=DwMFAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=zU9RrstHx08_qwVE-_wbaPcJUwA0Cx7W9wg4K6cDAOs&s=1SH5CDBkEFKTyKPWRpPpy-dfxkl19-hrgXiR7nRkq50&e=>
Appreciate your comments and suggestions to our gap analysis.


Thanks, Linda Dunbar


_______________________________________________
BESS mailing list
BESS@ietf.org<mailto:BESS@ietf.org>
https://www.ietf.org/mailman/listinfo/bess<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_bess&d=DwMGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=-YF-QCTv5uEfMyt2Wc0PmtR67-K6YA_3N6rtLgrOn8s&s=SriB9BByrX7UeyUS1mlwSgHjqLf0roIqfTnM8SdQA7E&e=>

_______________________________________________
BESS mailing list
BESS@ietf.org<mailto:BESS@ietf.org>
https://www.ietf.org/mailman/listinfo/bess<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_bess&d=DwMGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=-YF-QCTv5uEfMyt2Wc0PmtR67-K6YA_3N6rtLgrOn8s&s=SriB9BByrX7UeyUS1mlwSgHjqLf0roIqfTnM8SdQA7E&e=>