Linda, You should read my draft again as it explains IPsec tunnels needed at different level of granularity and how this can be achieved with existing routes. The traffic does not get sent till the IPsec tunnel is established between a pair of endpoints and the draft specifies 6 different types of endpoints for different level of granularity – i.e., per PE, per tenant, per subnet, per IP, per MAC, and per AC.
Cheers, Ali From: Linda Dunbar <linda.dun...@huawei.com> Date: Sunday, November 4, 2018 at 7:00 AM To: Cisco Employee <saja...@cisco.com>, "i...@ietf.org" <i...@ietf.org>, "bess@ietf.org" <bess@ietf.org> Subject: RE: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00 Ali, Your draft-sajassi-bess-secure-evpn-00 defines two new Tunnel Types along with its associated sub-TLVs for The Tunnel Encapsulation Attribute [TUNNEL-ENCAP]. [Tunnel-Encap] cannot be effectively used for SD-WAN overlay network because a SD-WAN Tunnel needs to be established before data arrival. There is no routes to be associated with the SD-WAN Tunnel. How do you address those issues? Linda From: Ali Sajassi (sajassi) [mailto:saja...@cisco.com] Sent: Wednesday, October 31, 2018 12:04 PM To: Linda Dunbar <linda.dun...@huawei.com>; i...@ietf.org; bess@ietf.org Subject: Re: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00 Hi Linda, I haven’t read your draft yet. I am traveling now but will plan to read your draft over next couple of days and respond to your questions. Cheers, Ali From: BESS <bess-boun...@ietf.org<mailto:bess-boun...@ietf.org>> on behalf of Linda Dunbar <linda.dun...@huawei.com<mailto:linda.dun...@huawei.com>> Date: Tuesday, October 30, 2018 at 9:19 AM To: "i...@ietf.org<mailto:i...@ietf.org>" <i...@ietf.org<mailto:i...@ietf.org>>, "bess@ietf.org<mailto:bess@ietf.org>" <bess@ietf.org<mailto:bess@ietf.org>> Subject: [bess] Comparing using the SD-WAN Overlay SAFI specified by draft-dunbar-idr-bgp-sdwan-overlay-ext with the EVPN approach described by draft-sajassi-bess-secure-evpn-00 IDR group, BESS group, https://datatracker.ietf.org/doc/draft-dunbar-idr-bgp-sdwan-overlay-ext/ specifies a new BGP SAFI (=74) in order to advertise a SD-WAN edge node’s capabilities in establishing SD-WAN overlay tunnels with other SD-WAN nodes through third party untrusted networks. draft-sajassi-bess-secure-evpn-00 describes an EVPN solution for PE nodes to exchange key and policy to create private pair-wise IPsec Security Associations without IKEv2 point-to-point signaling or any other direct peer-to-peer session establishment messages. I think those two solutions are not conflicting with each other. Actually they are compliment to each other to some degree. For example, * the Re-key mechanism described by draft-sajassi-bess-secure-evpn-00 can be utilized by draft-dunbar-idr-bgp-sdwan-overlay-ext * The SD-WAN Overlay SAFI can be useful to simplify the process on RR to re-distribute the Tunnel End properties to authorized peers. * When SD-WAN edge nodes use private address, or no IP address, NAT properties for the end points distribution described draft-dunbar-idr-bgp-sdwan-overlay-ext is necessary. * The secure channel between SD-WAN edge nodes and RR described by draft-dunbar-idr-bgp-sdwan-overlay-ext is necessary. Any thoughts? Thank you very much. Linda Dunbar
_______________________________________________ BESS mailing list BESS@ietf.org https://www.ietf.org/mailman/listinfo/bess