From YouTube: IETF105-IDR-20190724-1330
Description
IDR meeting session at IETF105
2019/07/24 1330
https://datatracker.ietf.org/meeting/105/proceedings/
A
Okay, so I'm going to start, because, for my sins, I'm chairing the IPsec-related work section. So, John, I think you need... We're going to go through agenda bashing, which is right now. Then we're going to go through my introduction to it, which will take about 15 minutes. In that, if you're an IDR person, I've put in a whole lot of detail that gives you the TLVs, but I'm going to give the high level for the security people, because TLVs may not be as important as the general security.
A
Then Jun, who is going to give a remote presentation on the IPsec single-tunnel configuration. Then Linda is going to give some more details on SD-WAN ports, because I think use cases are as important. And then Ali and Dave are going to give a presentation on the secure methodology for EVPN, at which point we're going to have a general discussion about the security methodology and issues relating to BGP VPNs versus other things.
A
You know, when I had young kids who watched certain TV shows, there were two levels of presentation: one was for the parents and one was for the kids, and I liked it, because there was that sort of fun. Well, here you're all adults, but I put in enough details that if you're an IDR person you can read the details, but I'll be talking at the higher level, so we can interact with our security brethren.
A
The drafts we're considering are draft-sajassi-bess-secure-evpn, draft-hujun-idr-bgp-ipsec, and the Dunbar IDR SD-WAN draft. You have to realize there are supporting drafts. There are supporting drafts for the secure VPN from the Carrel IPsec controller draft. There is some core work from I2NSF for an IPsec flow controller, and then there is supporting work in BGP from the tunnel encapsulation draft and a use case from draft-dunbar, so we'll just sort of reference these. I'm expecting you to read them.
A
If you're IDR, you know how to navigate a draft and find its supporting things, the rest of it. So why this meeting? You saw this in the BESS working group: we have multiple overlapping protocols on IPsec in BESS, IDR and I2NSF. I2NSF is really looking at device-controller, a security controller controlling many security devices. So we got this, and our ADs said, you know, let's go work it out. So the BESS and IDR chairs agreed that the common...
A
...for IDR tunnel encap should be agreed upon in IDR, which means we need to agree in IDR that that's the right place, because the tunnel encaps draft belongs to us, belongs to the IDR working group. The SA mechanisms need to be harmonized across the three drafts, but the IDR and BESS chairs admit full well we are not security experts. I know.
A
You may find that unusual, from the security side, that we admit our unknowingness, but we are. And then we have to determine in a subsequent thing whether the NLRI requests in the Dunbar IDR SD-WAN port draft... So this is why you're here: we're trying to do the second. We're going to try to give you the various security mechanisms.
A
We do not ask for an immediate answer. We ask you to give us a sort of opinion. If you think this is a longer discussion with the security people, you should let us know, but we're trying to get a scoping. Okay. Now, this is mom and apple pie for all the IDR folks, but I thought I should throw in a few introductions. This is the basic topology. You have IPsec tunnels; those are the things that the data goes through. You have BGP peering.
A
We scale tremendously. So I think I've gone through the fact that the Sajassi draft is a secure VPN, that the Dunbar draft is the SD-WAN, and that Jun Hu's draft is trying to make provisioning and management of large numbers... Notice all of these say large numbers: large numbers of BGP-based secure VPNs with large numbers of IPsec mesh tunnels. Hu believes he can do it with simpler tunnels, and he can do it without a centralized controller. The question is: that's on a controller for BGP.
A
What about a controller for the security control, as I2NSF has begun to specify? One note I have to make: I am co-author on one of these drafts, but in this session I won't be answering for that draft. In order to keep it clean, I'm acting as a working group chair. So if you ask a question toward that draft, you have to ask my co-authors. Okay. So how do we look at this? We look at the use case, the architecture, the security issues, the hierarchy and the BGP mechanisms.
A
I need to give you security folks a heads-up. We are replacing the BGP encapsulation for tunnelling with the draft-idr tunnel attribute. It is essentially looking to replace the encapsulation extended communities. But BGP lives in an environment of deployment: we deploy things and we get implementations, and that's when we finalize the standardization.
A
So a lot of these wonderful things that are described, secure VPNs, have already been deployed, so in that case they may be going with the encapsulation extended community, but in the future we are hoping that people will transition to the draft-idr tunnel attribute. Why? Because there's some better security around the attribute. Okay. Okay, this is a general architecture that comes from the secure VPN but seems to be followed.
A
There's a zero-touch bring-up, there's a configuration management, there's an orchestration and signaling. For BGP folks, during the non-security-association section you can ask questions about that. There are two types of things. There is a one-administrative-domain IP security function that Jun Hu is proposing; that's within a single administrative domain that may have multiple ASes, but it is within one administrative domain, and that's a definition. The secure VPN and the SD-WAN go through multiple ASes and multiple domains. Okay, so there's a range of these security issues.
A
So if you're reviewing one, you need to know what context you're in: are you going across multiple administrative domains? And administrative means this guy owns it. He owns the security for all the boxes and he owns all the BGP stuff. In the secure VPN and the SD-WAN case they may be going between two places, perhaps two carriers, perhaps two cloud providers. The security issues that I as a chair (and this is just my first stab in the dark) see fall into two characteristics. You can have a controller to device.
A
You can... and there are some assumptions here. We assume that the route reflector, which is the thing I'll show you that is like the controller, can securely identify the other node. We assume that that is part of the operation in these architectures. We assume that they're setting up traffic selection policy; that's part of normal routing. We determine where you can send traffic, how we do it. A lot of the YANG policy distribution that's being worked on by the routing working group is doing some policy.
A
Jeff, wave your hand; he's the routing working group person that's working on policy. That policy distribution has configuration in YANG and can be run over the YANG secure topology, just as if you had I2NSF. He's got the policy language and description. That's not the type of capabilities that might come from I2NSF. Now, if you set up the security databases, they could be downloaded outside; Jun Hu's draft does suggest that. But those are places you should look at us.
A
You should say: do we know what we're doing there? Do you think we can have it? Conflict also could occur between two mechanisms. You could have I2NSF mechanisms conflicting with itself, and there's a way to work on that. You could have two BGP mechanisms that are signaling these secure VPNs. You could have one of each. The goal in all of this is to have non-overlapping policy roles or rules.
A
We have validation of origin ID, because these are tracked by a route, and filtering as I just described; or, if you want to get into the BGPsec environment, you could sign various portions of the data. What I'm meaning to the security people is: this is the data portion of BGP. The links are secured via IPsec in most of these proposals, you know, whatever they're distributing. But beyond that we have data securing for the packets that go through BGP, because the data is end-to-end and can be done.
A
Okay, just for fun, this... IDR folks, I took a look at all the hierarchy, and there's hierarchy in most all of it, and I've laid it down there. That's my best reading of the drafts; please tell me if you think they're wrong. For the security folks, notice we have significant hierarchy because we have to scale in IPsec. We pass some data in BGP TLVs: we pass tunnel type, we pass route distinguisher, in some, perhaps, nonce data.
A
Okay, we have some open issues for the working group to deal with. Some of our... because our IDR tunnel encapsulation is being obsoleted, some of these drafts are being revved. So if you have comments on some of this stuff, we could catch something in there. But our current tunnel types, based on the change of IDR tunnel encapsulation, some of them have to be revved for IDR. Look at the number of drafts.
A
We have to now fix, now that if we get tunnel encapsulation through... BGP secure requirements. Now, this I'm going to stop and focus on; I put it a little later in the slides because, just before you see all the requirements, we have scalability issues. We have 10K nodes, oftentimes, and these things have a hundred million links, have a hundred thousand links. We have 10 million routes and maybe 20 million end customers. This is not the scale of even a small network. These are massive networks.
A
Our robustness is five nines; in case you've never heard that term, it's 99.999 percent uptime. You have to have ready-to-go key management, SAs on the fly within milliseconds. That may not be possible; that sure is the desire of the customer. Rekeying occurs. This is not a static drop-and-go; this is dynamic rekeying. There's a separate path for control and data that is hard-baked into the scalability of BGP route reflectors, and there is network topology with non-directional links because of data throughput issues. This is a complex environment.
A
I've just said a ton of stuff there. If you're a security person and you want to ask me what all this means: it's scaling with a star, and it means that some of your assumptions on IPsec VPNs have a different twist when we get to BGP VPNs. BGP is a control plane. This is again basics, in respect for our security brethren who have kindly come. The compelling reasons for using BGP: BGP is widely deployed. It has a reliable transport. It is guaranteed order.
A
It could be run, or mandated to be run, over the best of TCP. We're not going to go into that; we're going to go into what happens after you have a secure link. The protocol runs on top of TCP. It has incremental updates. And, as I've mentioned several times, and I probably am repeating myself here, the route reflector, which means routes go up to a central controller and then are distributed, reduces the full mesh and the route table size.
A
So we have to have that, and we have to have security built in. Route reflectors have the ability to apply policy to communication; that's part of our DNA already. And that last phase, it's not three hours, it's two hours. BGP plus route reflectors support many types of topologies: hub, spoke, mesh. Anything else I've missed, our secure VPN folks will pick up for me. The implementations are robust, widely accepted. They go from data centers to...
A
...to corporate networks to mom-and-pop shops. It's flexible. Why are we asking you to help? You probably just got it: this is a longer conversation. Some of what I was trying to get us to get to, you may have already, because the Carrel draft has specified it for secure VPN and SD-WAN leverages the Carrel draft. You may have an understanding of this in detail. They shortened it up, seeing that you'd seen it a few times, but these are the things.
A
I tried to look at what you were requiring. If you had something more and you want us to work toward it, please do. We're looking at generating IPsec SAs, rekeying, IPsec database generation, both SPD (security policy) and SAD. We're looking at peer authentication, authorization database and policy distribution. Kudos to Jun; he filled out all of this for the domain.
A
There are the BGP security issues that, when you have an implementation, you need to check the box on: whether you're doing origin filtering, which will require a link to the PKI or something nearby it. You need filters to screen out attacks; those have to be downloaded. Could that be part of an I2NSF download, as one of the capabilities? And you have nested tunnels. Did I say nested tunnels? Okay, so with the hierarchy, you should realize that nested tunnels are part of our life. They are nested, sometimes six and seven layers.
D
So BGP here, in this draft, is only used to signal the config part of that. The actual IPsec tunnel is still created by the IKE protocol between the routers that are using BGP, so really there's no change on how the IPsec tunnel is created. This is still using IKEv2, and everything regarding how IPsec works stays the same; there's no change on the IPsec part. The only thing I proposed in the draft is how to use BGP to signal the config of the IPsec.
D
So I only put ESP here in the draft. And also there are three new sub-TLVs I proposed underneath the tunnel encapsulation attribute. The first one is the public routing instance. So this sub-TLV is basically a route target to indicate where the encapsulated IPsec packet is forwarded in, because in the common IPsec case the public side of IPsec is different from the private side of the IPsec. This is a convenient way... You could forward IPsec traffic in one of the VPNs, which...
D
...but your payload packet comes from a totally different routing instance. The second new sub-TLV is the remote address prefix sub-TLV, which is from the receiver's point of view. So basically, this is the IPsec traffic selector, like TSi, and then there's another one for the local traffic selector, which is a local address prefix. So these two new sub-TLVs basically contain one or more IP prefixes that we use for the basic traffic selector. And there are some existing sub-TLVs...
D
...I propose to reuse for the IPsec config. One is the tunnel endpoint; so basically, this is now the IPsec tunnel endpoint address. And then there's color. So color here in my draft is really an aggregation for all other IPsec config not specifically mentioned here, because I do not want to introduce too much change on the BGP side, and plus, in most cases, things like transform, like lifetime...
D
...they are all the same on all the participating routers. They are all the same config, so you have one set of those configs, or you have multiple sets of this config, but typically, you know, we have the same config for every participating router, which means I can actually simplify this by just using a color to signify the collection of those configurations.
D
Another approach is to just introduce a new color sub-TLV just for IPsec, to avoid the confusion of using the existing sub-TLV. And then the last part is the embedded label handling. So for the VPN routes, IPv4 or IPv6 VPN routes, which have embedded labels in the BGP update, which are used to identify in the data path which routing instance or which VPN this packet belongs to; but here, for IPsec encapsulation, IPsec is not really encapsulating that packet with the labels.
D
In IPsec, only an IP packet can be encapsulated inside the IPsec tunnel. So here I proposed we should ignore that label contained in the VPN routes, because with IPsec, the child SA could already identify which instance that packet belongs to, so you don't really need that additional label in the update. So I propose to use the value 2 of the embedded label handling sub-TLV to signal such processing.
D
So here's a table I created to map between the needed IPsec config and the BGP-signaled config. So for IKE, for all the IKE config, like SA transform, like authentication method, DH groups, lifetimes, et cetera, like DPD, those are all aggregated by the color sub-TLV, or, if we decide to, a new sub-TLV for this purpose. For the... the same... is signaled by the tunnel type field in the tunnel encapsulation attribute. For the child SA transform...
D
...that's also aggregated by the color. And for the traffic selector, local and remote, there should be one local and one remote traffic selector address range, which is signaled by those new sub-TLVs mentioned in the previous slide. For the traffic selector protocol and port range, it's not signaled; it's assumed as any. Which means the only traffic selector parameter we signal via BGP is the address range or prefix. For the anti-replay config, it's aggregated by the color as well.
D
The config is also aggregated by the color. Next slide. So here the table shows what I mentioned in the previous slides. So the generation of the initial IPsec SA is based on the routing lookup. So based on the... when a router receives the packet, it will do a routing lookup, and if it decides to use a particular BGP update, and that update has an IPsec encapsulation sub-TLV, then it will use that config to create an IPsec tunnel via IKEv2, and that tunnel will be created.
D
The initial IKE SA and child SA, and rekeys; so IKE SA and child SA rekey are done by IKE based on the config that we're using at the tunnel creation time, signaled by the color sub-TLV. So, basically, typically you will use a lifetime-based rekey mechanism, so that lifetime is signaled by the color also.
D
There's not much difference between single-device rekey and both-device rekey, because all the rekeys here are done via standard IKEv2 operations between the two tunnel peers; there's no involvement of any third-party device. It really happens between these two tunnel peers. For the different IPsec databases: the SPD is essentially signaled by the NLRI, which is the route, the local prefix and the remote prefix sub-TLVs. What about the SAD?
D
Actually, the child SA... the child SA is created dynamically when IKEv2 creates a new one, or when the child SA rekey happens. And whenever a new child SA, or a child SA rekey, happens, the new set of keys and SPI are generated dynamically. For the peer database, the PAD: this is signaled by the tunnel endpoint sub-TLV. For the policy distribution...
D
This could be done with or without RR, because it's just standard BGP updates. The receiver uses the normal BGP routing lookup mechanism to decide which update to use. So in case, let's say, there are multiple routers advertising the same routes but with different IPsec config, then the receiver, just using the standard BGP mechanism, the best path selection based on the preference, selects one to use, and uses the corresponding IPsec config in that update. So, next slide, for the security issues related to this approach.
D
So all the standard BGP security mechanisms could be used to enhance the security of the BGP updates, like origin verification, filters, BGPsec. For the nested tunnels, just like other types of tunnels that you signal by BGP, you have to pay attention to avoid looping, because in case there are multiple nested tunnels there will be multiple BGP updates; you have to be careful not to make a loop out of it. So basically you have to avoid either intentional or unintentional misconfigurations that might cause the loop. Next slide.
D
So my draft is really focused on the single administrative domain, but if you want to have it work across administrative domains, the only thing you need to make sure is that the mapping between the color and the IPsec configuration is agreed. And also, I didn't put it here, but it's also important: we have a common set of authentication framework and credentials policies. For example, let's say if you're using certificate authentication, you make sure these two organizations trust each other's CAs and the issued certificates.
D
Because again, the main use case of this draft is that you don't have any central controller, and this is just like normal routing, like traditional routing works: each router makes its own decisions and also makes the decision of what kind of protection they want to have for the routes they advertise. So the advertising router will decide what kind of traffic selection policy it's able to use, and the receivers of all those routes need to...
D
...use those IPsec configs included in those BGP updates to reach those prefixes, those routes, because the receiver will enforce... the advertising router will enforce the check of the receiving traffic, that the signaled traffic complies with the IPsec config that the device advertises.
D
For the config conflicts: so again, if two routers advertise the same NLRI but with different config, it's resolved by the normal BGP mechanisms for between PEs. So if there's such a conflict between this draft and another mechanism, for example local provisioning or provisioning from a controller, I mean, this is really a local matter; it's up to the implementation to decide which one to prefer. And typically we would say, for example, if you have a locally configured IPsec config that overlaps with the BGP-signaled IPsec config...
D
For example, you need to pre-provision the color to IPsec config mappings, and also you need to pre-provision the IPsec authentication mechanism and its credentials. But it could facilitate the provisioning, because we only require the relatively static config, because the authentication credential and color mapping is typically common for all the routers, and typically it won't change very frequently. So you could actually pre-provision by other means on the routers, but have the dynamic part, like the traffic selectors and those things, still go by BGP.
E
Okay, so the key things about SD-WAN. I presented this in the RTG working group. Briefly, on the problem statement: you're talking about multiple players. You have service providers that have the VPNs, you have the ISPs for the internet connections, and you have cloud providers offering connection from their respective gateway to your virtual router, and you have your CPE device somewhere, maybe on your campus, or maybe in a shopping mall, maybe in some remote office. So the SD-WAN itself is about the overlay.
E
So here, in this example, I only show just one cloud location, one CPE, but in reality, as Sue mentioned in the earlier slides, there could be many, more than hundreds, more than thousands. And in the past, in our deployment, we used NHRP to kind of resolve some of the addresses and tunnels. But once the network goes beyond 100, it doesn't scale anymore. So we retreat to BGP, because BGP has been proven to scale to a much larger number of nodes and sessions.
E
So that's some of the key characteristics of this SD-WAN. Here we call it hybrid SD-WAN, simply because for this virtual router they can have different ways to be connected. One is through a secure network: say the traffic goes through the MPLS network, and through that they connect to the virtual router. The traffic doesn't have to be encrypted if the packet goes that way; then they can go natively, to have better performance. And if traffic has to go through the internet, then that has to be encrypted.
E
So IPsec only applies to certain traffic going through certain paths, and the same traffic, maybe in the morning, goes through the private networks, through which they connect to the virtual router, and that doesn't have to be encrypted; and then maybe later on, when the traffic condition in the private network gets congested, it may be shifted to the public networks through IPsec, and then that has to go through the encryption. So the policy is a local decision from, like, CPE 1.
E
They basically have different kinds of monitoring systems, which is beyond the scope of IDR, to monitor the network condition, monitor the application status, and then make local decisions on where to send. And for many, many cloud applications today, there'll be many components, right? So application components can be instantiated at different locations, and the same application may have multiple versions of it, multiple instantiations of it, and based on some policy, sometimes can be...
E
So just in general, this one has been presented in the RTG working group. Here I just summarize two different types of SD-WAN scenarios. One I call homogeneous SD-WAN, meaning that all traffic is encrypted: you have a CPE, like in a shopping mall, and all the traffic from this particular device to my campus network or to my other places is encrypted, and so it doesn't matter which WAN port you egress from. Another one we call hybrid SD-WAN, meaning that some WAN ports need to be encrypted.
E
So for the SD-WAN control plane, the peer-to-peer model doesn't work very well, simply because I have those kinds of virtual edges. They actually can be instantiated in different places, and the overlay passes multiple domains, and so we need the dotted-line route reflector, which runs at a different layer from the underlay network, to connect them together. And it's very important that those devices, when powered up, be able to have a burned-in address they can reach to establish a secure channel. This is not just for IPsec attributes only.
E
This is for other purposes, like policies, who you can talk to. For example, this R1 being instantiated, it wants to communicate with certain applications. It doesn't even know where the application is located, because they may all have their own private addresses. So the sequence is: R1 has to send those traffic requests to the controller, which I call the route reflector.
E
Simply because, when BGP is used, BGP itself has the mechanism to distribute controlling information, and so all the communication is not directly through each other, through peers; it's really through the controller. I know that in the security dispatch discussion there are people debating on whether we should use a controller or it should be peer-to-peer. So just for your information, the controller is there, even if it's not for IPsec purposes or IPsec key distribution and management. It is there for other purposes, and also for the route distribution, just like a VPN.
E
You may have attached routes; you need to replicate those routes to other peers within your domain, and that's also through the route reflector, because the edge node doesn't know how to reach the other peers. And it's important for the edge node to register its WAN ports, right? "Me, for today: I have three WAN ports, and one is connected to... is the VLAN, or is a secure connection. Another one is a private address which needs NAT. Another one..."
E
As I mentioned earlier, it's through the controller. And see, for example, here I have CPE 1 in Dallas, I have a CPE in Beijing. CPE 1 needs to communicate with its corresponding application, and it needs to go to the controller to figure out where CPE 2 is and what the public address for CPE 2 is, because they may have private addresses, and then through that they can communicate, be able to establish a channel. You have questions?
E
So, in terms of how we encode the information, we have had lots of discussion with Ali, and we all agreed that using tunnel encap is the right way to move forward. And later on I have a couple of slides showing different ways of doing it, the pros and cons of different ways. So we can defer that discussion to a later time.
F
Maybe you can expand a little bit on the need to signal WAN ports across provider networks. I mean, you brought up a brilliant case here, where you may want to shunt traffic over different ports at certain times of the day. Are you expecting to add that when you signal that, of course, through the WAN ports, to increase the chatter within BGP? Okay, okay, okay.
E
So the WAN port itself, actually it's not really when you need to send traffic; it's really when a node is powered up. Because for the SD-WAN, well, the important requirement is zero-touch provisioning. You put a box, you ship a box to your client, to your customer. They power it up; supposedly the zero-touch provisioning will require that box to be able to be up and functioning. So depending on this WAN box, where they are located, say if they are behind a NAT, right?
E
So they need to send a signal to the controller, the route reflector: here's my box, here's my port, I have three ports functioning, and port 1 is actually a private address, but my NAT property is this. I can go using some kind of mechanism; I have detailed in the draft a mechanism to detect the NAT property, so I tell the controller. So in this example...
H
I'm not going to be presenting what is on the agenda, which is secure VPN, because secure VPN is a solution, and it talks about how we are doing the point-to-multipoint signaling over BGP to set up the point-to-point IPsec SAs, and it talks about the details. So before getting into how we do it, we need to talk about what we are doing and why we are doing it. And given that this mic is picking everything up... can you hear me all right?
H
If I start with the architecture component, which is also in this slide... Basically we are talking about three or four main components. One is zero-touch provisioning, such that when you have an edge device you can just turn the power on, and it goes to its ZTP server, gets the info on where to get the configuration, and then the next component is a configuration component.
H
So, a little bit of the background: I started the EVPN about 13, 14 years ago, and that started as a research project, and right now it is very prevalent in data center, in SP and in enterprise; it's basically the de facto overlay control protocol and solution. It has many reasons; one of the reasons is BGP, okay, with respect to the capability it has, with respect to it's proven...
H
...scale, proven functionality, flexibility, all those goodies. Okay, so with the same principle, we want to leverage that for the security aspects, when we want to add the security feature and secure the tunnels. We currently use one signaling mechanism, and this is BGP, and there have been precedents before that.
H
In the last 15 to 20 years, for the people who've been around, okay: we had solutions with two signaling mechanisms, such as for the multicast VPN, we did both BGP and we did PIM, and we converged to BGP. For the L2VPN, with targeted LDP and BGP for discovery, then we converged to BGP. And many other instances. This one, we have BGP; we use...
H
...the BGP to set up many tunnels, and the IPsec tunnel is only one tunnel among many that we set up, and we want to leverage the same signaling in here. And some of the customers basically are not only asking for the signaling protocol to be BGP, but also even to use a single AFI/SAFI, for example, a single solution within that. So that is basically the motivation to use BGP in here. Next, please.
C
So I came at this from the SD-WAN side of our house. We developed SD-WANs not using BGP, but with a really similar architecture. We've got a management station that would be very analogous to what an I2NSF does. We've got our orchestrators that work very much like a route reflector does, and we send around our keying updates and our routing updates for the overlay network all together.
C
It is entirely, you know, analogous to what we're proposing here with route reflectors. So we have a key exchange protocol; for those who weren't in Dispatch or IPsecME a year or so ago, there is a draft on our key exchange protocol that we've put out. The rationale for this is keeping it controller-based. We did this because of scalability, as Ali was talking about; that's kind of the primary functionality for it. Everybody talks to a central controller, those are replicated, they communicate with each other.
C
They push the information down, and we got the scale that we needed. There are other needs that this met: we don't want to drop packets. Obviously, when something comes through and you need a session established, we don't spend the time to do six round trips or three round trips or whatever we're going to do.
C
We want those packets to just go out, so we have sessions usually pre-established; if they're not, it's very quick to establish them, because we don't have to actually go off-box to get the information. We found other issues that made the controller-based model really nice for us. We run control connections over typically provisioned, quote/unquote, secure networks. Certain of our customers insist upon this. Data may go out over the public internet or a public network, but control goes over the provisioned networks. And so I'll go really high-level into this key exchange thing. I...
C
...don't want to go into a lot of the details of it here, because I think that's a task for later, if we decide to move forward with any of this. But the concept is actually really pretty simple: it's a different exchange, but it's done through a centralized controller. So an individual node will create a Diffie-Hellman pair, send the public value up to the controller, the controller aggregates all the public values from the different nodes, and it sends out updates on a regular basis. Now everybody knows everybody else's public number.
C
Some key misconceptions. People have thought this was long-term static Diffie-Hellman. It is not; we rekey. In the lab, when we're trying to thrash on the stuff, we rekey every 15 minutes. Typically, that's not how often you're going to rekey in the real world, but it does thrash the stuff, let me tell you. But things do rekey, and honestly, the part of this protocol that makes it more interesting than just "hey, we're exchanging Diffie-Hellman pairs" is the synchronization over the rekey.
C
So if you imagine a network with ten thousand nodes, you need to keep that all synchronized. When one of them decides to rekey, it's going to send information to a controller; it's going to get to the different nodes at different times, and yet we can't drop packets. It's pretty complicated if you think about that one node rekeying; when you think about all 10,000 nodes randomly rekeying at their, you know, at their offset of the key interval...
C
Resynchronization, yeah. As stated, the route reflector, or in our case, you know, in SD-WAN, it's not a route reflector, but it's the same device; it optimizes that distribution. It waits for keys to come in, knows when to send them out. I refer to this mechanism as kind of a lazy synchronization; lazy sounds like a negative term, but the key point of it is there are no hard timings.
H
...go over the example. So before going over the example, let me put the example in perspective: imagine a route reflector, and there are a bunch of edge devices, and the edge devices are connected to the route reflector via BGP sessions; each edge device has a BGP session to the route reflector that goes over a secure channel. This secure channel can be TLS, can be IPsec itself, or whatever. So the assumption is BGP signaling goes over a secure channel, and then we use BGP to set up these IPsec SAs.
H
So in here I give an example, a little bit. I wanted to just, you know, for the illustration: although I came up with 10K peers, okay, that can be a hundred peers, and each peer can have a hundred tenants, and you're trying to set up the IPsec on a tenant basis. So you end up again with the full mesh of ten thousand.
H
...for your thoughts, and also to make the differentiation a little bit, you know, clear. So if we talk about, let's say, 10K peers, and as I said, these 10K peers can be, just another example, a hundred edge devices, each with a hundred tenants in it, and we want to set up IPsec tunnels among them. Basically, six IPsec messages, IKE messages, per session, and we got ten thousand squared, which is six hundred million. With the route reflector...
H
Basically, every peer sends one message to the route reflector, and the route reflector aggregates them and sends it on. We can do it on an interval basis to push it to everybody else. So, depending on where you set the interval, the aggregation interval, if the rekey interval is 60 minutes and the aggregation interval is five minutes, then you have, you know, roughly...
H
You have about 100K or 200K, actually. So we are talking, you know, this kind of order-of-magnitude difference between the two, and the point in here is we can use the route reflector both to save messages from the ingress PE, instead of 10,000 messages, send one message to the route reflector, and use the route reflector mechanism to basically do aggregation and packing and send a lot fewer messages to the egress PEs.
C
I'm really not going to go into this slide much. This is from the draft. This was just a little bit of background information; it shows the synchronization and how it stepped through. It's probably completely illegible up there on the screen, and we'll kind of leave it at that. Last closing thought, all we're going to say is: if you've read the draft or heard about it, it was named with a name fairly similar to another protocol common in the security area.
I
Yeah, this one, all right. So "there's six messages": it's not correct! That's for IKEv1! You will never use that; you'll use IKEv2. So it means that it's at most two messages, and if you already set up an IKE SA beforehand, so you only need to create a child SA for the traffic selector part, then it's only one message to set up.
F
In BGP there is a notion where forwarding is preserved in some cases, but the control plane goes down. What happens when the control plane goes down? I think the draft can help clarify a few things, as in: are you going to preserve the SAs or the keying parameters, and if so, how long? So that's the first comment.
F
Second thing is, you know, we go beyond an AS, so what happens when the keying parameters are leaked beyond the AS? Maybe the draft should explicitly explain that while you have route reflectors, your edge spoke nodes can leak this information out, and you can ask the security guys out here what the security implications of leaking it out are.
K
Hopefully I'll word it better this time. Okay, so if I understand correctly, you know, we've got the ten thousand peers, and then we're going to say a single message from each of them up to the controller and a single message from the controller down to each of them, but that single message down from the controller to each node or peer is supposed to include the nonce and the public key from all 10,000 nodes, right?
H
Based on the aggregation interval that you have, let's say you send 10K, okay. If that 10K of nonces and public keys exceeds the single message length, then you're going to be sending multiple messages. But the key in here is you can do a lot of aggregation here. I mean, we're increasing the size to 64K, sure.
L
From Orange, one general comment. People are always talking in this presentation about a controller; a controller is supposed to have a kind of intelligence, but a route reflector is maybe the most stupid BGP speaker in the network. So there is no intelligence. So I just want a confirmation that you are not breaking anything in the BGP machinery, and what you want is just propagation, yeah.
H
That's right, yeah! That's a very good point, and that's why, right from the beginning, I said we've got these four components: we have the ZTP server, and we have the provisioning server, and then we have the signalling, and all these are part of the big controller. Okay, well, you call it a controller, but the signaling part is what we are talking about, with respect to what we are familiar with. Okay.
I
Because, depending on that, right, like if you have many routes and fewer nodes, you could do an IPsec transport mode connection to the node and then run GRE or something, and then send all the... So you don't have to have one IPsec SA per route, right, which might save you a little bit of MTU space.
H
Okay, in some scenarios you just have a secure tunnel between two peers, okay, at the PE level; I call it the box level, okay. However, for some tenants within that box, those are special tenants and they want to have their own IPsec tunnels, okay, because they don't trust the general one. And then you can go to the next level of the hierarchy: within that tenant, you can have a host, you know, a sleepy host within that tenant.
I
I understand. So now you gave me an additional problem, because with IPsec you usually have one IKE SA, and you can have like thousands of child SAs for traffic, but they're still under one domain. So now you might accept a set of multiple IKE SAs between these parties if you think that they're in a different administrative domain based on which tenant they are.
D
That for some use case would work, which means that if you want to, for example, put all your traffic into an IPsec tunnel somehow, yeah, you could do that. But in some other case they want selectively to encrypt certain traffic; they want to use IPsec for some and do not want IPsec for others, then you have to go to a different destination for the different IPsec tunnel. In that case, you might need multiple IPsec tunnels. Okay.
H
Setting up this secure tunnel depends on the traffic. Some tenant traffic wants to go over the secure tunnel and some doesn't, and that gets determined by the policy. And also there are cases, I think in Linda's use cases you had a case of the public versus private network, and for the private network often you don't use a secure tunnel, right.
I
So the next item I want to point out is that there's the issue of the RTT. So if you set up an IKE SA already, we call it a childless SA, where you just set up... you do that, the two round trips to authenticate the IKE SA, so that is not a question for us, all right, in general. Then you can later on, on demand, within one round trip, get a child SA, and so that saves you from doing two round trips at that point.
A
This may be good for you to realize, that it might be good to have usage or other details, whether that goes to IDR or that might be separated in a separate draft and put out; it's not necessarily specifying BGP TLVs, but operational stuff that usually goes to BESS, so that might be useful for you. Okay, thanks.
I
We are working on it; it's been a slow process, so it would actually be a welcome thing if we have some consumers of this go push the people that are doing this work, like for IKEv2, to put some momentum behind this and get this done. And I also want to mention there's session resumption, that you can also use to prevent doing an expensive Diffie-Hellman. So maybe not for you guys, but for the other solutions.
I
Let's see, I covered that. There's not an issue if a router reboots, so if we have an IPsec tunnel and one of these endpoints fails, I'm not sure what the mechanisms are, whether it's within IPsec that something needs to happen, or whether there's an overlaying BGP security protocol that will take that node out of commission and do something else. So...
I
In a sense, IPsec keepalive is there, but that's a really slow mechanism, and I don't think you want to use that. And let me add exactly this warning: there is a thing called dead peer detection, or liveness, and please be aware that the RFC said you should not use these probes more than, like, once a minute, all right. Some people like to send them multiple times per second, and then you get really strange things if you try to do this, including shooting yourself, because your probes actually start to fail. So...
G
The other, it's unfair for another reason, okay. These solutions, I mean the IKE solution and this kind of security controller solution, have, like, different security properties, because in this case every node has a single public value. So, for example, if you break this public value, this public key, with some quantum computer or something else, it will compromise all the SAs it has with every peer, and in the classical IKE solution each tunnel is using ephemeral Diffie-Hellman.
K
Thank you, Doc. So I tried to also be thinking, in addition to the specific mechanisms proposed, to try and come up with some general considerations that might apply to all of them. And so, like, in general, you need to consider, if you're going to get your configuration through BGP or through your controller, you need to be thinking about, you know, how much do you trust that configuration? What other information are you getting through the same mechanism?
K
And, you know, if that other information was wrong or corrupted, or, you know, an attacker controlled that, how would you break for that? And, you know, maybe if you're going to be horribly broken already, then you don't necessarily care if your configuration is also broken. And you also always want to make sure to think about, you know, what properties do I want to get from IPsec, like, why am I doing this at all?
K
For example, if you have a system where you do want to authenticate the peer, and instead of relying on a central CA or, like, some sort of certificate to authenticate, you know, the key that you're going to use, you're instead going to say, well, I got this key from a trusted central controller and I'm just going to trust that central controller to give me the properly authenticated mapping between keys and identifiers, that might change a little bit what your authentication story is, and so you want to think about that.
K
It may well be the case that you can end up with a connection that is using IPsec and providing you confidentiality protection from the wrong people, and is in fact connecting to the people that you didn't want to talk to. And so, you know, just because you have a successful IPsec association and, you know, you're encrypting your data, you've got to make sure you're encrypting it to the right people. And I think in terms of, when we're adding multiple ways to distribute configuration information, just...
H
A quick note with respect to the last point: it is important, because you're going to try to make the connectivity over the WAN as secure as possible. But if you don't take care of the cross-connect between your end user and the traffic that is unencrypted, then all your effort is wasted, yeah.
K
There's all sorts of ways things... I think my last point is just to say that, you know, if you do have multiple mechanisms to get in configuration, as long as everybody agrees to use the normal type of tiebreaking mechanisms, that's totally fine, to use the tiebreaking mechanisms for, like, if you've got two different things that are trying to claim the same route in terms of what configuration to use, as long as everybody knows what the tiebreak mechanism is, I think that's generally...
K
And sorry, I had one more point: there's a lot of these aspects that will be easily controlled using sort of local policy, to make sure your traffic selectors actually make sense in the broader scheme, and so you can, like, do sanity checking on some of the configuration you get. My guess is this mostly serves for the controller one; the other two did.
C
Just really quickly, to address a little bit of the authentication issues: there's certainly a need for an edge to identify the controller authoritatively, and vice versa. Some of that is slightly discussed in my draft, but it's kind of cursory; there's an assumption that that has happened. When you look at the architecture there, it's going back to starting with ZTP and how something connects to the network, but I very much agree.
F
Two more points, sure. I'm echoing what Stefan said earlier: if you're going to do this using route reflectors, you may want to suggest to implementers and operators that there is a lot of messages, not that BGP can't handle it, but you will see head-of-line blocking if you start mixing up AFI/SAFIs. So probably, I don't have a good suggestion for you, but probably a separate route reflector or something that doesn't affect the routes at all.
F
Second thing is, there was a draft in the IDR working group which actually tracked labels. If the labels became inactive, they had a way to take the routes out, or the next hops out. Because this is an IPsec tunnel, and I think Paul mentioned it's a one-second keepalive, you are more than welcome to reduce it to milliseconds; it's Paul's problem, not mine. But you want to give some suggestion in text to the implementers to say: should that tunnel become inactive, what, I mean?
L
Different, from Orange. I wanted to go back to the tunnel encaps and the tunnel types that we are acquiring, because I think we have plenty of different use cases. So you have a simple one, which is an IPsec tunnel, but then we can use any kind of overlay with IPsec transport mode. So how do we do it? So today we have some of the combinations that are defined in RFC 5566, which may probably disappear. So we need to create something else. So then, are we going to keep creating a combination of each overlay plus IPsec transport mode?
H
That's a valid question and point. The current thinking is the IPsec attribute, the TLV that gets carried in the tunnel encap, is going to specify what kind of IPsec we have, and then we have this extended community to define what kind of overlay it is: is it VXLAN or is it GENEVE or whatever? So we've done this kind of thing for multicast as well, because in multicast we send a PMSI tunnel attribute, and the PMSI tunnel attribute can be GRE or so forth.
H
So with GRE, the question is what is inside the GRE? Is it VXLAN or GENEVE or what? So what we've done, the trick, or not the trick, what we've done is we send the PMSI tunnel attribute to say that this is a GRE tunnel, and then the extended community to say what is the type of the overlay that gets carried inside the tunnel. But...
N
So, no, there's been discussion on the list about what the working group wants to do. Talking to the chairs earlier, what we think we want to do, the discussions are going to happen on Friday, so don't even come and ask any questions. What we think we want to do is we want to produce a general charter that talks about what the working group does in general, who are the other working groups that we coordinate with, BESS, GROW, SIDROPS, you know, etc.
N
All those other working groups, maybe a little bit of how that happens, maybe call out some specific things to clarify what IDR versus the other working groups are responsible for. If anyone can come up with something that should not be covered by IDR, maybe we want to put it there. But the specific work items, so that we don't run into the same charter with half the items completed and half not, and some that we're not going to do in another two years and have to recharter again. What we want to do...
N
...is we want to manage all the work items through the milestones. So what we hope that will do is give the chairs a lot more manageability of the working group and a lot more flexibility. If there are things that come up that are more interesting than whatever we've been doing in the last six months, we can change some of the milestone orders or whatever, with the working group's consensus, and we can move on that a lot quicker. We will hopefully avoid discussions about...
R
Quick recap of the draft. The BGP BFD capable, sorry, the BGP BFD strict mode, is a solution proposed to address the BGP and BFD interaction issues. The solution defines a BGP BFD capability and enables the BFD capability negotiation. Operations: a BGP speaker which supports capabilities advertisement and has BFD strict mode enabled must include the BGP BFD capability, with the S bit set, in the BGP capabilities it advertises. A BGP speaker which supports the BGP BFD capability examines the BFD capability received from its peer. Okay.
R
If both the local and the remote BGP speakers have BFD strict mode enabled, then the BGP session will be established after the BFD session is up. If either BGP peer has not advertised the BFD capability with strict mode enabled, then the BFD session state will not be required for BGP session establishment. Okay, please note that this does not preclude usage of BFD after the BGP session establishment.
R
Okay, in this state no keepalive messages are sent. Okay, the keepalive timer is not set.
R
Updates to manageability and security considerations: a BGP notification message subcode indicating BFD hold time expiration may be required for network management, and this will be discussed in the next revision of the document. The security considerations of BFD become considerations for BGP when it's used.
A
Folks, we're running that long. Then I'm going to give her a bit of time, or ask us to go to the list, and I think we'll slip in Alexander, so I'm sorry to trim your comments; if you will, catch her afterwards. Alexander, why don't you go for about, I've got enough time to... why don't you give the brief two or three points you need before GROW, or do you need the full ten minutes?
J
Hello everybody, my name is Alexander Azimov, I work for Yandex, and this will be a very quick update for the BGP Roles draft. So the core of the original design is BGP Roles. BGP Roles is a proposed new configuration parameter that is negotiated in BGP OPEN messages. So there are 5 specified roles: customer, provider, peer, route server and route server client. So the draft was already here for at least 3 years.
J
Originally it was a transit attribute to detect and prevent networks from leaking. After that it was split into two: iOTC for prevention, eOTC for detection. Then it was merged with another attribute from another draft. Then, after the merge, it changed the field slightly, because we need a solution faster than the reworks we were thinking of previously, and that's why the RLP attribute was transformed into the DO community, and iOTC was nearly ready for working group...
J
...last call; we had implementations. It now happens, a modular design, and I'm going to go through and explain why it's happening and why it's happening now. So please take a look at these rules. I will spend more time on this slide than on any other slide, because it is important. First rule: it is a quote from the leak prevention draft. It says if a route is received from a provider, route server or peer, it must not be sent to another provider or peer. In other words, it must be sent only to downstreams, only to customers. Second rule:
J
If a route is sent to a customer, peer or route server client, it also must follow the only-down rule. So these rules are nearly the same, but represent the picture from different sides of the BGP session, one rule for the receiver and one rule for the sender, but in general they are just the same. So we're getting OTC back. We are getting a transit attribute that is capable of both preventing networks from leaking and detecting anomalies. And also it is an improved OTC attribute; it has a different design from the original one.
J
So in the picture of how it's working, on the left side is the provider, on the right-hand side is the customer. No matter who is setting OTC, the value will be the same, so we are getting a tool that has negotiated its configuration, plus we also have a double-checked configuration of the OTC attribute.
J
With this attribute, we have very simple rules for route leak detection and prevention. So I will just drop the slide and go through the example here. AS1 is sending a prefix to AS2, its customer. Again, no matter who is setting OTC, it might be set by AS1 on egress or by AS2 on ingress; the value will be the same.
J
The value will be AS1, and on the other side of the autonomous system, it must be checked that OTC exists. So if it is checked on egress, we have leak prevention; if it is checked on ingress, we have leak detection. So we have rules that are negotiated on both sides, we have marking that is done on both sides, and we have leak detection that also is done on both sides.
J
So the interesting question is what we should do with route leaks, and it seems that the only policy that can be applicable for the OTC community: you must drop them. But in certain situations you may want to pass them by, for example, just to learn the signal before applying this mass drop policy. So I will get to this question in more detail after the coffee break during the session in GROW.
J
The last question that must be highlighted: for years, during discussion related to the route leak detection question, we had an argument which one is better: should we go with a community or should we go with an attribute? An attribute is more native, it's a more reliable signal, it's memory efficient, it's not overloaded with different functions. But a community here is easy to deploy; we can deploy it on selected peers, so we can deploy it tomorrow in Yandex.
J
We can deploy it tomorrow. So instead of arguing which one is better, we decided to do both. So there will be an OTC, a proper attribute, that will be used for leak prevention and detection, and there will also be a community that will model OTC behavior just for the same purpose. The difference is that OTC will be available in a couple of years; the community can become available in a month. So there's some summary on the current status. So we transformed iOTC to a transit OTC; we have marking on both sides.
A
Yes, yes, yes. The other thing is, if it's an attribute it has, you know, send it back, the idea for that. Okay, yeah.