Re: AW: [Teas] 答复: VPN security vs SD-WAN security

[Stewart Bryant]

Ruediger

The work I am doing on VPN+ is not targetted at the big I Internet. It is
targetted at mobile edge, access and the core of the mobile provider. These
are the customers that are asking for the service, and that in turn is
based on the output of SDOs that they are more comfortable associating
with (3GPP and ITU-R).

However, as we all know, a lot of traffic that users consider to go across
the big I internet is between them and the PoP of the CDN provider
supporting the service they are accessing. That is the model
that the mobile operators want to propagate by pulling compute resources
closer to the edge of their network than is currently the case.

I am sure there are commercial reasons why they want that to happen
but there are also application reasons that drive architecture reasons, and
if they align with commercial reasons it is more likely to get deployed.

- Stewart


On 02/08/2018 13:06, ruediger.g...@telekom.de wrote:

Stewart,

I'd appreciate a discussion based on operational experience. In which Diffserv 
supported network did which application fail due to a lack of suitable 
scheduling or due to a lack of codepoints, which would have been working 
properly on the same network with Detnet and more codepoints? I'd be happy, if 
you were able to provide a link to a presentation.

I've started my QoS career with ATM, a technology offering dedicated QoS 
network resources. Spare capacities with a network-fully-booked indication were 
the first lesson I learned, and this combination turned out to be bad whenever 
I encountered it from then on. My take on Diffserv is, that it is useful to 
protect certain traffic in the case of not foreseen networking conditions. That 
means, in 99,....% of the time, todays Diffserv isn't required, because there's 
no congestion.

You seem to head for generic solutions, applicable in all parts of the 
Internet. I don't understand what the benefit of dedicated resources would be, 
given they are required end-to-end. I excuse if I missed a statement that the 
approach you propose is limited to specific instances or sections of the 
Internet.

Regards,

Ruediger


-----Ursprüngliche Nachricht-----
Von: rtgwg [mailto:rtgwg-boun...@ietf.org] Im Auftrag von Stewart Bryant
Gesendet: Donnerstag, 2. August 2018 13:19
An: Joel M. Halpern <j...@joelhalpern.com>; Dongjie (Jimmy) 
<jie.d...@huawei.com>
Cc: TEAS WG (t...@ietf.org) <t...@ietf.org>; rtgwg@ietf.org
Betreff: Re: [Teas] 答复: VPN security vs SD-WAN security



On 01/08/2018 16:26, Joel M. Halpern wrote:

I am not disagreeing with a view that network resource allocation
requires some visibility to those resources.
It is the assertion of a "deep integration" that seems to lack grounding.

We know that one can use our existing VPN technologies and tools like
diffserv, with suitable admission control and path computation, to
provide strong service guarantees to meet SLAs. As others have noted
in other presentations, when it comes to the data plane this seems to
meet the articulated needs from various fora.

Hi Joel,

We can certainly get a long way with those tools for "conventional"
applications.

However, as we support the sort of applications that look for a deterministic 
networking class of SLA, then I am concerned that we need to map the traffic to 
dedicated resources in more detail than we currently do through the diffserv 
mechanism.

What we do at the moment with diffserv is a mapping of packets to resources, 
but in practise we limit those resources to ingress and egress queues with the 
queue management algorithm out of scope. I am not convinced this is adequate 
for the future, and think that we need to start to consider CPU/NPU cores, 
queue algorithms, and maybe other resources.

I am also concerned that the number of diffserv code points available in MPLS 
is going to be insufficient.

Of course what we know today from experience is based on the applications that 
can run on the network infrastructure that we have today. That is a self 
limiting situation. We are designing DETNET because this model is inadequate 
for some classes of application that would like to run over a more general 
network. What we are doing with
VPN+ is to integrate DETNET into a VPN structure alongside classic VPNs.

- Stewart

Yours,
Joel

On 8/1/18 11:22 AM, Dongjie (Jimmy) wrote:

This statement is based on the comparison between overlay VPNs and
network slices. The resource here refers to various data plane
resources that can be allocated to a particular slice (queues,
buffer, etc.). Some level of resource isolation is necessary to
ensure that service in one slice never interferes with service in
another slice.

May I know what are the requirements you've got?

Best regards,
Jie

-----邮件原件-----
发件人: Joel M. Halpern [mailto:j...@joelhalpern.com]
发送时间: 2018年7月30日 23:05
收件人: Dongjie (Jimmy) <jie.d...@huawei.com>
抄送: TEAS WG (t...@ietf.org) <t...@ietf.org>; rtgwg@ietf.org
主题: Re: VPN security vs SD-WAN security

Actually, assuming I understand the statement properly, "deep
integration with the underlay resource would be necessary" does not
appear to be an accurate statement derivable from the requirements
that I have seen.

Yours,
Joel

On 7/30/18 8:23 AM, Dongjie (Jimmy) wrote:

(Adding TEAS as it is where the VPN+ framework draft is discussed)

Hi Robert and Greg,

As discussed during the VPN+ presentation in TEAS at IETF 102, the
scope is not the internet, as we know it would quite difficult or
even impossible to achieve the required guarantee at the scope of internet.

And clearly the VPN overlays cannot provide the required guarantee,
deep integration with the underlay resource would be necessary.

Another aspect we may take into consideration is the factor of
overprovisioning. The current network only has one overprovisioning
factor, which may not meet the requirement of different
services/customers. With network slicing, it is possible to have
different overprovisioning policy and factor in different slices.

Best regards,

Jie

*From:*rras...@gmail.com [mailto:rras...@gmail.com] *On Behalf Of
*Robert Raszuk
*Sent:* Sunday, July 29, 2018 6:11 AM
*To:* Greg Mirsky <gregimir...@gmail.com>
*Cc:* Dongjie (Jimmy) <jie.d...@huawei.com>; rtgwg@ietf.org
*Subject:* Re: VPN security vs SD-WAN security

Hey Greg,

would not require global transit and likely be contained within
access or, at most, metro domains.

That's news to me, but perhaps on the positive side :) I always
think WAN .. really wide one !

The separation on "soft" vs "hard" guarantees is eventually all
about amount of network robustness and level of over provisioning.
I sincerely hope it will not be yet another EVPN overlay over IP
network just painted with different marketing colors.

Besides if any customer is serious and actually counts on those
guarantees he better purchase two of such services coming from
independent operators. That means that to be attractive financially
cost of such premium service must not be higher then half of the
p2p local fiber or cost of local access to closest IX ports + port
subscription in a given MAN where non blocking IX fabric spans
given

geography.

It seems to me that at the end of the day the space for those
operators wishing to offer hard network slicing is actually pretty
narrow, but time will tell ...

Rgs,

r.

On Sat, Jul 28, 2018 at 9:34 PM, Greg Mirsky <gregimir...@gmail.com
<mailto:gregimir...@gmail.com>> wrote:

      Hi Robert,

      very much agree with all you're saying and find us in violent
      agreement on "C". Proactive performance monitoring, in my view
as
      well, is the reasonable path to provide "soft" SLA and, to a
degree,
      prevent oversubscription of the network. And that, as you've
said,
      is one way to "assured/guaranteed global IP transit".

      But I think that there will be demand for "hard" guarantees
for
      URLLC applications. But these, in my view,

      would not require global transit and likely be contained
within
      access or, at most, metro domains. Because of the limited size
of
      the domain, IntServ may work, though that may be not the most
      efficient technique. We shall find out.

      Hence my view on slicing:

        * different applications will have different requirements
and use
          different degrees of isolation and guarantees;
        * "soft" slices may not need much of additional
standardization
          and use available VPN technologies in combination with PM
OAM
          for SLA monitoring and assurance;
        * "hard" slices would span within a single access and/or
metro
          domain. Networking solutions likely will be coupled with
          architecture and interfaces developed in Multi-access Edge
          Computing (MEC).

      Regards,

      Greg

      On Sat, Jul 28, 2018 at 6:02 AM, Robert Raszuk
<rob...@raszuk.net
      <mailto:rob...@raszuk.net>> wrote:

          Hi Jie,

          > (network slicing) is to provide the demanding services
with guaranteed performance in a converged network,

          Foundation of converged IP network is based on statistical
          multiplexing of traffic demands. As such it is in its
principle
          quite contradictory to "guaranteed" characteristics
          (performance, delays, jitter, drops -- you name it).

          Application layers usually deal very well with all of the
above
          I would state - normal characteristics of IP networks..

          No doubt there will be those trying to offer some network
          slicing with guarantees and even those who will buy it.
Just
          like today there are those who offer you L2 circuit
between
          endpoints except such L2 circuit is an emulated one with
zero
          OEM visibility to the IP infrastructure underneath.

          Now the network slicing is clearly aiming for even more
          complexity under the hood. And that is not the only
problem. The
          issue is cost. When SP is building the IP network the goal
is to
          mux as many services on it as it simply results in given's
SP
          revenue. Network slicing is promising as potentially just
by
          configuration of few knobs they will be claiming
guarantees as
          RFC says - except RFC will not likely tell you to stop
          over-provisioning.

          Unless the idea is to use strict policing with dedicated
queuing
          on active and back paths or do something like RSVP IntServ
also
          on active and backup paths per customer - I really don't
think
          you can really guarantee much. And if you do that the cost
would
          likely grow really steep.

          So what is IMO the solution for assured/guaranteed global
IP
          transit:

          *A*  get diversely routed  dark fiber paths between your
POPs
          (can be unprotected) which btw today do not cost that much
anymore

          *B* get diversely routed  optical channels alsol between
your
          POPs (can be unprotected)

          *C*  use N disjoined by design (single AS Internet
providers
          between your end-points) + proper SD-WAN with active SLA
monitoring

          Clearly I am big supporter of *C* model for reasons
discussed on
          this and few other recent threads.

          I assume network slicing will try to get into be something
          between A/B & C but it is bounded up front with the cost
of the
          two.

          Many thx,

          Robert.

          On Sat, Jul 28, 2018 at 9:51 AM, Dongjie (Jimmy)
          <jie.d...@huawei.com <mailto:jie.d...@huawei.com>> wrote:

              Hi Robert,

              IMO the two approaches are targeting at different use
cases
              and customers.

              The former (network slicing) is to provide the
demanding
              services with guaranteed performance in a converged

network,

              while the latter (switching between multiple
paralleled
              networks) provides the customer with the best
performance
              that is available among those candidates. To me the
latter
              is still some kind of best effort, and as Toerless
said, it
              depends on the diversity you can have in the multiple

networks.

              And I agree with Stewart on “you always pay a price
for
              better than best effort.”

              Best regards,

              Jie

              *From:*rtgwg [mailto:rtgwg-boun...@ietf.org
              <mailto:rtgwg-boun...@ietf.org>] *On Behalf Of *Robert

Raszuk

              *Sent:* Wednesday, July 25, 2018 8:24 PM
              *To:* Acee Lindem (acee) <a...@cisco.com
              <mailto:a...@cisco.com>>
              *Cc:* rtgwg@ietf.org <mailto:rtgwg@ietf.org>


              *Subject:* Re: VPN security vs SD-WAN security

              True network slicing for IP networks means either
waist of
              resources or very strict multi-level queuing at each
hop and
              100% ingress traffic policing. Yet while this has a
chance
              to work during normal operation at the time of even
regular
              failures this all pretty much melts like cheese on a
good
              sandwich.

              It is going to be very interesting to compare how
single
              complex sliced network compares for any end to end
robust
              transport from N normal simple IP backbones and end to

end

              SLA based millisecond switch over between one and
another

on

              a per flow basis. Also let's note then while the
former is
              still to the best of my knowledge a draft the latter
is
              already deployed globally in 100s of networks.

              Best,
              R.

              On Wed, Jul 25, 2018 at 1:21 PM, Acee Lindem (acee)
              <a...@cisco.com <mailto:a...@cisco.com>> wrote:

                  *From: *rtgwg <rtgwg-boun...@ietf.org
                  <mailto:rtgwg-boun...@ietf.org>> on behalf of
Stewart
                  Bryant <stewart.bry...@gmail.com
                  <mailto:stewart.bry...@gmail.com>>
                  *Date: *Wednesday, July 25, 2018 at 5:55 AM
                  *To: *Robert Raszuk <rob...@raszuk.net
                  <mailto:rob...@raszuk.net>>
                  *Cc: *Routing WG <rtgwg@ietf.org

<mailto:rtgwg@ietf.org>>

                  *Subject: *Re: VPN security vs SD-WAN security

                  On 25/07/2018 10:40, Robert Raszuk wrote:

                      /* Adjusting the subject ... */

                      Hello

                      Stewart,

                      You have made the below comment in the other

thread

                      we are having:

                          Indeed, I would have expected this to be
on a
                          secure network of some sort either purely
                          private or some form of VPN. However, I am

sure

                          I read in your text that you were
                          considering using the Public Internet much
in
                          the way of SD-WAN.

                      Would you mind as extensively as you can
expand

on

                      the above statement ?

                      Specifically on what basis do you treat say
L2VPN

or

                      L3VPN of naked unencrypted packets often

traveling

                      on the very same links as this "bad" Internet
                      traffic to be even slightly more secure then
IPSEC
                      or DTLS encrypted SD-WAN carried data with

endpoints

                      being terminated in private systems ?

                      Thx,

                      Robert


                  Robert, I think that you have to take it as read
that an
                  air traffic control SoF system is encrypting its
                  packets. If it is not, then it is clearly not fit
for
                  purpose.

                  What concerns me is that an air traffic system is
one of
                  the most, if not the most, high profile targets in
civil
                  society. You get reminded of this each time you
travel
                  to IETF.

                  The thing about safety of flight traffic is that a
                  sustained and effective DDoS attack has global
impact in
                  a way that few other such attacks have.

                  A VPN system ought to sustain resistance to such
an
                  attack better than the proposed system which
treats

the

                  SoF traffic the same as regular traffic.

                  I guess you are making a case for your network
slicing
                  work 😉

                  Acee



                  - Stewart

          _______________________________________________
          rtgwg mailing list
          rtgwg@ietf.org <mailto:rtgwg@ietf.org>
          https://www.ietf.org/mailman/listinfo/rtgwg



_______________________________________________
rtgwg mailing list
rtgwg@ietf.org
https://www.ietf.org/mailman/listinfo/rtgwg

_______________________________________________
Teas mailing list
t...@ietf.org
https://www.ietf.org/mailman/listinfo/teas

_______________________________________________
rtgwg mailing list
rtgwg@ietf.org
https://www.ietf.org/mailman/listinfo/rtgwg

_______________________________________________
rtgwg mailing list
rtgwg@ietf.org
https://www.ietf.org/mailman/listinfo/rtgwg