IDR experts:
SDWAN is an overlay network arching over multiple types of networks. A SDWAN
edge node may need to map client traffic to different SDWAN network instances
(or segmentations).
It might not be feasible to use the AS number in the BGP message to
differentiate the SDWAN network instances as multiple SDWAN instances may share
the same AS number.
We would like to hear feedback from IDR group on using similar method as
Binding MPLS Labels to Address Prefixes [RFC8277] to bind SDWAN Instance ID to
prefixes.
When MPLS VPN SAFI (=128) is present, MPLS label is carried by NLRI [RFC8277]
as:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length | Label |Rsrv |S|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Prefix ~
~ |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: NLRI with One Label
We would like to propose the SDWAN Instance ID being encoded in the Label
field as follows when SDWAN SAFI (=74 allocated by IANA) is used,:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length | SDWAN Instance ID (Label) |Rsrv |S|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Prefix ~
~ |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NLRI with SDWAN Instance ID.
Greatly appreciate any comments or other suggestions.
Thank you,
Linda Dunbar
From: Huaimo Chen <[email protected]>
Sent: Monday, March 23, 2020 9:14 AM
To: Linda Dunbar <[email protected]>; [email protected]
Cc: [email protected]
Subject: Re: [Idr] FW: Is there any problem of using Private AS as "Identifier"
to differentiate SD-WAN Segmentation for draft-dunbar-bess-bgp-sdwan-usage?
Hi Linda,
It seems that using another SAFI is a possible solution.
Best Regards,
Huaimo
________________________________
From: Linda Dunbar
<[email protected]<mailto:[email protected]>>
Sent: Friday, March 20, 2020 12:54 AM
To: Huaimo Chen <[email protected]<mailto:[email protected]>>;
[email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>>
Cc: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>>
Subject: RE: [Idr] FW: Is there any problem of using Private AS as "Identifier"
to differentiate SD-WAN Segmentation for draft-dunbar-bess-bgp-sdwan-usage?
Huaimo,
Thank you very much for the suggestion.
Do you mean using the similar approach as VPN Label carried by NLRI Path
Attribute [RFC8277] for SDWAN Segmentation Identifier?
If yes, the UPDATE message should not use the MPLS VPN SAFI (=128) to avoid
confusion, right?
Linda
From: Huaimo Chen <[email protected]<mailto:[email protected]>>
Sent: Thursday, March 19, 2020 6:45 PM
To: Linda Dunbar
<[email protected]<mailto:[email protected]>>;
[email protected]<mailto:[email protected]>
Cc: [email protected]<mailto:[email protected]>
Subject: Re: [Idr] FW: Is there any problem of using Private AS as "Identifier"
to differentiate SD-WAN Segmentation for draft-dunbar-bess-bgp-sdwan-usage?
Hi Linda,
It seems that a label may be used as an "Identifier" to differentiate
SD-WAN Segmentation.
Best Regards,
Huaimo
________________________________
From: Idr <[email protected]<mailto:[email protected]>> on behalf of
Linda Dunbar <[email protected]<mailto:[email protected]>>
Sent: Thursday, March 19, 2020 1:22 PM
To: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>>
Cc: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>>
Subject: [Idr] FW: Is there any problem of using Private AS as "Identifier" to
differentiate SD-WAN Segmentation for draft-dunbar-bess-bgp-sdwan-usage?
BGP Experts,
Do you know if there is any problem of using Private AS as "Identifier" to
differentiate SD-WAN Segmentation? Here is the discussion in BESS WG. Want to
get IDR WG feedbacks for this question.
Thank you.
Linda
From: Linda Dunbar
Sent: Thursday, March 19, 2020 11:54 AM
To: Najem, Basil <[email protected]<mailto:[email protected]>>;
[email protected]<mailto:[email protected]>
Cc:
[email protected]<mailto:[email protected]>
Subject: Is there any problem of using Private AS as "Identifier" to
differentiate SD-WAN Segmentation for draft-dunbar-bess-bgp-sdwan-usage?
Based on Basil's comment on needing an identifier to differentiate SDWAN
instances, I added a section to draft-dunbar-bess-bgp-sdwan-usage . Want to
hear people's feedback.
3.1 Requirements
3.1.1Supporting Multiple SDWAN Segmentations
The term "network segmentation" is used extensively in SDWAN deployment. In
general (and in this document), the "Network Segmentation" is referring to the
process of dividing the network into logical sub-networks using isolation
techniques on a forwarding device such as a switch, router, or firewall.. For a
homogeneous network, such as MPLS VPN or Layer 2 network, VRF or VLAN are used
to separate network segments.
As SDWAN is an overlay network arching over multiple types of networks, it is
important to have distinct identifiers to differentiate SDWAN network instances
(or segmentations). When different SDWAN network segments do not have their own
assigned AS numbers, a very easy way is to use Private AS numbers, in the range
of 64512 to 65535, to differentiate different SDWAN segmentations. When using
BGP to control the SDWAN networks, the Private AS numbers are carried by the
BGP UPDATE messages to their corresponding RRs.
Greatly appreciate any feedback on this description.
Is there any scenario that Private AS cannot be used?
Thank you very much.
Linda Dunbar
From: Najem, Basil <[email protected]<mailto:[email protected]>>
Sent: Friday, February 7, 2020 3:02 PM
To: Linda Dunbar
<[email protected]<mailto:[email protected]>>;
[email protected]<mailto:[email protected]>
Cc:
[email protected]<mailto:[email protected]>
Subject: RE: solicit feedback on draft-dunbar-bess-bgp-sdwan-usage description
of using BGP UPDATE messages to achieve SD-WAN Application Based Segmentation
Hi Linda;
The SD-WAN Segment is part of the SD-WAN fabric; in other words, there could be
more than one Segment over a single underlay depending on the design and the
business requirements.
Each Segment represents a single and an isolated L3 domain; therefore, I
suggested that we may need to include the Segment ID in the BGP update messages
in order to identify and build the routing the table for each Segment (based on
the Segment ID).
Hope this helps.
Regards;
Basil
From: Linda Dunbar
<[email protected]<mailto:[email protected]>>
Sent: February-03-20 10:40 AM
To: Najem, Basil <[email protected]<mailto:[email protected]>>;
[email protected]<mailto:[email protected]>
Cc:
[email protected]<mailto:[email protected]>
Subject: [EXT]RE: solicit feedback on draft-dunbar-bess-bgp-sdwan-usage
description of using BGP UPDATE messages to achieve SD-WAN Application Based
Segmentation
Basil,
Thank you very much for the comments.
Your suggested wording change will be incorporated in the next revision.
As for your suggestion of Segment and Segment ID of a SDWAN node (to be
included in the BGP UPDATE), does the "Segment" mean the different Underlay?
In the figure below, C-PE1 has 3 WAN ports: 2 to MPLS network and 1 to Public
Internet.
Do you mean C-PE1 has 3 WAN "segments"?
If not, can you elaborate more?
[cid:[email protected]]
Thanks, Linda
From: Najem, Basil <[email protected]<mailto:[email protected]>>
Sent: Sunday, February 02, 2020 5:48 PM
To: Linda Dunbar
<[email protected]<mailto:[email protected]>>;
[email protected]<mailto:[email protected]>
Cc:
[email protected]<mailto:[email protected]>
Subject: RE: solicit feedback on draft-dunbar-bess-bgp-sdwan-usage description
of using BGP UPDATE messages to achieve SD-WAN Application Based Segmentation
Hello Linda;
I haven't gone through the entire document; however, I have the following quick
comments
1. Regarding the following paragraph:
1. Augment of transport, which refers to utilizing overlay paths over
different underlay networks. Very often there are multiple parallel overlay
paths between any two SDWAN edges, some of which are private networks over
which traffic can traverse without encryption, others require encryption, e.g.
over untrusted public networks.
The traffic that traverses the privet networks can be either encrypted or
unecrypted (in other words, the assumption that the traffic is NOT encrypted is
not always correct). I would change the parpagaph to the following (for
clarity):
1. Augment of transport, which refers to utilizing overlay paths over
different underlay networks. Very often there are multiple parallel overlay
paths between any two SDWAN edges, some of which are private networks over
which traffic can traverse with or without encryption, others require
encryption, e.g. over untrusted public networks.
1. Another thing that we need to discuss is the Segment ID; each Segment (at
the SD-WAN Edge) MUST have an ID. The SD-WAN Policy will map the Application
Flow to the Segment. Since the Segment is a "routing domain", the BGP update
will be exchanged with the memebers of a particular Segment.
As such: Should we include the Segment ID as an attribute in the BGP update
messages? Perhaps we need to further discuss this in details.
Any feedback is welcomed and it's highly appreciated.
Regards;
Basil
From: Linda Dunbar
<[email protected]<mailto:[email protected]>>
Sent: January-31-20 5:17 PM
To: [email protected]<mailto:[email protected]>
Cc:
[email protected]<mailto:[email protected]>
Subject: [EXT]solicit feedback on draft-dunbar-bess-bgp-sdwan-usage description
of using BGP UPDATE messages to achieve SD-WAN Application Based Segmentation
BESS participants:
"SDWAN" networks is characterized by:
1. Augment of transport, which refers to utilizing overlay paths over
different underlay networks. Very often there are multiple parallel overlay
paths between any two SDWAN edges, some of which are private networks over
which traffic can traverse without encryption, others require encryption, e.g.
over untrusted public networks.
2. Enable direct Internet access from remote sites, instead hauling all
traffic to Corporate HQ for centralized policy control.
3. Some traffic are routed based on application IDs instead of based on
destination IP addresses.
https://datatracker.ietf.org/doc/draft-dunbar-bess-bgp-sdwan-usage/<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dunbar-bess-bgp-sdwan-usage%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C99acf950b82f4213da7f08d7cf34789d%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637205696587614498&sdata=0MdUmWEie3Fd4y3UCVJ4HBdY0oxiBY4xiTK5%2FiMaAkQ%3D&reserved=0>
describes examples of using BGP UPDATE messages to achieve the SDWAN
Application Based Segmentation, assuming that the applications are assigned
with unique IP addresses.
In the Figure below, the following BGP Updates can be advertised to ensure that
Payment Application only communicates with the Payment Gateway:
[cid:[email protected]]
BGP UPDATE #1 from C-PE2 to RR for the RED P2P topology (only propagated to
Payment GW node:
- MP-NLRI Path Attribute:
* 30.1.1.x/24
- Tunnel Encap Path Attribute
* IPsec Attributes for PaymentGW ->C-PE2
BGP UPDATE #2 from C-PE2 to RR for the routes to be reached by Purple:
- MP-NLRI Path Attribute:
* 10.1.x.x
* 12.4.x.x
- TunnelEncap Path Attribute:
* Any node to C-PE2
Your feedback is greatly appreciated.
Thank you very much.
Linda Dunbar
________________________________
External Email: Please use caution when opening links and attachments /
Courriel externe: Soyez prudent avec les liens et documents joints
________________________________
External Email: Please use caution when opening links and attachments /
Courriel externe: Soyez prudent avec les liens et documents joints
_______________________________________________
BESS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/bess
