Hi Linda,
I'm not sure that I understand what you mean when you say, "aggregate CPE-based
VPN routes with internet routes that interconnect the CPEs". Could you
elaborate?
Ron
From: Linda Dunbar <[email protected]>
Sent: Thursday, July 5, 2018 11:53 AM
To: Eric Rosen <[email protected]>; Ron Bonica <[email protected]>;
[email protected]
Subject: comments and suggestions to draft-rosen-bess-secure-l3vpn-01
Eric and Ron,
We think that the method described in your draft is useful for CPE based EVPN,
especially for SD-WAN between CPEs.
But, it misses some aspects to aggregate CPE-based VPN routes with internet
routes that interconnect the CPEs.
Question to you: Would you like to expand your draft to cover the scenario of
aggregating CPE-based VPN routes with internet routes that interconnect the
CPEs?
If yes, we think the following areas are needed:
* For RR communication with CPE, this draft only mentioned IPsec. Are
there any reasons that TLS/DTLS are not added?
* The draft assumes that C-PE "registers" with the RR. But it doesn't say
how. Should "NHRP" (modified version) be considered?
* It assumes that C-PE and RR are connected by IPsec tunnel. With zero
touch provisioning, we need an automatic way to synchronize the IPsec SA
between C-PE and RR. The draft assumes:
  "A C-PE must also be provisioned with whatever additional information is
  needed in order to set up an IPsec SA with each of the red RRs"
* IPsec requires periodic refreshment of the keys. How to synchronize the
refreshment among multiple nodes?
* IPsec usually only sends configuration parameters to two end points and
lets the two end points negotiate the KEY. Now we assume that RR is
responsible for creating the KEY for all end points. When one end point is
confiscated, all other connections are impacted.
If you are open to expanding your draft to cover SD-WAN, we can help provide the
sections to address the bullets mentioned above.
We have a draft analyzing the technological gaps when using SD-WAN to
interconnect workloads & apps hosted in various locations:
https://datatracker.ietf.org/doc/draft-dm-net2cloud-gap-analysis/
Appreciate your comments and suggestions to our gap analysis.
Thanks, Linda Dunbar
_______________________________________________
BESS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/bess