Robert,

Thank you very much for the feedback.

If using your suggested Route Target approach to represent the SDWAN Instance 
ID, does it mean that a SDWAN Edge has to use the same approach to configure 
the VRF for SDWAN instances?
If the edge node supports both traditional VPN and SDWAN, will it cause 
confusion for RT to represent both?

RT is encoded in the Extended_Communities Path Attribute, SAFI 128 is encoded 
in the MP_REACH_NLRI Path Attribute.

What do you mean by saying “different name to Route target(s) carried in the 
SAFI 128”?
Do you mean having a different name (say SDWAN_Target) in Extended_Communities 
Path Attribute, and have MP_REACH_NLRI Path Attribute including the SAFI 128?

SDWAN Instance ID is for the control Plane, not to be carried by the data 
packets. SAFI 128 for VPN has the Label encoded in the NLRI field that is to be 
carried by the data packets. But SDWAN Instance ID is not carried by the Data 
Packets. Is it correct?

Thank you.
Linda




From: Robert Raszuk <rob...@raszuk.net>
Sent: Monday, March 23, 2020 2:28 PM
To: Linda Dunbar <linda.dun...@futurewei.com>
Cc: Huaimo Chen <huaimo.c...@futurewei.com>; i...@ietf.org; bess@ietf.org
Subject: Re: [Idr] Seeking feedback of draft-dunbar-idr-sdwan-port-safi using 
SDWAN SAFI to encode SDWAN Instance ID in the NLRI

Hi Linda,

I think you are mixing data plane and control plane.

In SDWAN data plane is of no issue as you are interconnecting sites in a given 
VPN over mesh of secure tunnels.

You are asking how to keep control plane separate between VPN instances. This 
is precisely what RFC4364 does already and RT import/export is used to indicate 
the instance which given set of reachability belongs. Why to reinvent the wheel 
and do something new just for the heck of it :) ?

To be original you can at best invent a different name to Route target(s) 
carried in the SAFI 128 but let's keep the mechanism the same. That would be my 
suggestion.

Kind regards,
R.

PS. While this is obvious for some many folks are still confused. RFC4364 does 
not need to run over MPLS data plane. It can run over IPSec or over DTLS or 
over UDP/IP just fine.

On Mon, Mar 23, 2020 at 6:47 PM Linda Dunbar 
<linda.dun...@futurewei.com<mailto:linda.dun...@futurewei.com>> wrote:
IDR experts:

SDWAN is an overlay network arching over multiple types of networks. A SDWAN 
edge node may need to map client traffic to different SDWAN network instances 
(or segmentations).
It might not be feasible to use the AS number in the BGP message to 
differentiate the SDWAN network instances as multiple SDWAN instances may share 
the same AS number.

We would like to hear feedback from IDR group on using similar method as  
Binding MPLS Labels to Address Prefixes [RFC8277] to bind SDWAN Instance ID to  
prefixes.

When  MPLS VPN SAFI (=128) is present, MPLS label is carried by NLRI [RFC8277] 
as:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Length     |                 Label                 |Rsrv |S|
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Prefix                               ~
     ~                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 2: NLRI with One Label

We would like to  propose the SDWAN Instance ID being encoded in the Label 
field as follows when SDWAN SAFI (=74 allocated by IANA) is used,:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Length     |      SDWAN Instance ID (Label)        |Rsrv |S|
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Prefix                               ~
     ~                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                        NLRI with SDWAN Instance ID.

Greatly appreciate any comments or other suggestions..

Thank you,
Linda Dunbar

From: Huaimo Chen <huaimo.c...@futurewei.com<mailto:huaimo.c...@futurewei.com>>
Sent: Monday, March 23, 2020 9:14 AM
To: Linda Dunbar 
<linda.dun...@futurewei.com<mailto:linda.dun...@futurewei.com>>; 
i...@ietf.org<mailto:i...@ietf.org>
Cc: bess@ietf.org<mailto:bess@ietf.org>
Subject: Re: [Idr] FW: Is there any problem of using Private AS as "Identifier" 
to differentiate SD-WAN Segmentation for draft-dunbar-bess-bgp-sdwan-usage?

Hi Linda,

    It seems that using another SAFI is a possible solution.

Best Regards,
Huaimo
________________________________
From: Linda Dunbar 
<linda.dun...@futurewei.com<mailto:linda.dun...@futurewei.com>>
Sent: Friday, March 20, 2020 12:54 AM
To: Huaimo Chen <huaimo.c...@futurewei.com<mailto:huaimo.c...@futurewei.com>>; 
i...@ietf.org<mailto:i...@ietf.org> <i...@ietf.org<mailto:i...@ietf.org>>
Cc: bess@ietf.org<mailto:bess@ietf.org> <bess@ietf.org<mailto:bess@ietf.org>>
Subject: RE: [Idr] FW: Is there any problem of using Private AS as "Identifier" 
to differentiate SD-WAN Segmentation for draft-dunbar-bess-bgp-sdwan-usage?


Huaimo,



Thank you very much for the suggestion.

Do you mean using the similar approach as VPN Label carried by NLRI Path 
Attribute [RFC8277] for SDWAN Segmentation Identifier?

If yes, the UPDATE message should not use the MPLS VPN SAFI (=128) to avoid 
confusion, right?



Linda



From: Huaimo Chen <huaimo.c...@futurewei.com<mailto:huaimo.c...@futurewei.com>>
Sent: Thursday, March 19, 2020 6:45 PM
To: Linda Dunbar 
<linda.dun...@futurewei.com<mailto:linda.dun...@futurewei.com>>; 
i...@ietf.org<mailto:i...@ietf.org>
Cc: bess@ietf.org<mailto:bess@ietf.org>
Subject: Re: [Idr] FW: Is there any problem of using Private AS as "Identifier" 
to differentiate SD-WAN Segmentation for draft-dunbar-bess-bgp-sdwan-usage?



Hi Linda,



    It seems that a label may be used as an "Identifier" to differentiate 
SD-WAN Segmentation.



Best Regards,

Huaimo

________________________________

From: Idr <idr-boun...@ietf.org<mailto:idr-boun...@ietf.org>> on behalf of 
Linda Dunbar <linda.dun...@futurewei.com<mailto:linda.dun...@futurewei.com>>
Sent: Thursday, March 19, 2020 1:22 PM
To: i...@ietf.org<mailto:i...@ietf.org> <i...@ietf.org<mailto:i...@ietf.org>>
Cc: bess@ietf.org<mailto:bess@ietf.org> <bess@ietf.org<mailto:bess@ietf.org>>
Subject: [Idr] FW: Is there any problem of using Private AS as "Identifier" to 
differentiate SD-WAN Segmentation for draft-dunbar-bess-bgp-sdwan-usage?



BGP Experts,



Do you know if  there is any problem of using  Private AS as  "Identifier" to 
differentiate SD-WAN Segmentation? Here is the discussion in BESS WG. Want to 
get IDR WG feedbacks for this question.



Thank you.

Linda



From: Linda Dunbar
Sent: Thursday, March 19, 2020 11:54 AM
To: Najem, Basil <basil.na...@bell.ca<mailto:basil.na...@bell.ca>>; 
bess@ietf.org<mailto:bess@ietf.org>
Cc: 
draft-dunbar-bess-bgp-sdwan-us...@ietf.org<mailto:draft-dunbar-bess-bgp-sdwan-us...@ietf.org>
Subject: Is there any problem of using Private AS as "Identifier" to 
differentiate SD-WAN Segmentation for draft-dunbar-bess-bgp-sdwan-usage?



Based on Basil’s comment on needing an identifier to differentiate SDWAN 
instances, I added a section to  draft-dunbar-bess-bgp-sdwan-usage . Want to 
hear people’s feedback.



3.1    Requirements
3.1.1Supporting Multiple SDWAN Segmentations

The term “network segmentation” is used extensively in SDWAN deployment. In 
general (and in this document), the “Network Segmentation” is referring to the 
process of dividing the network into logical sub-networks using isolation 
techniques on a forwarding device such as a switch, router, or firewall. For a 
homogeneous network, such as MPLS VPN or Layer 2 network, VRF or VLAN are used 
to separate network segments.

As SDWAN is an overlay network arching over multiple types of networks, it is 
important to have distinct identifiers to differentiate SDWAN network instances 
(or segmentations). When different SDWAN network segments do not have their own 
assigned AS numbers, a very easy way is to use Private AS numbers, in the range 
of 64512 to 65535, to differentiate different SDWAN segmentations.. When using 
BGP to control the SDWAN networks, the Private AS numbers are carried by the 
BGP UPDATE messages to their corresponding RRs.



Greatly appreciate any feedback on this description.



Is there any scenario that Private AS cannot be used?



Thank you very much.



Linda Dunbar



From: Najem, Basil <basil.na...@bell.ca<mailto:basil.na...@bell.ca>>
Sent: Friday, February 7, 2020 3:02 PM
To: Linda Dunbar 
<linda.dun...@futurewei.com<mailto:linda.dun...@futurewei.com>>; 
bess@ietf.org<mailto:bess@ietf.org>
Cc: 
draft-dunbar-bess-bgp-sdwan-us...@ietf.org<mailto:draft-dunbar-bess-bgp-sdwan-us...@ietf.org>
Subject: RE: solicit feedback on draft-dunbar-bess-bgp-sdwan-usage description 
of using BGP UPDATE messages to achieve SD-WAN Application Based Segmentation







Hi Linda;



The SD-WAN Segment is part of the SD-WAN fabric; in other words, there could be 
more than one Segment over a single underlay depending on the design and the 
business requirements.



Each Segment represents a single and an isolated L3 domain; therefore, I 
suggested that we may need to include the Segment ID in the BGP update messages 
in order to identify and build the routing the table for each Segment (based on 
the Segment ID).



Hope this helps.



Regards;



Basil





From: Linda Dunbar 
<linda.dun...@futurewei.com<mailto:linda.dun...@futurewei.com>>
Sent: February-03-20 10:40 AM
To: Najem, Basil <basil.na...@bell.ca<mailto:basil.na...@bell.ca>>; 
bess@ietf.org<mailto:bess@ietf.org>
Cc: 
draft-dunbar-bess-bgp-sdwan-us...@ietf.org<mailto:draft-dunbar-bess-bgp-sdwan-us...@ietf.org>
Subject: [EXT]RE: solicit feedback on draft-dunbar-bess-bgp-sdwan-usage 
description of using BGP UPDATE messages to achieve SD-WAN Application Based 
Segmentation



Basil,



Thank you very much for the comments.

Your suggested wording change will be incorporated in the next revision.



As for your suggestion of Segment and Segment ID of a SDWAN node (to be 
included in the BGP UPDATE), does the “Segment” mean the different Underlay?

In the figure below, C-PE1 has 3 WAN ports: 2 to MPLS network and 1 to Public 
Internet.

Do you mean C-PE1 has 3 WAN “segments”?

If not, can you elaborate more?







Thanks, Linda



From: Najem, Basil <basil.na...@bell.ca<mailto:basil.na...@bell.ca>>
Sent: Sunday, February 02, 2020 5:48 PM
To: Linda Dunbar 
<linda.dun...@futurewei.com<mailto:linda.dun...@futurewei.com>>; 
bess@ietf.org<mailto:bess@ietf.org>
Cc: 
draft-dunbar-bess-bgp-sdwan-us...@ietf.org<mailto:draft-dunbar-bess-bgp-sdwan-us...@ietf.org>
Subject: RE: solicit feedback on draft-dunbar-bess-bgp-sdwan-usage description 
of using BGP UPDATE messages to achieve SD-WAN Application Based Segmentation





Hello Linda;



I haven’t gone through the entire document; however, I have the following quick 
comments



  1.  Regarding the following paragraph:



1.       Augment of transport, which refers to utilizing overlay paths over 
different underlay networks. Very often there are multiple parallel overlay 
paths between any two SDWAN edges, some of which are private networks over 
which traffic can traverse without encryption, others require encryption, e.g. 
over untrusted public networks.



The traffic that traverses the privet networks can be either encrypted or 
unecrypted (in other words, the assumption that the traffic is NOT encrypted is 
not always correct). I would change the parpagaph to the following (for 
clarity):



1.       Augment of transport, which refers to utilizing overlay paths over 
different underlay networks. Very often there are multiple parallel overlay 
paths between any two SDWAN edges, some of which are private networks over 
which traffic can traverse with or without encryption, others require 
encryption, e.g. over untrusted public networks.





  1.  Another thing that we need to discuss is the Segment ID; each Segment (at 
the SD-WAN Edge) MUST have an ID. The SD-WAN Policy will map the Application 
Flow to the Segment. Since the Segment is a “routing domain”, the BGP update 
will be exchanged with the memebers of a particular Segment.



As such: Should we include the Segment ID as an attribute in the BGP update 
messages? Perhaps we need to further discuss this in details.



Any feedback is welcomed and it’s highly appreciated.



Regards;



Basil





From: Linda Dunbar 
<linda.dun...@futurewei.com<mailto:linda.dun...@futurewei.com>>
Sent: January-31-20 5:17 PM
To: bess@ietf.org<mailto:bess@ietf.org>
Cc: 
draft-dunbar-bess-bgp-sdwan-us...@ietf.org<mailto:draft-dunbar-bess-bgp-sdwan-us...@ietf.org>
Subject: [EXT]solicit feedback on draft-dunbar-bess-bgp-sdwan-usage description 
of using BGP UPDATE messages to achieve SD-WAN Application Based Segmentation



BESS participants:



“SDWAN” networks is characterized by:

1.       Augment of transport, which refers to utilizing overlay paths over 
different underlay networks. Very often there are multiple parallel overlay 
paths between any two SDWAN edges, some of which are private networks over 
which traffic can traverse without encryption, others require encryption, e.g. 
over untrusted public networks.

2.       Enable direct Internet access from remote sites, instead hauling all 
traffic to Corporate HQ for centralized policy control.

3.       Some traffic are routed based on application IDs instead of based on 
destination IP addresses.





https://datatracker.ietf.org/doc/draft-dunbar-bess-bgp-sdwan-usage/<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dunbar-bess-bgp-sdwan-usage%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C6fce142531214362ed4c08d7cf6044aa%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637205884697250108&sdata=SYcw4ORJcayiaqYuWRTUZi5zmv25X3b%2FBVm5TW0yhgg%3D&reserved=0>
 describes examples of using BGP UPDATE messages to achieve the SDWAN 
Application Based Segmentation,  assuming that the applications are assigned 
with unique IP addresses.

In the Figure below, the following BGP Updates can be advertised to ensure that 
Payment Application only communicates with the Payment Gateway:





BGP UPDATE #1 from C-PE2 to RR for the RED P2P topology (only propagated to 
Payment GW node:

-        MP-NLRI Path Attribute:

        *   30.1.1.x/24

-        Tunnel Encap Path Attribute

        *   IPsec Attributes for PaymentGW ->C-PE2



BGP UPDATE #2 from C-PE2 to RR for the routes to be reached by Purple:

-        MP-NLRI Path Attribute:

        *   10.1.x.x
        *   12.4.x.x

-        TunnelEncap Path Attribute:

        *   Any node to C-PE2





Your feedback is greatly appreciated.



Thank you very much.



Linda Dunbar

________________________________

External Email: Please use caution when opening links and attachments / 
Courriel externe: Soyez prudent avec les liens et documents joints

________________________________

External Email: Please use caution when opening links and attachments / 
Courriel externe: Soyez prudent avec les liens et documents joints
_______________________________________________
Idr mailing list
i...@ietf.org<mailto:i...@ietf.org>
https://www.ietf.org/mailman/listinfo/idr<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fidr&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C6fce142531214362ed4c08d7cf6044aa%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637205884697250108&sdata=xGo7v5SPCdHr9a6DW8cKuzTgzyCoWQ5VRTZ2ylvI8ns%3D&reserved=0>
_______________________________________________
BESS mailing list
BESS@ietf.org
https://www.ietf.org/mailman/listinfo/bess

Reply via email to