Linda,

Please see my responses inline marked with AS> …

From: Linda Dunbar <[email protected]>
Date: Tuesday, July 28, 2020 at 5:49 AM
To: Cisco Employee <[email protected]>, "[email protected]" <[email protected]>
Subject: Questions about the ESP-Transport and ESP-in-UDP transport in SECURE-EVPN

Ali,

Just following up on my question in the BESS WG session.
Your draft introduced two Tunnel Types in 5.1: ESP-Transport and ESP-in-UDP Transport, as below.


When standard IP Encapsulating Security Payload (ESP) is used
(without outer UDP header) for encryption of NVO packets, it is used
in transport mode as depicted below. When such encapsulation is used,
for BGP signaling, the Tunnel Type of Tunnel Encapsulation TLV is set
to ESP-Transport and the Tunnel Type of Encapsulation Extended
Community is set to NVO encapsulation type (e.g., VxLAN, GENEVE, GPE,
etc.). This implies that the customer packets are first encapsulated
using NVO encapsulation type and then it is further encapsulated &
encrypted using ESP-Transport mode.

Question 1: Are you assuming that IPsec Transport mode is used, instead of IPsec Tunnel mode?


AS> Not assuming but stating ☺. The 1st line of section 5.1 says:

 “ … it is used in transport mode as depicted below”

Question 2: Your Figure 3 has two encodings, which one is “ESP-Transport”, 
which one is “ESP-in-UDP”?

AS> Figure 3 is for ESP-transport and Figure 4 is for ESP-in-UDP. Furthermore, 
section 5.1 is for ESP-transport and section 5.2 is for ESP-in-UDP.

Question 3: The NVO encapsulation (VxLAN, GENEVE, GRE) can also be inside the 
IPsec ESP tunnel. In that case, which type is used?

AS> The tunnel type of the attribute indicates what kind of underlay tunnel is 
used and the tunnel type of the extended community indicates what kind of 
overlay encap is used. Section 5.1 says:


       “the Tunnel Type of Tunnel Encapsulation TLV is set

   to ESP-Transport and the Tunnel Type of Encapsulation Extended

   Community is set to NVO encapsulation type (e.g., VxLAN, GENEVE, GPE,

   etc.).”

And section 5.2 says:

   “the Tunnel Type
   of Tunnel Encapsulation TLV is set to ESP-in-UDP-Transport and the
   Tunnel Type of Encapsulation Extended Community is set to NVO
   encapsulation type (e.g., VxLAN, GENEVE, GPE, etc.).”

Cheers,
Ali

Thanks, Linda
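The packet layering that the quoted draft text and Ali's answers describe, as an added illustration that is not part of this thread or of the SECURE-EVPN draft: the customer frame is first NVO-encapsulated (VXLAN here, signalled by the Encapsulation Extended Community), then wrapped in ESP transport mode (underlay, signalled by the Tunnel Encapsulation TLV), and for ESP-in-UDP-Transport the ESP packet additionally sits behind a UDP/4500 header. Encryption and the ICV are omitted so the byte layout stays visible, and the VNI, SPI, source port and inner frame are constructed values.

```python
"""Byte layout of the two underlay tunnel types: ESP-Transport and ESP-in-UDP-Transport
around a VXLAN-encapsulated customer frame. Illustration only: NULL encryption, no ICV."""
import struct

VXLAN_PORT = 4789     # NVO overlay encap carried inside ESP
ESP_UDP_PORT = 4500   # UDP encapsulation of ESP (RFC 3948), used by ESP-in-UDP-Transport
IPPROTO_UDP = 17      # ESP Next Header value when the protected payload is a UDP-based NVO encap

def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Overlay step: UDP(4789) + 8-byte VXLAN header + customer frame."""
    vxlan_hdr = struct.pack("!BBBBI", 0x08, 0, 0, 0, vni << 8)   # I flag set, VNI in upper 24 bits
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)  # constructed source port, checksum 0
    return udp_hdr + vxlan_hdr + inner_frame

def esp_transport_encap(spi: int, seq: int, payload: bytes, next_header: int = IPPROTO_UDP) -> bytes:
    """Underlay step, ESP transport mode: SPI | Seq | payload | padding | pad len | next header.
    In transport mode the outer IP header is kept and only its payload (the NVO encap) is protected."""
    assert spi != 0, "SPI 0 is reserved; behind UDP/4500 it would read as the non-ESP (IKE) marker"
    pad_len = (-(len(payload) + 2)) % 4                   # pad len + next header must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))                # RFC 4303 default padding pattern 1, 2, 3, ...
    return struct.pack("!II", spi, seq) + payload + padding + struct.pack("!BB", pad_len, next_header)

def esp_in_udp_encap(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP-in-UDP-Transport: the same ESP packet behind a UDP/4500 header."""
    esp = esp_transport_encap(spi, seq, payload)
    return struct.pack("!HHHH", ESP_UDP_PORT, ESP_UDP_PORT, 8 + len(esp), 0) + esp

def esp_decap(esp: bytes):
    """Receiver side with NULL encryption: strip SPI/Seq and the trailer, return the NVO payload."""
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = struct.unpack("!BB", esp[-2:])
    payload = esp[8:len(esp) - 2 - pad_len]
    return spi, seq, next_header, payload

def classify_udp(udp_packet: bytes) -> str:
    """What an observer sees from the UDP header alone (plain ESP-Transport is IP protocol 50, not UDP)."""
    dport = struct.unpack("!H", udp_packet[2:4])[0]
    if dport == ESP_UDP_PORT:
        return "IKE" if udp_packet[8:12] == b"\x00\x00\x00\x00" else "ESP-in-UDP"
    if dport == VXLAN_PORT:
        return "plain VXLAN (unprotected)"
    return "other"
```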

_______________________________________________
BESS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/bess