Just finished reading your draft and I don’t think the two drafts are complimentary. Frankly, I don’t see any advantages for using a separate SAFI for this purpose but many disadvantages such as:
1. Resurrecting the approach in RFC 5512 that is being deprecated – i.e., send a separate route for the tunnel and then color the other routes to associated with the tunnel (using indirection) and opposed the current common practice in Tunnel Encap attribute that sends the attribute directly with the corresponding route. 2. When establishing IPsec tunnel at a more granular level (e.g., per pair of VPN MAC or IP addresses), you need to advertise twice as many routes !! 3. The overhead associated with a new SAFI as opposed to use exiting attribute 4. NAT can be handled without the new SAFI The secure tunnel between each PE and the RR (e.g., IPsec) for the BGP session is common between the two drafts as mentioned first by the controller-ike draft. This is needed because you want to make sure that the BGP session goes over a tunnel that is authenticated between the peers (and encrypted). Intuitively the use of tunnel encap attribute for IPsec should be clear as IPsec is another tunnel type and key exchange parameter, transfer function, DH groups, etc. are attributes/properties of such tunnel and thus to be advertised in this new tunnel type TLV. Let’s start with EVPN because that is the technology/solution being used predominately in DCs, DCIs, and enterprise inter-site connectivity. I listed the disadvantages of using a separate SAFI above, can you list the advantages of using a separate SAFI for EVPN? Cheers, Ali From: BESS <bess-boun...@ietf.org> on behalf of Linda Dunbar <linda.dun...@huawei.com> Date: Tuesday, October 30, 2018 at 9:19 AM To: "i...@ietf.org" <i...@ietf.org>, "bess@ietf.org" <bess@ietf.org> Subject: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00 IDR group, BESS group, https://datatracker.ietf.org/doc/draft-dunbar-idr-bgp-sdwan-overlay-ext/ specifies a new BGP SAFI (=74) in order to advertise a SD-WAN edge node’s capabilities in establishing SD-WAN overlay tunnels with other SD-WAN nodes through third party untrusted networks. draft-sajassi-bess-secure-evpn-00 describes an EVPN solution for PE nodes to exchange key and policy to create private pair-wise IPsec Security Associations without IKEv2 point-to-point signaling or any other direct peer-to-peer session establishment messages. I think those two solutions are not conflicting with each other. Actually they are compliment to each other to some degree. For example, * the Re-key mechanism described by draft-sajassi-bess-secure-evpn-00 can be utilized by draft-dunbar-idr-bgp-sdwan-overlay-ext * The SD-WAN Overlay SAFI can be useful to simplify the process on RR to re-distribute the Tunnel End properties to authorized peers. * When SD-WAN edge nodes use private address, or no IP address, NAT properties for the end points distribution described draft-dunbar-idr-bgp-sdwan-overlay-ext is necessary. * The secure channel between SD-WAN edge nodes and RR described by draft-dunbar-idr-bgp-sdwan-overlay-ext is necessary. Any thoughts? Thank you very much. Linda Dunbar
_______________________________________________ BESS mailing list BESS@ietf.org https://www.ietf.org/mailman/listinfo/bess
