Network Working Group L. Dunbar
Internet Draft H. Wang
Intended status: Standards Track W. Hao
Expires: January 2019 Huawei
November 7, 2018
BGP Extension for SDWAN Overlay Networks
draft-dunbar-idr-bgp-sdwan-overlay-ext-03
Abstract
The document defines a new BGP SAFI with a new NLRI in order to
advertise a SD-WAN node's properties with other SD-WAN nodes through
third party untrusted networks. The goal is for SD-WAN network to
scale; enabling SD-WAN overlay among large number of SD-WAN nodes
with minimal provisioning, and allow services to be carried by
different SD-WAN transport networks based on user specified
criteria.
A "SD-WAN" network consists of many segments of IPsec tunnels
between SD-WAN nodes. An "end-point" is referring to a port on a SD-
WAN node throughout this document.
This document specifies new sub-TLVs for the SD-WAN End Point's
Attributes.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. This document may not be modified,
and derivative works of it may not be created, except to publish it
as an RFC and to translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
xxx, et al. Expires May 7, 2019 [Page 1]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on May 7, 2009.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction...................................................3
2. Conventions used in this document..............................3
3. Key Characteristics of SD-WAN Overlay Network..................4
4. Overview of the BGP Extension for SD-WAN.......................8
5. SD-WAN Over Tunnel NLRI Format................................10
6. SD-WAN Tunnel Encapsulation Attribute sub-TLV:................10
6.1. IPsec SA sub-TLV.........................................11
6.2. EncapsExt sub-TLV........................................13
7. SD-WAN Tunnel Advertisement Method:...........................14
8. Manageability Considerations..................................15
9. Security Considerations.......................................15
Dunbar, et al. Expires Jan 2019 [Page 2]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
10. IANA Considerations..........................................15
11. References...................................................16
11.1. Normative References....................................16
11.2. Informative References..................................16
12. Acknowledgments..............................................17
1. Introduction
The document defines a new BGP SAFI with a new NLRI in order to
advertise a SD-WAN node's properties with other SD-WAN nodes through
third party untrusted networks. The goal is for SD-WAN network to
scale; enabling SD-WAN overlay among large number of SD-WAN nodes
with few provisioning needed, and allow services to be carried by
different SD-WAN transport networks based on user specified
criteria.
A "SD-WAN" network consists of many segments of IPsec tunnels
between SD-WAN nodes. An "end-point" is referring to a port on a SD-
WAN node throughout this document.
[Net2Cloud-Problem] describes the problems that enterprises face
today in transitioning their IT infrastructure to support digital
economy, such as the need to connect enterprises' branch offices to
dynamic workloads in different Cloud DCs, or aggregating multiple
paths provided by different service providers to achieve better
experience.
Even though SD-WAN has been used as a flexible way to reach
workloads in dynamic third party data centers or aggregate multiple
underlay paths, scaling becomes a big issue when there are hundreds
or thousands of nodes to be interconnected by the SD-WAN overlay
paths.
BGP is widely used by underlay networks. This document expand the
BGP to make SD-WAN overlay network scale better.
2. Conventions used in this document
Cloud DC: Off-Premise Data Centers that usually host applications
and workload owned by different organizations or
tenants.
Dunbar, et al. Expires Jan 2019 [Page 3]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
Controller: Used interchangeably with SD-WAN controller to manage
SD-WAN overlay path creation/deletion and monitor the
path conditions between sites.
CPE-Based VPN: Virtual Private Secure network formed among CPEs.
This is to differentiate from most commonly used PE-
based VPNs a la RFC 4364.
OnPrem: On Premises data centers and branch offices
SD-WAN End-point: a port (logical or physical) of a SD-WAN node.
SD-WAN: Software Defined Wide Area Network, which can mean many
different things. In this document, "SD-WAN" refers to
the solutions specified by ONUG (Open Network User
Group), which build point-to-point IPsec overlay paths
between two end-points (or branch offices) that need to
intercommunicate.
SD-WAN Transport Network: One transport network between two SD-WAN
nodes. There could be multiple transport networks
between two SD-WAN nodes.
SD-WAN IPsec Tunnel: IPsec tunnel over a Transport Network.
3. Key Characteristics of SD-WAN Overlay Network
A SD-WAN Overlay consists of many SD-WAN nodes that are
interconnected by multiple untrusted underlay transport networks.
For a small sized SD-WAN network, traditional hub & spoke model
using NHRP or DSVPN/DMVPN with a hub node (or controller) managing
SD-WAN node end-points (e.g. local & public addresses and tunnel
identifiers mapping) can work reasonably well. However, for a large
SD-WAN network, say more than 100 nodes with different types of
topologies, the traditional approach becomes very messy, complex and
error prone.
Here are some characteristics of SD-WAN Overlay network:
Dunbar, et al. Expires Jan 2019 [Page 4]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
1. SD-WAN IPsec - Transport establishment needs to be separate
from Routes/services attached to each site.
2. Route distribution has to be independent from multiple
transport networks between sites
- Site based routes (instead of port based routes)
3. Transport selection between sites are local section. Same
service can use different Transport networks between sites.
- Different services, routes, or VLANs can be carried by
one SD-WAN Transport; same service/routes/VLAN can be
carried by different SD-WAN Transport at different time
depending on the policies specified by users.
4. Managing IPsec Keys and re-Keys are complicated, it does not
scale well if a SD-WAN end point has to manage many fine-
grained tunnels with its peers, such as per route, per VLAN
based SD-WAN IPsec tunnel.
In addition, hosts/applications attached to SD-WAN nodes can belong
to different tenants, requiring SD-WAN nodes to establish different
tunnels to different SD-WAN nodes. As shown in the figure below, C1
node alone has to establish following SD-WAN tunnels:
- two SD-WAN tunnels to C2: one for Tenant 1, another one for Tenant
2,
- One SD-WAN tunnel to C3 for Tenant 1, and
- two SD-WAN tunnels to C4: one for Tenant 1, another one for Tenant
2,
Dunbar, et al. Expires Jan 2019 [Page 5]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
+----------+
+--------+ Tenant 2 |
| +----------+
+--------+ | +--------+
| Tenant +--+ | +----| Tenant |
| 1 | | | | | 1 |
+--------+ | ................. | | +--------+
| +-+-+ +-+-+ |
+--|C1 |---+ +---|C2 |-----+ +---------+
+-+-+ | | +---+ /-----+ Tenant 1|
/ . +-----+ . / +---------+
/ . +--| RR |--+ . / +---------+
/ . | +-----+ \ . /------+ Tenant 3|
| . | Overlay \ . / +---------+
| . | untrusted +--+--+ +--------+
+--------+ | . | Networks | C4 | | Tenant |
| Tenant +--+ . | | |----| 2 |
| 2 | . \ +---+ +--+--+ +--------+
+--------+ .....+C3 +..........+
+---+
|
|
=====================
| |
+--------+ +--------+
| Tenant | | Tenant |
| 2 | | 3 |
+--------+ +--------+
This document proposes a method of using BGP for a SD-WAN node to
advertise its SD-WAN capabilities and SD-WAN end-point properties to
other SD-WAN nodes.
[Tunnel-Encaps] removed SAFI =7 (which was specified by RFC5512) for
distributing encapsulation tunnel information. [Tunnel-Encap]
require Tunnels being associated with routes.
The mechanisms described by [Tunnel-Encap] cannot be effectively
used for SD-WAN overlay network because:
- SD-WAN Tunnel needs to be established before data arrival because it
takes several rounds of negotiation between two end-points to agree
upon the encryption algorithms, exchange public keys, and be
authorized to communicate with each other. Unlike an EVPN PE, which
can always establish VxLAN tunnel to a another PE, an IPsec tunnel
Dunbar, et al. Expires Jan 2019 [Page 6]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
between two points might fail to be established due to no agreed
upon encryption mechanism.
- Different services, routes, or VLANs can be carried by one SD-WAN
tunnel; same service/routes/VLAN can be carried by different SD-WAN
tunnels at different time depending on the policies specified by
users. When one SD-WAN tunnel encounter more congestion or delay, a
subset of the services/routes/VLAN carried by the SD-WAN tunnel have
to be switched to a different SD-WAN tunnel.
- When a VLAN or a route is deleted/added from/to an SD-WAN node, the
SD-WAN Tunnel between this node and another node should not be
impacted.
- Managing IPsec Keys and re-Keys are complicated, it does not scale
well if a SD-WAN end point has to manage many fine-grained tunnels
with its peers, such as per route, per VLAN based SD-WAN IPsec
tunnel.
- Sometimes, a SD-WAN tunnel has to traverse a specific location due
to policies or running environment.
There is a suggestion on using a "Fake Route" for a SD-WAN node to
use [Tunnel-Encap] to advertise its SD-WAN tunnel end-points
properties. However, using "Fake Route" can create deployment
complexity for large SD-WAN networks with many tunnels. For example,
for a SD-WAN network with hundreds of nodes, with each node having
many ports & many end-points to establish SD-WAN tunnels to their
corresponding peers, the node would need many "fake addresses". For
large SD-WAN networks (such as has more than 10000 nodes), each node
might need 10's thousands of "fake addresses", which is very
difficult to manage and needs lots of configuration to get the nodes
provisioned.
Dunbar, et al. Expires Jan 2019 [Page 7]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
The key value proposition of SD-WAN is its dynamic nature. Most SD-
WAN deployment requires the following key properties:
- Zero Touch Provisioning: meaning a SD-WAN node needs to be plug and
play. The huge amount of "fake addresses" configurations required by
the [Tunnel-Encap] mechanism make it not possible to be used for SD-
WAN tunnels.
- The IP address of ports to a SD-WAN node can be dynamic (e.g.
assigned by DHCP); therefore, there is no fixed IP address that can
be used to uniquely to represent a SD-WAN tunnel end-point.
"System-ID + PortID" can usually uniquely identify a SD-WAN
end-point. That means the nexthop of a SD-WAN tunnel can be
"System-ID + Port ID". Sometimes, a SD-WAN tunnel end-point can
be associated with "private IP" + "public IP" (if NAT is used.)
Another very important reason for needing a specific SAFI for SD-WAN
Overlay is for many intermediate nodes that do not terminate SD-WAN
tunnels to ignore the NLRI SD-WAN Overlay SAFI update messages, to
avoid the extra processing incurred.
[Net2Cloud-gap] has more in-depth analysis of the gaps of available
protocols in support SD-WAN overlay networks.
4. Overview of the BGP Extension for SD-WAN
To avoid confusion of different interpretation of SD-WAN, the BGP
SD-WAN Overlay NLRI extension described in this document is for a
SD-WAN deployment with the following characteristics:
- There is a Central Controller, which can be reached by an SD-WAN node
upon power up, and a TLS or SSL secure channel can be established
between the SD-WAN node and the Central Controller.
- The Central Controller can designate a Local Controller in the
proximity of the SD-WAN node; the Local Controller and the SD-WAN
nodes might be connected by third party untrusted network. In the
context of using BGP to control the SD-WAN overlay network, Route
Reflector (RR, [RFC4456]) can act as a Local Controller. The SD-WAN
node can establish a secure connection (TLS, SSL, etc) to the Local
Controller (RR).
Dunbar, et al. Expires Jan 2019 [Page 8]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
The BGP SD-WAN Overlay NLRI extension described in this document is
for SD-WAN nodes to advertise their SD-WAN capabilities & tunnel
end-points attributes to peers belonging to the same tenant, such as
a. to advertise the identifiers of ports that support establishing SD-WAN
overlay tunnels to other peers,
b. to advertise ports private addresses (or dynamically assigned IP
addresses),
c. to advertise its supported IPsec capability, such as the supported
encryption algorithms, etc.
Since there are secure channels (TLS, SSL, etc.) established between
the Local Controller (i.e. RR) and SD-WAN nodes, the NLRI can be
advertised to their peers belonging to the same tenants via the
secure channel to/from the RR.
The BGP extension for the advertisement of SD-WAN tunnels includes
following components:
- A new Subsequent Address Family Identifier (SAFI=74) whose NLRI
identifies a (SD-WAN) overlay tunnel, the properties of the tunnel
end-points, and the associated policies.
- A new Route Type that defines the encoding of the rest of the SD-WAN
Overlay NLRI, and a set of sub-TLVs to specify the tunnel & its end-
point attributes, policies associated with the tunnel, etc. Here are
the sub-TLVs needed for SD-WAN tunnel:
o Tunnel IPsec configuration attributes, such as public keys, the
encryption algorithms, etc.
o Tunnel Encap Extension, which is for specify specific attributes
associated for SD-WAN tunnel end-points.
- Port Distinguisher: one (SD-WAN) node can have multiple ports, and
each port can support multiple SD-WAN tunnels to different peers. The
Port Distinguisher is used to describe port (or link identifier).
- SD-WAN Color: used to identify a common property shared by a set of
SD-WAN nodes, such as the property of a specific geographic location.
The property is used to steer an overlay route to traverse specific
geographic locations for various reasons, such as to comply
regulatory rules, to utilize specific value added services, or
others.
Dunbar, et al. Expires Jan 2019 [Page 9]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
5. SD-WAN Over Tunnel NLRI Format
The new SAFI=74, the SD-WAN Overlay SAFI, has been assigned by IANA,
from the "Subsequent Address Family Identifiers (SAFI) Parameters"
registry.
The SD-WAN Overlay SAFI (=74) uses a new NLRI defined as follows:
+------------------+
| NLRI Length | 1 octet
+------------------+
| Route-Type | 1 Octet
+------------------+
| Port-ID | 4 octets
+------------------+
| SD-WAN-color | 4 octets
+------------------+
| SD-WAN-Node-ID | 4 or 16 octets
+------------------+
where:
- NLRI Length: 1 octet of length expressed in bits as defined in
[RFC4760].
- Route-Type: to define the encoding of the rest of the SD-WAN Overlay
NLRI.
- Port ID: one (SD-WAN) node can have multiple ports, and each port can
support multiple SD-WAN tunnels to different peers. The Port ID is
used to identify the port, a.k.a. link identifier.
- SD-WAN-color: used to identify a common property shared by a set of
SD-WAN nodes, such as the property of a specific geographic location.
- SD-WAN Node ID: the SD-WAN NLRI advertisement is sent out by the SD-
WAN node to indicate all the available ports supporting SD-WAN
tunnels. The SD-WAN Node ID can be the node's system ID, such as the
loopback address of the SD-WAN node.
6. SD-WAN Tunnel Encapsulation Attribute sub-TLV:
The SD-WAN overlay tunnel end-points property is encoded in the
Tunnel Encapsulation Attribute originally defined in [Tunnel-
Encap]using a new Tunnel-Type TLV (SD-WAN Tunnel Type, with the code
point to be assigned by IANA) from the "BGP Tunnel Encapsulation
Attribute Tunnel Types".
The SD-WAN Tunnel End-Point Property Encoding structure is as
follows:
Dunbar, et al. Expires Jan 2019 [Page 10]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
Overlay SAFI (=74) NLRI: < Route-Type, Length, Port-ID, SD-WAN-color,
SD-WAN-Node-ID>
Attributes:
Tunnel Encaps Attribute
Tunnel Type: SD-WAN-Tunnel
EncapExt SubTLV
IPsec-SA Attribute SubTLV
Where
- Encap-Ext SubTLV is for describing additional information about the
SD-WAN tunnel end-points, such as NAT property.
- IPsec-SA SubTLV is for the node to establish IPsec SA with other
peers.
The Tunnel Encaps Attribute are defined as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Tunnel-Type(2 Octets) | Length (2 Octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Value |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: SD-WAN Tunnel Encapsulation TLV Value Field
Where:
Tunnel Type is SD-WAN (to be assigned by IANA).
6.1. IPsec SA sub-TLV
The IPsecSA sub-TLV is for the SD-WAN node to establish IPsec
security association with their peers:
0 8 16 24 32
+--------------+--------------+--------------+--------------+
|NextPayload | msg version | total length |
+--------------+--------------+--------------+--------------+
|exchange type | reserved |
+--------------+--------------+--------------+--------------+
| next type | reserved | length |
+--------------+--------------+--------------+--------------+
Dunbar, et al. Expires Jan 2019 [Page 11]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
| protocol id | reserved | proposal no | spi size |
+--------------+--------------+--------------+--------------+
| SPI |
+--------------+--------------+--------------+--------------+
| attribute(tv/tlv) 1 |
+--------------+--------------+--------------+--------------+
| attribute(tv/tlv) 2 |
+--------------+--------------+--------------+--------------+
| --- |
+--------------+--------------+--------------+--------------+
| attribute(tv/tlv) n |
+--------------+--------------+--------------+--------------+
| next type | reserved | length |
+--------------+--------------+--------------+--------------+
| dh group id | key state | reserved |
+--------------+--------------+--------------+--------------+
| key data |
+ +
| --- |
+--------------+--------------+--------------+--------------+
| next type | reserved | length |
+--------------+--------------+--------------+--------------+
| nonce |
+--------------+--------------+--------------+--------------+
Where:
o IPsec properties such as AH, ESP, or AH+ESP are encoded in the
"Attributes", such as
o Tunnel Mode or Transport mode
o AH authentication algorithms supported, which can be md5 |
sha1 | sha2-256 | sha2-384 | sha2-512 | sm3. Each SD-WAN
node can have multiple authentication algorithms; send to
its peers to negotiate the strongest one.
o ESP authentication algorithms supported, which can be md5
| sha1 | sha2-256 | sha2-384 | sha2-512 | sm3. Each SD-WAN
node can have multiple authentication algorithms; send to
its peers to negotiate the strongest one. Default
algorithm is AES-256.
o Duration: SA life span.
Dunbar, et al. Expires Jan 2019 [Page 12]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
6.2. EncapsExt sub-TLV
EncapsExt sub-TLV is for describing additional information about the
SD-WAN tunnel end-points, such as NAT property. A SD-WAN node can
inquire STUN (Session Traversal of UDP Through Network Address
Translation RFC 3489) Server to get the NAT property, the public IP
address and the Public Port number to pass to peers.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|EncapExt Type | EncapExt subTLV Length |I|O|R|R|R|R|R|R|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NAT Type | Encap-Type |Trans networkID| RD ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Local IP Address |
32-bits for IPv4, 128-bits for Ipv6
~~~~~~~~~~~~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Local Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Public IP |
32-bits for IPv4, 128-bits for Ipv6
~~~~~~~~~~~~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Public Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Where:
o EncapExt Type: indicate it is the EncapExt SubTLV.
o EncapExt subTLV Length: the length of the subTLVE.
o Flags:
- I bit (CPE port address or Inner address scheme)
If set to 0, indicate the inner (private) address is IPv4.
If set to 1, it indicates the inner address is IPv6.
- O bit (Outer address scheme):
If set to 0, indicate the public (outer) address is IPv4.
Dunbar, et al. Expires Jan 2019 [Page 13]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
If set to 1, it indicates the public (outer) address is
IPv6.
- R bits: reserved for future use. Must be set to 0 now.
o NAT Type.without NAT; 1:1 static NAT; Full Cone; Restricted
Cone; Port Restricted Cone; Symmetric; or Unknown (i.e. no
response from the STUN server).
o Encap Type.SD-WAN tunnel encapsulation types, such as
IPsec+GRE, IPsec+VxLAN, IPsec without GRE, GRE (when tunnel is
over secure underlay network)
o Transport Network ID.Central Controller assign a global unique
ID to each transport network.
o RD ID.Routing Domain ID.Need to be global unique.
o Local IP.The local (or private) IP address of the tunnel end-
point.
o Local Port.used by Remote SD-WAN node for establishing IPsec to
this specific port.
o Public IP.The IP address after the NAT.
o Public Port.The Port after the NAT.
7. SD-WAN Tunnel Advertisement Method:
+---+
Peer Group 1 |RR | Peer Group 2
+======+====+=+ +======+====+=====+
/ / | +---+ | \ \
/ / | | | \
+-+-+ +-+--+ +-+-+ +-+-+ +-+-+ +-+-+
|CPE| | CPE|--|CPE| |CPE| |CPE| |CPE|
| 1 | | 2 | | 3 | |4 | | 5 | | 6 |
+---+ +----+ +---+ +---+ +---+ +---+
Tenant 1 Tenant 2
For SD-WAN overlay network, the SD-WAN nodes (a.k.a. CPEs) belonging to the
same Tenant can be far apart and can be connected by third party untrusted
networks. Therefore, it is not appropriate for a SD-WAN node (CPE) to
advertise its SD-WAN tunnel properties to its immediate neighbors. Each CPE
Dunbar, et al. Expires Jan 2019 [Page 14]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
propagates its SD-WAN tunnel attributes via the secure channel established
with RR.
The processing steps on CPE1 are as follow:
- Report the SD-WAN tunnel information, such as IPsec property, NAT,
etc. to RR via the Overlay SAFI NLRI.
- RR propagate the information to CPE2 & CPE 3.
- CPE2 and CPE3 can establish IPsec SA with the CPE1 after receiving
the Overlay SAFI NLRI from RR.
Tenant separation is achieved by different SD-WAN nodes being added
to different Peer Group.
8. Manageability Considerations
TBD
9. Security Considerations
The intention of this draft is to identify the gaps in current and
proposed SD-WAN approaches that can address requirements
identified in [Net2Cloud-problem].
Several of these approaches have gaps in meeting enterprise
security requirements when tunneling their traffic over the
Internet, as is the general intention of SD-WAN. See the
individual sections above for further discussion of these security
gaps.
10. IANA Considerations
This document requires the following IANA actions.
o SD-WAN Overlay SAFI = 74 assigned by IANA
o SD-WAN Route Type
o SD-WAN Tunnel Type
o IPsec-SA Type
o EncapExt Type
Dunbar, et al. Expires Jan 2019 [Page 15]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
11.2. Informative References
[RFC8192] S. Hares, et al, "Interface to Network Security Functions
(I2NSF) Problem Statement and Use Cases", July 2017
[RFC5521] P. Mohapatra, E. Rosen, "The BGP Encapsulation Subsequent
Address Family Identifier (SAFI) and the BGP Tunnel
Encapsulation Attribute", April 2009.
[Tunnel-Encap]E. Rosen, et al, "The BGP Tunnel Encapsulation
Attribute", draft-ietf-idr-tunnel-encaps-09, Feb 2018.
[VPN-over-Internet] E. Rosen, "Provide Secure Layer L3VPNs over
Public Infrastructure", draft-rosen-bess-secure-l3vpn-00,
work-in-progress, July 2018
[DMVPN] Dynamic Multi-point VPN:
https://www.cisco.com/c/en/us/products/security/dynamic-
multipoint-vpn-dmvpn/index.html
[DSVPN] Dynamic Smart VPN:
http://forum.huawei.com/enterprise/en/thread-390771-1-
1.html
[ITU-T-X1036] ITU-T Recommendation X.1036, "Framework for creation,
storage, distribution and enforcement of policies for
network security", Nov 2007.
[Net2Cloud-Problem] L. Dunbar and A. Malis, "Seamless Interconnect
Underlay to Cloud Overlay Problem Statement", draft-dm-
net2cloud-problem-statement-02, June 2018
Dunbar, et al. Expires Jan 2019 [Page 16]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
[Net2Cloud-gap] L. Dunbar, A. Malis, and C. Jacquenet, "Gap Analysis
of Interconnecting Underlay with Cloud Overlay", draft-dm-
net2cloud-gap-analysis-02, work-in-progress, Aug 2018.
[Tunnel-Encap] E. Rosen, et al "The BGP Tunnel Encapsulation
Attribute", draft-ietf-idr-tunnel-encaps-10, Aug 2018.
12. Acknowledgments
Acknowledgements to Jim Guichard, John Scudder, Darren Dukes, Andy
Malis and Donald Eastlake for their review and contributions.
This document was prepared using 2-Word-v2.0.template.dot.
Dunbar, et al. Expires Jan 2019 [Page 17]
Internet-Draft BGP-SDWAN-Overlay-Ext November 2018
Authors' Addresses
Linda Dunbar
Huawei
Email: Linda.Dunbar@huawei.com
Haibo Wang
Huawei
Email: rainsword.wang@huawei.com
WeiGuo Hao
Huawei Technologies Co.,Ltd.
Email: haoweiguo@huawei.com
Dunbar, et al. Expires Jan 2019 [Page 18]