Internet Engineering Task Force 105, 24 Jul 2019

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF105-IDR-20190724-1330

Description

IDR meeting session at IETF105
2019/07/24 1330

https://datatracker.ietf.org/meeting/105/proceedings/

A

B

Okay, it's 1:30, let's get started so as we've all seen again and again. This is our note. Well, please note it well, don't have anything funny to say about it. Sorry, do we have an agenda to project? Are we just going to dive right in.

B

What are we looking for? Just that, so you can just pull it up off this one scroll down to the hearing. I mean if you want to start yeah I'm talking about one side. Well, I'm pulling this up. You can do that.

A

Okay, so I'm gonna start because I'm gonna for my sins, I'm sharing the IPSec, related work, section and so John I think you need we're going to go through agenda bashing, which is right now, then we're going to go through my introduction to it, which will take about 15 minutes in that, if you're, an IDR person I've put a whole lot of detail. That gives you the tlvs but I'm, going to give the high level for the security people, because tlvs may not be as important as the general security.

A

Then Jun, who is going to give a remote presentation on the IP sick, singled tunnel configuration. Then Linda is going to give some more details on SD when courts, because I think use cases are as important and then Ally and they've are going to give a presentation on the secure methodology for evpn, at which point we're going to have a general discussion about the security methodology and issues relating to bgp, VPNs versus other things.

A

I know this has been talked about in sector and suffer some things in excuse me: set dispatch, not sector set dispatch earlier this week. So now you have to find my presentation.

B

A

One right here, that's okay: this is I an overview of IP links and VPNs for all of you who are IT are people.

A

You know I used to when I had young kids who've watched, certain TV shows, and there was two levels of presentation. One was for the parents, and one was for the kids and I liked it, because there was that sort of fun. Well, this you're all adults, but the I put in enough details that if you're an ITR person, you can read the details, but I'll be talking at the at the higher level. So we can interact with our security brethren.

A

The drafts we're considering our drafts agasi best secured evpn, dref who's, une idée, our bgp IPSec and Dunbar ID rs1. There are supporting drafts you have to realize. There are supporting drafts for the secure VPN from draft Carol IPSec controller. There are some core I work from I 2 and a SEF for an IPSec flow controller, and then there is supporting work in bgp from the tunnel and a usage case from dart andar, so we'll just sort of reference. These I'm expecting you to to read.

A

If your ID are to know how to navigate a draft and find it's supporting things, the rest of it, so why are this meeting? And you saw this in the best working group? We have multiple overlapping protocols on IPSec in best IDR and I, to NSF I to NSF is really looking at device controller, a security controller controlling many secure devices. So we got this in our 80s said. You know, let's go work it out. So the best an idea. Our chairs agreed that calm.

A

Until these four idea are tunnel and camp should be agreed upon in IDR, which means we need to agree in IDR that that's the right place, because the tunnel and caps draft belongs to us belongs to the IDR working group. The SI mechanisms need to be harmonized across the three drafts, but but the idea, the IDR on best chairs, admit full well, we are not security experts. I know.

A

You may find that's unusual from the security that we admit on unknowingness, but we are, and then we have to determine in a subsequent thing whether the NRI requests in draft unbar IDR Sdn port. So this is why you're here we're trying to do the second we're going to try to give you the various security mechanisms.

A

We do not ask for an immediate answer. We ask for you to give us a sort of opinion. If you think this is a longer discussion with the security people, we should let us know, but we're trying to get a scoping okay. Now this is mom and apple pie for all the IDR folks, but I thought I should throw in a few introductions. This is the basic topology. You have IPSec tunnels. Those are the things that they to go through goes through. You have bgp peering.

A

In some cases the BGP peers talk directly to one another and in many of the secure VPN and the sd1 case, they talk to an arc of BGP route. Effector BGP route. Effectors are our mechanism by which we scale I've.

A

We scale tremendously, so I think I've gone through the fact that that the sigasi graph is a secure VPN that the Dunbar Draft is the sd1 and that June, whose graph is trying to make management, provisioning and management of large numbers notice. All of these say large numbers, large numbers of BGP based secure VPNs with large numbers of IPSec mesh tunnels who believes he can do it with simpler tunnels and he can do it without a centralized controller. The question is: that's on a controller for BGP.

A

What about a controller for the security control, as i2 NSF has began, to specify one note, I have to have as I am co-author on one of these drafts, but in this session, I won't be answering that draft in order to keep it clean, I'm acting as a working group controller. So if you ask the question toward that draft, you have to ask my co-authors okay. So how do we look at this? We look at the use case, the architecture, the security issues, the hierarchy and the BGP mechanisms.

A

I need to give your security folks heads-up. We are replacing the BGP implement for tunnelling with the draft IDR tunnel attribute. It is essentially looking to replace the encapsulated extended communities, but BGP lives in an environment of deployment. We deploy things and we get implementations and that's when we finalize the standardization.

A

So a lot of these wonderful things it's described, secure VPNs have already been deployed, so in that case they may be going with the encapsulated in its extended community, but in the future we are hoping that people will transition to the draft IDR tunnel attribute. Why? Because there's some better security around the attribute? Okay, okay: this is a general architecture that comes from the secure VPN but seems to be followed.

A

There's a zero touch, bring up, there's a configuration management, there's an orchestration and signaling for PGP folks during the the the non security Association section. You can ask questions about that. There are two types of things: there is a one: administrative domain, IP security function that June who is proposing that's within a single administrative domain that may have multiple asses, but it is within one administrative domain and that's a definition. The secure a VPN and the Sdn goes through multiple, a SS and multiple domains. Okay, so there there's a range of these security issues.

A

So if you're reviewing one, you need to know whether what context you're in are you going across multiple administrative domains and administrative means. This guy owns it. He owns the security for all the boxes and he owns all the BGP stuff in the secure VPN and the SD LAN case they may be going between two places. Perhaps two carriers, perhaps two cloud providers- the security issues that I as a chair- and this is just my first stab in the dark- fall into two characteristics. You can have a controller two device.

A

You can sis and and- and there are some assumptions here- we assume that the route reflector, which is the thing I'll, show you that is like the controller, can securely identify the other node. We assume that that is part of the operation in these architectures. We assume that they're setting up traffic's selection policy- that's part of normal routing. We determine where you can send traffic, how we do it. A lot of the yang policy distribution, that's being worked on by the routing working group, is doing some policy.

A

Jeff wave your hand, he's the routing working group person, that's working on policy that policy distribution is being has configuration and yang and can be run over the yang, secure topology, just as if you had I to NSF he's got the policy language en description. That's not the type of capabilities that might come from I to NSF. Now, if you set up the security databases, they could be downloaded outside you, unions. A draft does suggest that, and but those are places you should look at us.

A

You should say: do we know what we're doing there do you think we can have it? Conflict also could occur between two mechanisms. You could have I + SF mechanisms, conflicting with yourself and there's a way to work on that you could have two bgp mechanisms that are singling these here give secure VPNs you could have one of each. The goal in all of this is to have non overlapping policy roles or rules.

A

If you have it that in in routing we call it preference if I got top reference and we have a conflict, I win, so the routing people are used to that and I think I went through the tunnel attribute, but in our attributes we do have some policy that we've been working on.

A

We have validation of origin ID, because these are tracked by a route and filtering as I just described or if you want to get into the BGP second vironment, you could signature various portions of the data by what I'm meaning to the security people is. This is the data portion of BGP. The links are secured via IP. Second, most of these proposals, you know whatever they're distributing it and the. But beyond that we have data securing for the packets that go through BGP, because the data is end-to-end and can be done.

A

Okay, just for fun, this I I. I, dr folks, I took a look at all the hierarchy and there's hierarchy in most all of it and I've laid it down there. That's my best reading of the drafts. Please tell me if you think they're wrong for the security folks notice. We have significant hierarchy because we have to scale in ib sec. We passed some data in bgp tlvs, we passed tunnel type. We pass port distinguisher in some repents nonce data.

A

We pass tree key, we do a key exchange and we have SI transforms those are actually being passed and the BGP PDUs that are being passed.

A

Okay, we have some open issues for the working group to deal with some of our because our ID, our tunneling caption, is being obsoleted. Some of these drafts are being revved. So if you have comments on some of this stuff, we could catch something in there, but our current tunnel types based on the change of ID our tunnel encapsulation. Some of them have to be read for IDR. Look at the number of drafts.

A

We have to now fix now that if we get tunnel and caption through bgp secure requirements, now this I'm going to stop and focus on I put a little later in the slides, because just before you see all the requirements, we have scalability issues. We have 10 K notes, they oftentimes, and these things have a hundred million links have a hundred thousand links. We have 10 million routes and maybe 20 million end customers. This is not the scale of a 1, even a small network. These are massive networks.

A

Our robustness is five nines in case you've never heard that term. It's 99.999 percent uptime. You have to have ready to go key management sa on-the-fly within milliseconds. That may not be possible. That sure is the desire of the customer. Reoccurring occurs. This is not a static drop and go. This is a dynamic, creaking, there's a separate path for control and data that is hard baked into the scalability of BGP route reflectors, and there is network topology with non directional links because of data throughput issues. This is this is a complex environment.

A

I've just said that ton of stuff there, if you're, a security person- and you want to ask me what all this means- it's scaling with the star- and it means that some of your assumptions on BGP the IPSec VPNs, has a different twist when we get to be chipiya. Vpns BGP is a control plan. This is again basics and respect for our our security brethren who have kindly come. The compelling reasons for using BGP is BGP is widely deployed. It has a reliable transport. It is a guaranteed order.

A

It could be run or mandated to be run over the best of TCP. We're not going to go into that. You can we're going to go into what happens after you have a secure link. The protocol runs on top of TCP. It has incremental updates that are, as I've mentioned several times, and I probably am repeating myself here. The routing reflector, which means routes go up to a central controller and then our distributed reduces the full flag, full mesh and the route table size.

A

So we have to have that and we have to have security built in route. Reflectors have the to apply policy to communication, that's part of our DNA already, and that last face it's not three hours. It's two hours, VG p, plus route reflectors support, many types of topologies hub spoke mesh. Anything else, I've met, missed our secure VPN folks will pick up. For me, the implementations are robust, widely accepted. They go from data centers to.

A

To corporate networks to mom-and-pop shops they're, it's flexible! Why are we asking you to help? You just probably got it. This is a longer conversation, some things of what I was trying to get us to get to you may have already, because the Carroll draft is specified it for secure VPN and Sdn leverages the Carroll draft. You may have an understanding of this in detail. They shortened it up, seeing that you'd seen it a few times, but these are the things.

A

I tried to look at what you were requiring if you had something more and you want us to work toward it, please do we're looking at generating IPSec essays, rekeying IV, sec database generation, both SPD security policy and s ad we're. Looking at peer author, author, a ssin database and policy distribution kudos to june, he filled out all of us for the domain.

A

There is the bgp security issues that when you have an implementation, you need to check the box, whether you're doing origin filtering that will require a link to the PKI or something nearby it. You need filters to string out attacks. Those have to be downloaded. Could that could be part of an i2 and s download as one of the capabilities and you have nested tunnels did I, say Nestor, tunnels, okay, so with the hierarchy, you should realize that nested tunnels are part of our life. They are nested, sometimes six and seven layers.

A

Deep I will take a quick, jetpack and notice. This hierarchy is about seven layers. You can have people going that far in thank you and I will be done. It is now jeans turn.

B

C

The slides yes.

B

We're projecting them off the meeting materials.

A

It's it's in the materials there in the Friday session Jim. Thank you, Jim yeah, really loud and clear. Okay, you can even back off a little oh.

D

Thank you guys, so my obsession is really about the draft I wrote regarding to signal the opposite, complete by bgp. So next slide, please so.

D

Basically, the draft defines a message bgp to second certain IPSec configuration along with the NRI that will be updates. It relies on the GP, tunneling cups is dropped for the IPSec confusion and HP is only used to you know. It's.

A

Projecting really loud try to back off on your voice. We can't seem to figure out how to back off the media. Quahog. Okay,.

A

D

So be here is in. This draft is only used to signal the config art of that music. The actual IPSec tunnel is still created by the acquittal particle between the routers that using EGP so really there's no change on how IPSec tano is credit. This is still using, I could be to and everything regarding our IP set work stays saying: there's no change on the IPSec part. The only thing I proposed in the draft is on how to use BCE to signal the conflicts at the convict of the IPSec.

D

So here the list of the sub theories I propose that we use two signals: IPSec complete. First, we can use the existing data type for the IPSec tile, which is a web form.

D

Yes, little amount, I did not accrue the ashtar, because it's hardly used in the deployments and plus IH does not provide the complete confidential protections.

D

So I only put yes Python, oh here in the draft, and also there are three new sub theories I proposed, underneath the Italian caption attribute. First, why is the public audiences? So this sub theory is basically is a rocking target to indicate where the encapsulated IPSec market before in because in the comments IPSec the public side of IPSec different from the public private side of the IPSec. This is a convenient way. Dumbo. You could follow I kiss effect in one of the VPNs, which.

A

Slightly you on.

D

Yeah, this is a slight the tree.

A

Did this area showing here yep, okay, we're fine yeah.

D

But your payload packet back home from the different total total different route instance. The second new tier II sub theory- is the remote address, prefix sub theory, which is from the receiver point of view. So basically, this is the IPSec traffic selector like TSI and then there's another one for the remote for the local traffic selector, which is a local car local address. Prefix. Suppose this to nutrients of theory is basically contain one or more IP prefix that we use for the basic traffic selector and there are some existing sub theory.

D

I propose to reuse for the IPSec config. So why is the tunnel in point? So basically, this is now the IPSec tunnel endpoint address and then there's a color, so color here in my draft is really aggregation for all other IPSec config, but not specifically mentioned here, because I do not want to introduce too much change on the beach P site and plus, in most case the like transform like lifetime.

D

They are all same on the all parties participating routers. They are all same config, so you have one stead of those co-efficient or you have a multiple set of this country, but typically you know we have same completion for every participating routers so which means I can actually simplify this by just using a color to signify that that's the collection of those configure configurations.

D

So there are two approach here: one is the using existing color sub theories.

D

Another approach that to just introduced a new color subcarrier, just 5p SEC, to avoid the confusion of using the existing subtly and then last part is the embedded label Henry so for the VPN browse ipv4 will be 6 ppm rafts, which has embedded labels in the BG update, which is used to identify in the data path, which not instance or which will appear in this packet, belongs to, but here 5e sec, encapsulation ab. Second, not really encapsulate that packet will be the labels.

D

Ip stack, the only only IP IP packet can be encapsulated inside ivy Sopranos, so here I proposed. We should ignore that label contains it in the European routes, because with IPSec the China's say could already identify which of the instance that packets allows to so you don't really need that additional label and update, so I propose to use that value to of the embedded label had enduring sub tier V to signal such process.

D

D

So here's a table I created two mapping between the needed IPSec config to the BGP signal config, so for the Ike for all the I conflict like as they transform like authentication Messer to render shows lifetimes, in cetera like the NDP D, those are all aggregated by the color sub TV, or we if we decide to music, use a new sub theory for this purpose for try. The same public forum is vital on it's a channel type field in the tano in cups, H cute for the child, as they transform.

D

That's also a group made by the color and for the traffic selector local remote, and this type of there should be one local in a one. Remote Travis Lecter address range, which signal Bibles. Those new sub theories mentioned in previous slide for these traps. Lecter protocol in the pot range it's not second out it's as soon as any so, which means the only only chopped selector favorite. We signal Y, which P is the address range or prefix for the entire play. Config is a degrade by the color ESL.

D

The config is also a delete by the color next slide. So here the table showed in the previous slides that I fear out. So the general of the initial every success ace is based on the routing lookup, so based on the you would rather neutral for the packet, he will do a rotten lookup and if we decide to using a particular bgp update and that update, has a IPSec can encapsulate suit, then he will use that confusion to create a tree sectional by a 3-2 and that penetration will created.

D

The initial I can say and try to stay and Ricky's Oh, psych, I, say and try to say Ricky we're down by a tree based on the config that we using in the tunnel creation time sticking on by the color some theory. So, basically, typically, you will use lifetime paste, ricky mechanism, so that lifetime use signal by the color also.

D

There's not much difference between single device Ricky and about device Ricky, because all the Ricky's here is that down while standard Acme to operations, the device weekly visits, tano Pierce, there's no involvement of any third party device. It really happened between these two ton appear for the different IPSec database for SPD is a Accenture signal by the NRI, which is routes, local prefix and the remote prefix sub theories. Why stay D SATs?

D

Actually the China says I, try to say that create a dynamic day when that could be to create a no or when the tried ASAP happens, and whenever, whenever a new, try to say or trying to say Ricky happens, the new set of keys mass SP are generally dynamically for the peering database PID. This is a signal by the talent points of theory for the policy policy distribution.

D

The advertising rouse signal, these IPSec config. It requires other to use when reaching the NI advice. So basically a router advise certain brows and, along with those little rough, it also advised what can I protect a no you need to use in order to reach this route.

D

This could be done with our without our ax, because it's just standard BGP updates the receiver use normal BGP routing lookup mechanism to decide which update to use. So in case, let's say: if there are multiple routes, a multiple router would advise the same routes, but with different IPSec config, then receiver, just using standard which pin mechanism elect with them, who pacing based on the preference to select one to use and use the corresponding I pista config in that update. So next slide for the security issues relate to this approach.

D

So all the standard BGP security makanda could be used to. He has the security of the BGP updates like origin verification filter, which we sack for the nested tunnels, just like at the top type tunnels that you signal by BGP. You have to pay attention to avoid looping, because in case there are multiple nested tunnels and there will be multiple BGP updates. You have to be careful not to make a loop out of it. So basically you have to either intentionally or intentionally misconfigurations that might cause the loop next slide.

D

So my draft is really focused on the single and is read to me, but for, if you want to have it work across the division to me, the only thing and if you make sure is that the mapping between the color and opposite configuration and read, and also I, didn't put it here, but it's also important. We have a common set of syndication framework and credentials policies. For example, let's say you if you're using certificate or syndication, you make sure this two organization trustees, charges, RCA's and it's seen issuing certificates.

D

As long as you can do those things I mean this draft could also work across administer to me. But typically you want to do the draft in the same and mr. Toomy, so the distribution of traffic selection policy is by the at fighting router.

D

Because again, the main use case of this draft is that if you don't have any central controller- and this is just like a normal routing like traditional route- inheriting works, each route Todd makes their own decisions and also make the whole decision of how what kind protection they want to have for this routes. They advise so the advisor outer will decide what kind of traffic selection policy is able to use and the they receive all those raw, rapidly rafts and need to.

D

You have to use those a piece, a config, but including that those big updates to reach those prefix those routes, because the receiver will enforce Authority advising a lot of reinforced the check of the receiving traffic that if the single traffic comply with that mister config, that it, the device. Individuals.

D

For the controller conflicts so again if Toros advice same NRA, but with different config in computers or by the normal BGP mechanisms for between and PE. So if there's such confliction between the this draft and another mechanism, for example, local provision or prison foreign controller I mean this is really local. Matters is up to the intubation to decide which one to prefer, and typically we would say, for example, if you have a local configured, a piece of configure the overlap with the beach be signaled mister config.

D

Typically, you would want favor the local config once and then for the last part, the day or touch setup. So the trust this drug does not actually actually address the attached provision, because it requires some pre provisions before this could work.

D

For example, you need to provision pretty provisions the color to IPSec config mappings, and also you need to pre provision, the IPSec authentication mechanism, its credentials, but it could be a facilitate the attachment provision, the only because you only we only require the relative static config, because the authentication, credential and color mapping it's it's typically is common for all the routers, and typically it won't change very frequently. So you could actually prepare users by other means. Other routers, but have this dynamic part like like the trophy selectors and those things still go by the BB.

A

For all those good pieces of information, folks for the security folks will give you a bit of a moment to investigate that. Unless you have a burning question, we'll take all questions at the end.

B

Clarifying questions yeah, if you have clarifying questions related to this draft, then now is a good time other, as will as sue said, take questions at the end.

B

No one approaching the mic, so thanks and we'll go on to who's our next one.

E

Okay, that's good! Thank you! So here I'm only going to talk about user scenarios, key requirements and I know we have some offline discussion. How do we encode the bits and information I'll leave that later we'll talk about later after at least dropped, so.

E

Okay, so the key things about sd1 I present this in the RTG working group. Briefly, on the problem statement, you're talking about mati players, you have service providers, have the VPNs, you have the ISPs for the internet connections and you have call provider offer connection from their gateway respective gateway to your virtual router, and you have your CPE device somewhere, maybe on your campus or maybe in a shopping mall, maybe in some remote office. So the sty itself is about the overlay.

E

As you can see here like, for example, the MPLS network itself has the UM PGP control. That's the one bgp version you can think about underlay BTP layer and this dotted line dotted purple line here is control the devices in very different geographic locations.

E

You could have one CPU located here in Montreal and you could have your virtual CPE located in some cloud data center in a different country, and you could have a controller using some kind of TLS or some kind of TTL s to be able to connect to those two devices and then distribute information, distribute IPSec configuration or IPSec key establishment.

E

So here, in this example, I only show just one cloud location, one CP, but in reality, as sue mentioned in the earlier slides, there could be many more than hundreds more than thousands and in the past, in our deployment we use an HR PE to read kind of resolve some of the addresses and tunnels. But once the network go beyond 100, it doesn't scale anymore. So we retreat to be GP because BGP has been proven, can scale to much larger number of nodes and sessions.

E

So that's some of the key characteristics of this sd-1. Here we call hybrid sd1 simply because for this virtual router they can have different ways to be connected. One is through secure network see if the traffic goes through MPLS network and through that they were connect to the virtual router. The traffic don't have to be encrypted in packet. Goes that way, then they can go natively to have better performance, and if traffic have to go through the internet, then that has to be encrypted.

E

So IPSec only apply to certain traffic going through certain paths and same same traffic, maybe at in the morning. It goes through the private networks through that they recollect to the virtual router that Inc doesn't have to be encrypted and then maybe later on, when the traffic condition in a private network at congested may be shifted to the public networks through IPSec, then that has to go through the encryption. So the policy is a local decision from like CPU one.

E

They have basically have different kind of monitoring system, which is beyond the scope of IDR to monitor the network, condition monitor the application status and then make local decisions on where to send, and for many many cloud a today's application and there'll be many components right, so application components can be instantiated at different locations and same application. They may have multiple versions of it. Much multiple instantiation of it and based on some policy, sometimes can be.

E

Regulatory requirement sometimes can be performance issues and the the connection can be site based, like say, for example, my traffic has goes through certain sites because of I have to comply to some regulatory requirement so and for the sd1, like the virtual pass, the BGP connection had to take the site into consideration.

E

On top of your note, ID, on top of your port ID, so there's another layer site, that's just another requirement that has to be considered for inter canal multi-cloud interconnections and, for example, in this example here I only show that from CPE to cloud data's in the one and then called a descender to the traffic between the two cloud, datacenter like VPN, virtual virtual router in datas in the one, the virtual call in data center to some kind need to be communicated and there will be pass among them as well, and the passed among them can be encrypted through the public network or can be through the trusted network.

E

So just in general, this one has been presented in the RTG working group is about here. Just summarize two different type of iced tea wine scenarios. One is I call homogeneous sd-1, meaning that oh traffic I encrypted you have a CPE like in a shopping mall. All the traffic from this particular device to my campus network or to my other places, are encrypted, and so it doesn't matter which one port you egress from another one. We call it hybrid network, hybrid sd1, meaning that someone ports need to be encryption to be encrypted.

E

Someone ports, you don't! So it's really from one point. One perspective from the client side: you have client attachment which can go through either port.

E

So the for the sd1 control playing the peer-to-peer model doesn't work very well simply because I have those kind of virtual edges. They actually can be instantiated in different places and in the overpass multiple domains, and so we need the dotted line route reflector, which he runs at the different layers from the underlay network, to connect them together, and it's very important that those devices when powered up be able to have burned address they can reach to an establish, secure channel. This is not just for IPSec attributes only.

E

This is for other purposes, like policies who you can talk to. For example, this are one being instantiated. He wants to send communicate with certain applications. He doesn't even know where the application is located because they may all have their own private addresses. So the the sequence is our one has to send those traffic requests to the to the controller which is I, call it raw reflector.

E

Simply because, when BGP used, a BGP itself has the mechanism to distribute controlling information, and so all the communication is not directly through each other through peers, and it's really through the controller. I know that in a security dispatch discussion, there are people debating on whether we should use controller or should be peer to peer. So just for your information, the controller is there, even if it's now for IPSec purpose or a piece, a key distribution, a management. It is there for other purposes and also form the route distribution like just like a VPN.

E

You may have attached routes. You need to Republic eight, that routes to other peers which in your domain and that's also so the wrong reflector, because the edge node don't know how to reach to the other peers and- and it's important that for the edge node to register his web port right. My one for today, I have three one ports and one is connect to the reconnect. Is the VLAN or is a secure connection? Another one is private address which need net another one.

E

Maybe it's public address public IP, reachable and that, but you can use that trees, establish them IPSec tunnel. So and then, on top of that for the ports which needs encryption, they need a pisac management, so so for the one-port propagation.

E

As I mentioned earlier, is through controller and see, for example, here I have CPU one in dollars: I have a CPU in Beijing CPE one need to communicate with their corresponding application and they need to go. Go to the controller, to figure out. Where is the CP to and how? What is the public address for CPE two, because they are open, they may have private addresses and then through that they can communicate, be able to establish channel. You have questions.

F

A

That's the last time: okay,.

E

So, in terms of how do we encode the information we have, discussions have lots of discussion with Ali and we all agreed that using tunnel in cap is the right way to move forward and the later on, I have a couple slides, showing different ways of doing it: the pros and cons of different ways. So we can defer that discussion to later on later time.

E

So today, because lots of people from security are here, our main purpose is to maybe convinced you guys that for the IPSec configuration it should be controller, facilitate it peer-to-peer doesn't scale well, did you have a.

A

Clarifying question.

F

Maybe you can expand a little bit on a need to signal, ran, puts across a a provider networks. I mean you brought up a brilliant case here, whether you may want to shunt traffic at over different ports at certain time of the day. Are you expecting to add that when you signal that, of course, through the wine ports to increase the chatter within BGP? Ok, ok, ok,.

E

So the one point self- actually it's not really when you need to send traffic- is really when a note powered up, because for the sd1 well, the important requirement is zero touch. Provisioning. You put a box, you ship, a box to your client to your customer. They power them supposedly, they were touch. Provisioning will require that box to be able to be up functioning so depending on this web box, where they are located see if they are behind a net right.

E

So they need to tell send a signal to the controller Rob reflector, here's my box, here's my port I have three ports functioning and the port one is actually is a private address, and but my net property is this: I can go using some kind of mechanism. I have detailed in the draft showing that a mechanism to detect Manette property, so I tell the controller. So in this example,.

A

Here, I want to make sure that you III heard the question slightly separately. Did you get the answer to what you have I think we'll have to delay the the detailed scenarios offline? But did you get the answer? No.

F

I did it would be good if you can send out an email on a mailing list explaining it? That would be also.

G

The interest of time you question.

A

F

The need to signal and if you're gonna signal it, because the other end really doesn't care, it works on the routing. So what's the need to signal and if you're gonna signal are you going to add? What's the indication on the charter of the right.

A

Bus, so the challenge on the creaking of the challenge or just to do it at all. Okay, we've got the question we'll pick that up later Thank You Linda for okay, good presentation. Thank.

E

You thank you very much.

A

The listing in the agenda is Ali, but Ali and Dave are gonna tag-team, maybe it'll be more entertaining that way.

H

H

Let me just think of easier, so we got the shortest presentation, but it takes two of us to present.

H

I'm not going to be presenting what is on the agenda, which is security VPN, because security pian is a solution, and it is talks about Harvey doing the point to multi-point signaling over bgp to set up the point-to-point IPSec essays and it talks about the details so before getting into the Harvey. Do it we need to talk about what we are doing it and why we are doing it, and given that this is Mike picking Ellie up everybody. Can you hear me all right?

H

Okay, thank you, and this is given that this is a joint session between the security and BGP team, I like to keep it at the high level, making sure everybody is on board with the what and boy and then later beginning to the half.

H

If I start with the architecture component, which is not also in this s, why it? Basically we are talking about the three four main components. One is zero touch for visioning such that when you have a edge device, you can just turn the power on and goes to. His ztp server gets the info where to get the configuration and then the next component is a configuration component.

H

That HD version gets a configuration component from it over the secure Channel and then third is a signaling component that deals with signaling the information we need to set up the IPSec si, as well as to do the keying, reeking and so forth, and these are the three main components and with the provisioning you know, we defer that to I to NSF with the gtp.

H

It is outside of the scope, and though- and so the signaling is what we're gonna emphasize in here- and we're going to talk about why we want to use BGP to set up these IPSec to set up these IPSec assays.

H

So, a little bit of the background that I started the EVP and about 13 14 years ago, and that goddess started as a research project and right now it is very prevalent in data center in SP and in Enterprise is basically the facto overlay controls for Oracle and solution. One of it has many reasons. One of the reason is btp. Okay, with respect to the capability, it has with respect to is proven.

H

Sql proven functionality, flexibility all that goodies okay, so that, with the same principle, we want to leverage that for the security aspects when we want to add the security feature and secure the tunnels. We currently use one signaling mechanism and this BGP, and there has been presidents before that.

H

In the last 15-20 years for the people who've been around okay, we solution had two signaling mechanism, such as for the multicast VPN. We did both PGP and we did PIM and we converge to BGP for the l2 VPN, with a targeted, LDP and BGP for discovery. Then we converge to the BGP and many other instances. This one. We have a BGP. We set up the use.

H

The BGP to set up many tunnels and for the IPSec tunnel is only one tunnel among many that we set up and we want to leverage the same signaling in here and some of the customers, basically not they're, not only asking using just the protocol, the signaling protocol to be BGP, but also even to use a single Hafiz a fee or, for example, a single solution within that. So that is basically the motivation to use BGP in here. Next, please.

A

C

So I came at this from the sty inside of our house. We've we developed st wan's, not using BGP, but with a really similar architecture. We've got a management station that would be very analogous to what a knight to NSF does. We've got our orchestrators that work very much like a route. Reflector does and we send around our are keying updates and our routing updates for the overlay network altogether.

C

It is entirely you know analogous to what we're proposing here with threw out reflectors, so we have a key exchange protocol for those who weren't insect dispatch or IPSec amia a year or so ago. There is a draft on our key exchange protocol that we've put out the the rationale, for this is keeping it controller based. We did this because of scalability as Olli was talking about that's kind of the primary functionality for it, everybody talks to a central controller, those are replicated, they communicate with each other.

C

They push the information down and we got the scale that we need it. There are other. There are other needs that we that this met we don't want to drop packets. Obviously, when something comes through and you need a session established, we don't have- we don't spend the time to do six round trips or three round trips or whatever we're going to do.

C

We want those packets to just go out, so we have sessions usually pre-established, if they're, not it's very quick to establish them, because we don't have to actually go off box to get the information. We found other issues that made the controller based model really nice. For us, we run control connections over typically provisioned quote/unquote, secure networks, customers. Certain of our customers, insist upon this. Data may go out over the public internet or a public network, but control goes over the provision of networks, and so I'll go really high-level into this key exchange. Thing. I!

C

Don't want to go into a lot of the details of it here because I think that's a task for later. If we decide to move forward with any of this, but the concept is actually really pretty simple: we send it's a different exchange, but it's done through a centralized controller. So an individual node will create a diffie-hellman pair. Send the public value up to the controller controller aggregates all the public values from the different nodes, and it sends out updates on regular on a regular basis. Now everybody knows everybody else's public number.

C

You can create a different pair. You know there's a little bit more to it. There are nonces and we try to do some good hygiene and some other stuff, but at a high level it's just a simple diffie-hellman.

C

Some some key misconceptions. People have thought this was long term static diffie-hellman. It is not we rekey in the lab when we're trying to thrash on the stuff we rekey every 15 minutes. Typically, that's not how often you're going to rekey in the real world, but it does thrash the stuff. Let me tell you we, but but things do rekey and honestly, the part of this protocol that makes it more interesting than just hey we're, exchanging diffing Hellman pairs is the synchronization over the rekey.

C

So if you imagine a network with ten thousand nodes, you need to keep that all synchronized when one of them decides to rekey he's going to send information to a controller. It's going to get to the different nodes at different times, and yet we can't drop packets. It's pretty complicated, if you think about that one node rekeying, when you think about all 10,000 nodes, randomly rekeying at their. You know at their offset of the key interval.

C

It gets pretty hairy if you, if you read the draft, it goes into a lot of detail of a slide in a moment. Talks about how that's synchronized.

C

Resynchronization yeah, as stated the route reflector or in our case you know in st LAN: it's not a route reflector, but it's the same device. It optimizes that distribution it waits for keys to come in knows when to send them out. I refer to this mechanism as kind of a lazy, synchronization lazy sounds like a negative term, but the key point of it is there are no hard timing.

C

Consideration I, don't have to get that key to another peer at a specific time, because I know I'm not going to, and the protocol is robust for letting them trickle in on different schedules to different peers.

H

All over the example, so before going over the example, let me put the example in perspective that imagine a reflector and they have a bunch of edge devices and the edge devices are connected to the rot reflector via they have BGP says each edge device has a bgp session to the ross. Reflector that goes over a secure channel of this secure channel can be, TLS can be IPSec itself or whatever. So the assumption is bgp signaling goes over secure channel, and then we use the bgp to set up these IP sa.

H

So in here I give an example a little bit I wanted to just. You know for the illustration that although I came up with a peers, okay, that can be hundred peers and each peer can have a hundred Tenon's and you're trying to set up the IP sake on a tenant basis. So you end up with again the full mesh of ten thousand.

H

So let me let me cover two more slides and then we are open to the and one more after this. So the reason I put these number they're a little bit. You know to.

H

For work, your thoughts and also to make the differentiation a little bit, you know clear. So if we talk about the let's say ten K peers and as I said, these 10 K peers can be just not another example with the hundred with a hundred edge devices with each with 110 and in it, and we want to set up IPSec tunnels among them. Basically, six IP SEC messages, IQ messages pair session, and we got ten ten thousand a square which is six hundred million, with rot reflector.

H

Basically, every year sends one message to the Ross reflector and rod reflector aggregates them, and it sends it on. We can do it on an interval basis to send it to push it to everybody else. So, depending on where you set the interval, the aggregation interval, if the Ricci interval is 60 minutes and aggregation interval is five minutes. Then you have you know you roughly.

H

You have about 100 K or 200 K. Actually, so so we are talking. You know this kind of the order of the magnitude differences between the two and the point in here is. We can use the reflector both to save messages on the ingre from the ingress PE, instead of being 10,000 messages, sent one message to the rot: reflector at and use the router afflict or mechanism to basically to do aggregation and packing and send a lot fewer messages to the egress piece.

H

So after this there is only one more slide and your open for questions. Okay, so.

C

I'm really not going to go into this slide much. This is from the draft. This was just a little bit of background. Information shows the synchronization and how it stepped through. It's, it's probably completely illegible up there on the screen and we'll kind of leave it at that last closing thought all we're going to say is: if you've read the draft or heard about it, it was named with a name fairly similar to another protocol common in the security area.

C

That seems to be a linchpin or our touchstone, and it is getting renamed. I spoke to the guy this morning, who originally named Ike Ike. He kept saying I stand by my report. Oh no wait that was Mueller, sorry um anyways.

C

He said it was okay.

I

Followed us from the IPSec working group I'm to just go back one two slides.

I

Yeah this one, alright, so there's six messages: it's not correct! That's for Ike v1! You will never use that you'll use Ike v2. So it means that it's at most two messages and if you already set up an I guess eight beforehand, so you only need to create a child, a safe for the traffic selector part. Then it's only one message to set up.

H

I

In each direction, yes,.

C

Yes, if you don't phase one and phase two.

I

That still only sending two messages and receiving two messages for messages. Okay, so.

C

Now we're at 400 million.

F

Drops very well-written all.

H

Right. Thank you.

F

You use route reflectors, yes,.

H

F

Bgp there is a notion where forwarding is preserved in some cases, but the TRO plane goes down what happens when the control plane goes down. I think the draft can help clarify few things as if are you gonna preserve the IDS or that keen parameters, and if so, how long? So that's first comment. You.

J

F

J

If you write when the second of valid points.

H

F

Second thing: is: you know we go beyond a s, so what happens when the King parameters are leaked beyond s? Maybe draft should where he explicitly hand explained that while you have route reflectors, your edge spoke nodes can leak this information out, and you can ask security guys out here. What are the security implicant implications of leaking it out? A.

A

Clarifying question to yours care: if you'd stay at the mic, that's.

H

For the inter is basically no.

F

I'm saying it could get leaked out anywhere within your domain, and so the draft should minimally say: how do you control that and then use policies to explicitly configure it? If you need to leak it out what.

H

Is information kayuu they're getting sand with associated rat targets, artis yeah.

I

H

So, based on the weather, based on the RT, you can control the distribution within your.

F

Remember they were routes. This is your security information a little different right, so you need a text they're totally.

A

F

Up all right, clarifying.

A

Question on yours: are you? Are you assuming in your discussion, the route, origin and filtering or bgp sick, or are you asking the gentleman to provide elucidation on that as well as what happens when it leaks I'm.

F

Actually asking him very indirectly and politely to add communities to not leak it out by default across the a s and then strip those communities at the policies are needed to explicitly lick it out. Some.

A

Good proposal, thank you.

K

I have a clarifying question: Anna.

A

Did you introduce yourself I'm, sorry, I'm, Ben,.

K

Caidic security area director so I have a clarifying question which is.

L

K

To the same confusion that we were having in Sec this patch but I'll.

L

K

Hopefully, I'll word it better at this time. Okay, so I understand correctly, you know, we've got the you know ten ten thousand peers and then we're gonna say your single message from each of them up to the controller and a single message from the controller down to each of them, but that single message down from the controller to each node or pure is supposed to include the nonce and the public key from all 10,000 nodes right.

L

K

How bigger there's not some other keys I've got 10,000 of them you're. This single message might end up being you know, megabytes and am I misunderstanding something here: no.

H

So it basically.

H

Based on the interval that the aggregation interval that you have, let's say you sent in K, okay, that 10 K. If the nonsan public key exceeds the single message length, then you're going to be sending multiple messages. But the key in here is you can do a lot of aggregation here. I mean we're increasing the decipher 64k sure.

K

Yeah I definitely believe, there's.

H

Maybe that can be factored in and instead of 100 K becomes 500 K or 600 K. But again this is not absolute. I just wanted to give a feel, because we had similar concerns or questions were ranged during the sex dispatch and I just wanted to that's. Why I put this example in there just to hide.

B

Here the feeling and rising that there's no no you're, not yeah yeah, so if I can jump the line, if, if I understand you right really the gist of this, isn't to get down into the weeds of the exact number exactly.

L

B

Saying that you know, without without a controller in the middle, its scales like N, squared no, the control.

H

B

Middle at skills then.

H

Exactly that, that's the gist of it. What the there was in securities fresh. There were a lot of confusion around these any school, reverses n and that's what I wanted to clarify via the example.

A

Then did you get your question answered, yeah.

K

I think so I mean I, don't know if I would say his skills exactly as I'm, but it's somewhere between a and square okay.

C

A

Okay, thank you defend.

L

From a range one general comment, people are always talking. This presentation about controller controller is supposing to have a kind of intelligence, but how deflectors, maybe the most stupid, BGP speaker in the network. So there is no intelligence, so I just want other confirmation that you are not breaking anything in the BGP machinery and what you are, what you want is just propagation yeah.

H

That's right, you control, yeah! That's why we are that's very good point and that's why, right from the beginning, I said we got these four components we have and we have ztp server and we have the four visioning server and then we have the signalling and the all. These are part of the big controller. Okay. Well, you call it as a controller, but the signaling part is what we are talking about. Our are with respect to what we are familiar. Ok,.

L

So, whatever the how to affect or design that I am using clusters or your article, how effective it does not break anything in your IP signal? Yes,.

H

Okay, actually, it helps okay, okay,.

L

And exactly the same command, ask you about what happens when the control plane is failing, so do we need to implement LLG on what are the side effects? Basically,.

H

In a short answer is, if that happens, and the control planning fails or isolated, then the rekeying aspects is gonna, be you know effect that you won't be able to rekey at the interval that you want.

I

I was still only on this document. Are we taking things in general? Anything yeah.

B

Yeah I think that and in fact I think we should invite the the other authors to you know come back up to. If we want to open the floor more, you know broader discussion so which.

I

I think we do, some of my cases like like will apply to the multiple solutions. Please.

A

Square into the discussion: okay, okay,.

I

So so the first thing is so.

H

Just a Linda, you want to also come in.

I

H

First question:.

I

Is do we have many more routes than notes, or how is this? How is this well.

H

That's a good question: okay,.

I

Because, depending on that, right, I'm like if you have many routes and fewer nodes or you could do an IPSec transport mode connection to the node and then run to your ear or something and then send oldy. So you don't have to have one IPSec as a per wrap right right, which might save you a little bit of MTU spaces.

L

I

It would save you a lot of negotiation. If a new packet comes in for a new route, you can just route it. You don't need to set up anything new at that point. So.

H

Very good, that's a good question and that has been I've described that in the some details in my in my draft secure VPN saying that we have a different level of hierarchy.

H

Okay, you can have in some scenarios you just have a secure tunnel between two peers: okay, at the PE level, I call it I got the parks level, okay and, however, for some tenants within that box, the tenant- those are special tenants and they want to have their own IPSec tunnels, okay, because they don't trust the general one and then- and you can go to the next level of the hierarchy that within that tenant, you can have a host. You know a sleepy host within that tenant.

H

That is a special and wants to have his own. So it is this. You don't have to have it for every route. Okay, but.

I

H

Gave me flexible, I.

I

Understand so now you gave me an additional problem because, because with IPSec you usually have one I guess a and you can have like thousands of child essays to from traffic, but they're still under one domain. So now you might accept a set of multiple I guess A's between these parties. If you think that they're in a different administrative domain based on which tenant they are.

I

Sorry so you're like okay, so so in your case you don't have an IKE essay, because you you, because we're.

C

I

A

Yes, they did and I wanted to take a pause. Did you June? Are you able to speak? Yes, okay, so Paul? You can also address the same question to June June. Did you get the question that Paul was asking yes.

D

So so is my draft I really don't change anything on the IPSec side because we continue to use my tour continues like v2 as way and signal protocol for that piece. Ak Tonto, the only thing I do with babies to signaled IPSec config. So whatever we do today with IPSec stay the same so.

I

I understand that part, but the part is more about re. Are you maybe not better off using an IPSec transport mode tunnel with a Giri encapsulation instead of setting up thousands of IPSec assets, yeah.

D

That for some use case that work, which means that, if you want to, for example, put all your traffic into a peacenik, somehow yeah- you could do that. But in some other case they want select Li selectively to increase chat for certain traffic. They want to use a busy person. Do not want unity SEC, then you have to go to different different destination for the different IPSec tunnel. In that case, you might need multiple IP sector knows: ok,.

I

So so, if that would be an option- and you would have some way of having to signal this yeah.

M

I

So so I'll go to my next question. That applies to all of the all of the proposals. So is IPSec optional or mandatory or either like like? Do you block sending the packets or do you do you actually.

H

Studying up the I setting up this secure tunnel is depends on the traffic. Some tenant traffic wants to go over the secure and some they don't and that gets determined by the policy and some and also there are cases that I think in Linda's use cases. You had a case of the public versus private network and for the public network for the private network. Often you don't use secure tunnel right.

I

So indicates where it is mandatory. Yes,.

J

I

Becomes what do you do when things fail like with the ike fails to establish or or if your so.

H

That depends on the policy that depends on the policy. The a policy might say: okay, I, don't trust internet, don't send anything. The other policy says. Oh, you know what I have these private tunnel and.

I

I

For instance, if IPSec is fully optional, you can load the policy into the kernel, but you can't do on-demand triggering of it, because the on demand trigger would actually then hold the packet, because it would assume it's mandated and cannot leak it back at the nuclear, for instance, all.

C

Right so I just want.

I

To make sure that people realize that next.

H

Item I have is so that's that's a good point. I mean this should be captured in the solution draft right. So.

I

The next item is empty you, so as soon as you start adding IPSec. Of course, there is just the reduced MTU of the data yeah.

L

I

Not sure if I didn't really see any of the proposals talk about this or how does affect the original data or that they think is not a problem but I think that needs to be given more thought. Absolutely.

H

So I like to ask these are good points. You're raising. Can you please send the email.

I

So the next item I, want to point out, is that there there's the issue of the RTT. So if you, if you set up an I, guess a already, we call it a childless essay where you just set up. Do you do that? The two round-trips to authenticate I? Guess a so that is not question for us all right in general, then you then you can later on on demand within one round-trip get get in child to say, and so that saves you from doing a two round-trip at that point.

I

So that saves you one round-trip, but it means that you have to set up these I guess A's in advance. So it's again it's a trade-off. You might want to think about in your desire. The next just.

H

A quick point: instead, this refers to the first option his comments: John I'll, get John. If you're on the call yeah.

D

So I mean whatever I provide. We use that we don't really change what act we do does, but.

I

But again you you might need to you. You will need to provision that whether or not all parties will do that or not yeah.

D

I mean the config part of that it could be 2nd of June.

A

This may be good for you to realize that it might be good to have usage or other details, whether that goes to IDR or that might be separated in a separate draft and and put out he's not necessarily specifying bgp tli, you've ease but operational stuff that usually goes to best, so that might be useful for you. Okay, thanks.

I

So next I'm going to cover is multicast traffic, so currently, IP 2 is in the process of supporting multicast negotiation and coupe essays. But it's not there yet v1 used to support it or actually, as I, grew unseal support its, but nobody should use it in IP 2.

I

We are working on, it's been a slow process, so it would actually be a welcome thing if we have some consumers of this go push the people that are doing this work and like for Ike v2, to put some momentum behind this and get this done and also want to mention, there's there's a session resumption and that you can also use to prevent doing it an expensive, diffie-hellman fusion. So so, maybe not for you guys, but for the other solutions.

I

If you can, instead of delete the session, you can get a session ticket resumption ticket, then you can later on much more quickly with less CPU power, re-establish a new I and our IPSec I say yes, yes, agree, and let me just go to my last bits of the part that I already sent to the mailing list, as some photos already answered in the in.

L

The first presentation.

I

You have anything so yeah just for the first rotation, the examples used or like AES CBC with 384. Please use some more modern things like ASTM.

I

Let's see I recovered that there's the there's, not an issue if, if a browser reboot, so if we have an IPSec tunnel and one of these endpoints fails, I'm, not sure what the mechanisms are where it's within IPSec that something needs to happen or whether there's a overlaying bgp security protocol. That will take that note out of commission and do something else. So.

H

One of the edge devices fail so if that edge device fails the routes to that route, reflector withdraws the route that failed device and all the other edge devices can tear down there IPSec tunnel to that. Okay.

I

So so so, basically saying an IPSec failure on on on on a node, no.

H

I thought you said: no failure, I thought you said: node failure, you're talking about the IPSec failure. Yes,.

I

Sir and talked about would just mean that something else takes that that that IPSec Gateway out of its misery and and and everything else gets rerouted around. That.

I

Innocent IPSec keep alive is there, but that's a really slow mechanism and I. Don't think you want to use that, and let me dad exactly at this warning. There is a thing called that peer detection or liveness, and right please be aware that the RFC said you should not use these probes for, like more than once, a minute all right. Some people like to send them multiple times per second, and that you get really strange things. If you try to do this, including shooting yourself, because your probes actually starting to fail so.

H

Ipsec tunnel is one of the tunnel kind. We got the MPLS tunnel, we excellent tunnel Geneva tunnel and all that the question I would expand it to to more general detection of the tunnel. Failure and IPSec would be one of.

I

It right now we just assume that IPSec is a service on a failing note and that note will just get out of rotation so that night beside point of view, you don't need to worry about that. Okay, okay,.

A

And I think it is.

L

A

Is worth considering whether notes online might be useful in your graph? Okay,.

F

A

I'm gonna ask a favor, could I ask you to let them next two guys who have signed up as security folks to go first in questioning and we'll take the rest of the folks as I can in time, in other words, step behind Ben and then I will be glad that'll. Be your turn. Thank you.

H

Okay, you're a little bit farther.

H

H

Can you know joke with him, because he is a good friend of mine.

G

So for this boss, can you go to this light with the comparison?

G

Yes scalability.

C

G

No on that presentation is called Billick examples that enormous number of messages, and so on.

N

G

Yes, yes, first of all, yes, there are some mistakes on the number of messages, as polarity said, but anyway, I think that this comparison is not completely fair, because why.

L

Not not sure not.

G

Not that I said that you compare the orange and apples, but it is you go to a bit extreme because in my case it's very case so.

H

I just wanted to make sure you don't mistake: the apple with the orange. That's why that.

G

Strong but but you just go to extreme and usually say in I case, usually I say I created on demand, and it is very rare that all ten thousands of people of beers will simultaneously create to nose with every every every p8. Yes, so it's it's some it's extreme well and then also.

H

Just like a you, have a power outage and then into the city and takes out the whole north and that the robber comes up and.

G

It will be within.

H

The within a window, but it's not going.

G

To happen anyway, 24 hours gone.

A

To the second comment,.

G

The other it's unfair for another reason: okay, these solution, I mean our like solution, and this kind of security control solution have it's like a different security properties, because in this case every node has a single public. Well you! So, for example, if you break this public wheeling this public key with some I can count quantum computer or something else, it will compromise all the essays it has with every bill and in IPS in like the classical solution, each kernel is using ephemeral difficult.

G

So if somebody breaks it, it will only compromise a single kernel and other.

G

9999 donors will become say so it is slightly difficult with different security purposes.

C

Person, yes, so so it is true, it is a shared diffie-hellman across all the nodes, though we do have Ricky along.

G

You say for messages for this reason, but you get security so that you lose some something.

B

They would very appropriately go in the security consideration section right.

C

Yeah I, don't want you to think it's not, then thought of and not addressed, but it is a. It is a limitation and there's countermeasures.

K

Thank You doc, so I tried to also be thinking you're, in addition to the the specific mechanisms proposed to try and come up with some general considerations that might apply it to all of them and so like in general. You need to consider if you're going to get your configuration through bgp or through your controller. You need to be thinking about. You know how much do you trust that configuration? What other information are you getting through the same mechanism?

K

And you know if that other information was wrong or corrupted, or you know an attacker control that? How would you break for that? And you know maybe, if you're gonna be horribly broken already, then you don't necessarily care if your configuration is also broken, and you also always want to make sure to think about. You know what properties do I want to get from IPSec like. Why am I doing this at all?

K

Do I need to protect the confidentiality confidentiality of my traffic from some other parties and there, so you know which other parties do I need to authenticate appear. You know, and you need to do sort of like a full system- analysis to make sure that you're actually getting that property.

K

For example, if you have a system where you do want to authenticate to peer, and instead of relying on a central asia' parinama, unlike some sort of certificate to authenticate, you know the key that you're gonna use your instead gonna say well, I got this key from a trusted. Central controller and I'm, just gonna trust that standard controller. To give me the properly authenticated mapping between keys and identifiers that might change a little bit what your authentication story is, and so you want to think about that.

K

It may not be a problem, but it is something you want to think about.

K

Another thing that's sort of important is, if you do want to have the confidentiality protection, it's important to remember that it's confidential, you know, confidentiality, protection from some entity or some class of entities, and so, if it's possible to end up with the wrong configuration, whether that's you know, traffic, selectors or or your keys or whatnot.

K

It may well be the case that you can end up with a connection that is using IPSec and providing you confidential confidentiality protection from the wrong people and is in fact connecting to the people that you didn't want to talk to. And so you know just because you have a successful IPSec association and you know you're encrypting, your data, you gotta, make sure you're encrypting it to the right people and I. Think in terms of the when we're adding multiple ways to distribute configuration, information just.

H

A quick note, the respective last point it is. It is important because you're gonna try to make the over try to make the connectivity over the van as secure as possible. But if you don't take care of the cross connect between your end user and the traffic that it is unencrypted, then all your effort is wasting yeah.

K

There's all sorts of ways things I think. My my last point is is just to say that you know if you do have the multiple mechanisms to get in configuration as long as everybody agrees to normal to use the normal type of human mechanisms, that's totally fine to use the tiebreaking mechanisms for like if you've got two different things that are trying to complain the same route in terms of what configuration to use as long as everybody knows what the tiebreak mechanism I think. That's that's generally,.

L

K

And sorry, I had one more point: there's a lot of these aspects that will be easily controlled using sort of local policy to make sure your your traffic selectors actually make sense in the broader scheme, and so you can like do sanity. Checking on some of the configuration you get. My guess is, must serve for the controller icon. The other two did.

A

You say just one more moment about the track: traffic. Selectors. Are you addressing that generally then, to both presentations, or did you have more for June's, freeze, tation and his color selector I.

K

Think that was both of the first two presentations. Thank.

A

You and thank you for taking and Paul and I didn't catch. The little gentleman.

K

Valerie's lot of something.

A

Thank you very much for taking the time to think through that and give us such detailed feedback. I I know this is being recorded, so I will go back and write myself. Watson notes based on it. If you would send any of it to the may list, we'd also appreciate it. Yeah I will try to do that and.

C

Just really quickly to address a little bit of the the authentication issues and you there's certainly a need for an edge to identify the controller, authoritative, Lea and Ann, and vice versa. Some of that is slightly discussed in in my draft, but it's kind of cursory there's an assumption that that has happened. When you look at the architecture there, it it's going back to starting with ztp and how does something connect to the network, but I very much agree.

C

It all has to be tied together that whole authentication chain, because obviously fundamentally nothing matters if I don't know who I'm talking to.

H

So actually, we were also planning to write our architecture, draft that talks about these different pieces and how they're glue together so that to make sure that the overall picture is clear.

H

A

We, the last presentation for the day that was invited on I'm warren jr you're off now, so we just have two more I do presentations you have about three or four minutes guys super.

F

Tell us two more points, sure I'm, echoing what Stefan said earlier. If you're going to do this using route reflectors, you may want to suggest implementers as end operators as to is there. A lot of message is not that BGP can't handle, but you will see a head of line blocking if you will start mixing up officer fees, so probably I don't have a good suggestion for you, but probably a separate route reflector or something that doesn't affect routes at all. The routes.

F

Second thing is: that was a draftee, an idea working group which actually tracked for labels. If the labels became inactive, they had a way to take the routes out or the next stalks out, because this is an IPSec tunnel and I think Paul mentioned it's. One second keep alive. You are more than welcome to reduce it to milliseconds. It's Paul's problem, not mine, but you wanna, give some suggestion in text to the implementers to say: should that tunnel become inactive, what I mean?

F

What are the means to detect that tell is inactive, and how do you go about doing it up here? Absolutely.

H

No, no, no that's important.

O

On the math actually does not change the picture, a big picture, but let's to make sure people to leave the leave the room with this big number. Yes, so 600, meaning that's not I- think the right number should be higher. Okay,.

C

O

C

O

Am tied it sings square knot and cubicle I. Think that's the type of x squared in Kos square would be a hundred K right. A hydro, K 10.

H

K is a hundred million, is 100 million.

P

L

Different from orange I wanted to go back to the pendulum, caps and phenotypes that we are acquiring, because I think we have plenty of different use case. So you have a simple one, which is a IPSec Turner, but but then we can use any kind of overlay with IPSec transport mode. So how do we do it? So today we have some of the combinations that are defined in our 5566, which may probably disappear. So we need to create something else. So then, are we keeping creating a combination of each overlay, + IP, SEC transport model?

L

Are we using something more flexible so telling, for example, that I'm using vague slang, type processor, TLV things that I'm doing IPSec transport well.

H

The current thinking that's a valid question and point. The current thinking is the IPSec attribute. The the the theory that gets carried in the tunneling cap is going to specify what kind of the IPSec we have and then we have this extended community to to define what kind of the over Libya. Is it VX LAN or is it Geneva or whatever? So we've done this kind of thing for the multicast as well, because in multicast we send pins, eternal attribute and the pins eternal attribute can be team or so forth.

H

So with the team question is what is inside the pin? Is it VX, an or Geneva or what so, what they want? That the trick that or not the trick? What we've done is we send the IP eternal attribute to say that this is a trim panel and then the extended community to say what is the type of the overlay that gets carried inside a tunnel but.

A

That particular piece, you need to think how you might do it with attributes. You know because you're now into tunnel attributes separate point I needed to as a chair as if we can close the line, because I've got 20 minutes and 20 minutes for the presentation. Did you have a quick one in Richmond.

M

L

I just want to finish with a Linda's draft and we turn around observation types where you are trying to define the kind of sd1 typist sd1 is not really enough. Affiliation, I.

E

Didn't get a chance to present them, how we encode the message into the tunneling cab and if, if I get chance next time to show details, you will see that the tunneling cab we need a different tunnel type. So for specifically for the overlay long reach over, like so I call it as do I can.

E

A

And that one folks, Stephan and Linda would be good on the list as well.

Q

Justin Sarah, so the graph implicitly suggests that relationship between endpoints and distribution point is ibgp other cases where it could be ebgp for.

H

The and, if you're, connecting if you're, connecting the SS together because ebgp within the network itself, typically is you know like a it use for your underlay, for the overlay goes I be GP, so the a BGP that I can think of is for the you know in case of the inter area, stuff or.

Q

Maybe actually there is a wanna true, but if there is probably you want to think about route servers and address the garden. Oh yeah.

A

Okay, folks, we're gonna close the line and go from the next presentation. I want to big thank.

L

A

The cruise endeavors and for the.

B

Alex before before you start I want to ask Alvaro to come up and say you know two words about charter. If that's okay, Alvaro, but only two words, please pick them well.

G

N

Okay, so you guys know because it's been on the mailing list- that we're looking to recharter ID are one of the reasons we try to write the ours, because the charter has much of items in it that have been completed, other items that we're not doing anymore, and it doesn't necessarily reflect everything that we're doing right now.

N

So no there's been discussion on the list about what the working group wants to do talking to the chairs earlier. What we think we want to do, the discussions are gonna happen on Friday, so don't even come and ask any questions when we think we want to do. Is we want to produce a general charter that talks about what the working group does in general? Who are the other work groups that we coordinate with bears gross eye, drops you know, etc.

N

All those other working groups, maybe a little bit of how that happens, maybe call out some specific things to clarify what ID are versus the other working groups are responsible for. If anyone can come up with something that should not be covered by IDR, maybe we want to put it there, but the specific work items so that we don't run into the same charter with half the items completed in half not and some that we're not going to do in another two years and have to reach our again we want to do.

N

Is we want to manage all the work items through the milestones? So what we hope that we'll do is we'll give the chairs a lot more manageability, the working group and a lot more flexibility. If there are things that come up, there are more interesting that, whatever we've been doing in the last six months, we can change some of the milestone orders or whatever, with the working group of personal senses, and we can move on that a lot quicker. We will hopefully avoid discussions about.

N

Well, that is not a charter or that is in the Charter or you know, etc, or things like that again, the other thing wants to avoid is to have to every couple of years go through the painful process of recharter in their working group, but instead we can just talk in the working group with the input of the other work groups that are close to where they are about what are the important things or the higher priority things everything's important the higher priority things that we should be working on at any given time so think about that and on Friday I think we're gonna have a larger discussion on those items, and hopefully some text on what the Charter is.

N

Gonna actually say. Thanks.

B

A

Folks, we will probably run two to three minutes over because we've, because we've run wrong I'd like to give each presenter about 10 minutes, just be warned we'll just let the next presenter go.

R

Okay, hello, I'm Marsha from Cisco today, I'm going to present the updates to the draft PGP PFT straight mode since last ITF. Since last ITF, we have a new Corsa Jeff has joined us from juniper.

R

All right, the drafter was presented at ITF 104 in Prague and since then main updates to this document, our PGP finest tape machine weighs the PFD 3d mode. We also propose the PFD Haute timer, both manageability and security considerations. Sections are revised. Those a.

R

Quick recap of the draft M, the BGP, the bgp PFD, capable sorry, the PGP PFD Street mode is a solution proposed the to address the PGP and the PFD interaction issues. The solution defines bgp PFD capability and enables the PFD capability negotiation operations are a bgp speaker which supports capabilities advertisement and has BFD street mode enabled must include the BGP PFD capability. With the a speed set in the BTB capabilities, it advertises a BGP speaker which support Beach, PFD capability and exams, the and exams the PFD capability received the from its peer okay.

R

If both the local and the remote, the BGP speakers have a PFD, Street mode enabled then bgp session established will be established after PFD such a yes up. If either BGP pier has not advertised the PFDs capability with 3d mode enabled, then the FD session state will not be required of order bgp session establishment. Ok, please note that this does not preclude usage of PFD and after the BGP session establishment.

R

The new updates BGP final state machine with PFD straight amount, if both the local and remote DTES speakers have BFD street model neighborhood the BGP. Finally, the Machine does not a transition to establish the state from open, sent or open confirm state until the PFD session is up.

R

Ok um in this state, no keep life messages are sent. Ok, the keepalive timer is not set.

R

If PFD session does not a transition to up state and negotiator hold on timer has non zero value, then BGP finite state machine. We are closed. Session of the BGP whole time expires.

R

In a case the negotiator hold on time. Value is zero, then PFD hold timer with the t4. The value of 30 seconds proposed is proposed, so after the PFD hold on time expires. Bgp finest a machine will closed the session.

R

If PFD session is in Adam in downstate, BGP finest animation will proceed normally without input from PFD. Okay, if PFD is disabled or deconflict from a BGP spear and BGP session is in is held in the opens, send or open come from state. Then BGP will close session and start a new TCP connection.

R

Updates to manageability and security consideration, a BGP notification messages, sub code indicating PFD hold on time. Expiration may be required for network management, and this will be discussed in next. The revision of the document, the security consideration of PFD, becomes considerations for BGP when it's used.

R

The use of PFD authentication mechanism defined in the IFC v h0 is recommended when used to protect the BGP.

R

The view comments are real calm and.

A

Folks, we're running that long. Then I'm gonna give her a bit of time time or asked us to go to the list and I think we'll slip in Alexander, so I'm. Sorry to trim your comments. If you will catch her afterwards, Alexander, why don't you go for about I've got enough time to why? Don't you give the brief two or three points you need before grow or do you need the full ten minutes.

A

Go you got it Ben. Thank you very much.

P

B

Ten minutes for small values of 10.

J

Hello, everybody, my name is Alexander azimuth I work for Yandex, and this will be very quick update for BGP rolls draft, so the core of the original design is BGP rolls BGP rolls is a proposed new configuration parameter that is negotiated in open BGP me in open messages, so there are 5 specified roles, customer provider, peer router and route server client. So the draft was already here for at least 3 years.

J

Originally it was a transit attribute to detent to detect and prevents networks from leaking. After that it was treated in to to IOT see for prevention, yo TC for detection. Then it was merged with another attribute from another draft. Then I see a merged and it's changed. They feel slightly because we need solution faster than reworks. We were thinking previously and that's why our LP attribute was transformed into do community and IOT C was nearly ready for working group.

J

Last call we had implementations, it now happens, modular design and I'm going to go through and explain why it's happening and why it's happening now. So please take a look at these rules. I will spend more time on this writer than on any other style, because it is important first rule. Is it a quote from leak prevention draft? It says if a route is received from provider, route, server or peer, it must not be sent to another provider appearing. In other words, it must be sent only to down streams only to customers. Second rule.

J

If a route is sent to customer beer or Andres client, it also must follow only down rule. So these rules are nearly the same, but represents the picture from different sides of BGP session, one rule for receiver and one rule for the sender button, but in general they are just the same. So we're getting OTC back. We are getting a transit attribute. That's is capable for both prevent networks from leaking and detect anomalies. So, and also it is improved, ought to see attribute. It has a different design from the original one.

J

It says that on ingress policy you must set. This attribute is not set, and if we are receiving a prefix from route server provider appear on the ingress policy. You are saying that if yo TC is not set, you are setting when sending its to customers and peers.

J

So in the picture, the picture of how it's working on the left side is provider. On the right hand, side is customer, no matter who is setting out to see the value will be the same, so we are getting a tool that has negotiated its configuration plus. We also have a double checked configuration of OTC attribute.

J

With this attribute, we have a very simple rules for a root leak, detection and prevention. So I will just drop the slide and go through the example here. I Swan is sending prefix to eyes to its customer again, no matter who is setting out to see it might be said, or by is one on egress on IRA's or by is to on ingress. The value will be the same.

J

The value value will be a a s1 and on the other side of our own system, it must be checked that ultc exists, so it if it is checked on egress, where we have leak prevention. If it's it is checked on ingress. We have leak detection. So we have rules that are negotiated on both sides. We have marking that is done on both sides and we we have a leak detection. That also is done on both sides.

J

So the interesting question is what we should do with route leaks, and it seems that the only policy that can be applicable for out the communication- you must drop them, but in certain situations you may want to pass them by, for example, just to learn the signal before applying this mass drop policy. So I will get to this equation in more detail after the coffee break during recession and job.

A

Will you tell us when the gold session is it's.

J

A

B

Session this room so.

A

Stay here and enjoy the next. Thank you and.

J

The last question that is must be highlighted for years during discussion related to root leak, detection question. We had an argument which one is better: should we go with community or should we go with attribute attribute? Is more native? It's more reliable signal. It's memory efficient, it's not over loud with different functions, but community here is easy to deploy. We can in selected papers, so we can deploy it tomorrow in Yandex.

J

We can deploy it tomorrow, so instead of arguing which- which one is better, we decided to do both, so they will be an OTC, a proper attribute that will be used for lick prevention and detection, and there will be also a community that will model OTC behavior just for same purpose. The difference is that OTC will be available in a couple of years. Communicator can be become available in a month, so there's some summary on the current status. So we transformed I OTC to a transit OTC. We have marking on both sides.

J

We have a configuration check on both sides. We have filtering on both sides. Rolls can provide automation for the for solution for bulls community in attribute. So, thank you for listening. I. Don't think we have a lot of time for Croatians, but you can grow.

A

Yes, yes, yes, um the other thing is, if the it's an attribute it has, you know, send it back the idea for that: okay, yeah.

J

So uh so, if we're changing the attributes that we and we need to ask for another allocation, am I right? Okay,.

B

Good thanks, everybody see you Friday.