draft-ietf-rtgwg-net2cloud-gap-analysis-00.txt   draft-ietf-rtgwg-net2cloud-gap-analysis-01.txt 
Network Working Group L. Dunbar Network Working Group L. Dunbar
Internet Draft A. Malis Internet Draft A. Malis
Intended status: Informational Huawei Intended status: Informational Huawei
Expires: August 6, 2019 C. Jacquenet Expires: September 25, 2019 C.
Jacquenet
Orange Orange
February 12, 2019 March 25, 2019
Gap Analysis of Interconnecting Underlay with Cloud Overlay Gap Analysis of Interconnecting Underlay with Cloud Overlay
draft-ietf-rtgwg-net2cloud-gap-analysis-00 draft-ietf-rtgwg-net2cloud-gap-analysis-01
Abstract Abstract
This document analyzes the technological gaps when using SD-WAN to This document analyzes the technological gaps when using SD-WAN to
interconnect workloads & apps hosted in various locations, interconnect workloads & apps hosted in various locations,
especially cloud data centers when the network service providers do especially cloud data centers when the network service providers do
not have or have limited physical infrastructure to reach the not have or have limited physical infrastructure to reach the
locations [Net2Cloud-problem]. locations [Net2Cloud-problem].
Status of this Memo Status of this Memo
skipping to change at page 1, line 41 skipping to change at page 1, line 42
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on July 6, 2019. This Internet-Draft will expire on September 25, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License. warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction...................................................2 1. Introduction...................................................2
2. Conventions used in this document..............................3 2. Conventions used in this document..............................3
3. Gap Analysis of C-PEs Registration Protocol....................4 3. Gap Analysis of C-PEs WAN Ports Registration...................4
4. Gap Analysis in aggregating VPN paths and Internet paths.......5 4. Gap Analysis in aggregating VPN paths and Internet paths.......5
4.1. Gap analysis of Using BGP to cover SD-WAN paths...........6 4.1. Gap analysis of Using BGP for SD-WAN......................6
4.2. Gaps in preventing attacks from Internet facing ports.....9 4.2. Gaps in preventing attacks from Internet-facing ports.....9
5. Gap analysis of CPEs not directly connected to VPN PEs........10 5. Gap analysis of CPEs not directly connected to VPN PEs........10
5.1. Gap Analysis of Floating PEs to connect to Remote CPEs...11 5.1. Gap Analysis of Floating PEs to connect to Remote CPEs...12
5.2. NAT Traversal............................................12 5.2. NAT Traversal............................................12
5.3. Complication of using BGP between PEs and remote CPEs via 5.3. Complication of using BGP between PEs and remote CPEs via
Internet......................................................12 Internet......................................................12
5.4. Designated Forwarder to the remote edges.................13 5.4. Designated Forwarder to the remote edges.................13
5.5. Traffic Path Management..................................13 5.5. Traffic Path Management..................................14
6. Manageability Considerations..................................14 6. Manageability Considerations..................................14
7. Security Considerations.......................................14 7. Security Considerations.......................................14
8. IANA Considerations...........................................14 8. IANA Considerations...........................................15
9. References....................................................14 9. References....................................................15
9.1. Normative References.....................................15 9.1. Normative References.....................................15
9.2. Informative References...................................15 9.2. Informative References...................................15
10. Acknowledgments..............................................16 10. Acknowledgments..............................................16
1. Introduction 1. Introduction
[Net2Cloud-Problem] describes the problems that enterprises face [Net2Cloud-Problem] describes the problems that enterprises face
today in transitioning their IT infrastructure to support digital today in transitioning their IT infrastructure to support digital
economy, such as connecting enterprises' branch offices to dynamic economy, such as connecting enterprises' branch offices to dynamic
workloads in different Cloud DCs. workloads in different Cloud DCs.
This document analyzes the technological gaps to interconnect This document analyzes the technological gaps to interconnect
dynamic workloads & apps hosted in various locations and in Cloud dynamic workloads & apps hosted in various locations and in Cloud
DCs that the enterprise existing VPN service provider might not have DCs that the enterprise's VPN service provider may not own/operate
or have limited the physical infrastructure to reach. When or may be unable to provide the required connectivity to access
enterprise' VPN service providers do not have or have insufficient these locations. When enterprise' VPN service providers have
bandwidth to reach a location, SD-WAN is emerged as way to aggregate insufficient bandwidth to reach a location, SD-WAN techniques can be
bandwidth of multiple networks, such as MPLS VPN, Public Internet, used to aggregate bandwidth of multiple networks, such as MPLS VPNs,
etc. This document primarily focuses on the technological gaps of the Public Internet, to achieve better performance and visibility.
SD-WAN. This document primarily focuses on the technological gaps of SD-WAN.
For ease of description, SD-WAN edge, SD-WAN end points, C-PE, or For ease of description, a SD-WAN edge, a SD-WAN end-point, C-PE, or
CPE are used interchangeably throughout this document. CPE are used interchangeably throughout this document.
2. Conventions used in this document 2. Conventions used in this document
Cloud DC: Third party Data Centers that usually host applications Cloud DC: Third party Data Centers that usually host applications
and workload owned by different organizations or and workload owned by different organizations or
tenants. tenants.
Controller: Used interchangeably with SD-WAN controller to manage Controller: Used interchangeably with SD-WAN controller to manage
SD-WAN overlay path creation/deletion and monitor the SD-WAN overlay path creation/deletion and monitor the
path conditions between sites. path conditions between sites.
CPE-Based VPN: Virtual Private Secure network formed among CPEs. CPE-Based VPN: Virtual Private Network designed and deployed from
This is to differentiate from most commonly used PE- CPEs. This is to differentiate from most commonly used
based VPNs a la RFC 4364. PE-based VPNs a la RFC 4364.
OnPrem: On Premises data centers and branch offices OnPrem: On Premises data centers and branch offices
SD-WAN: Software Defined Wide Area Network. In this document, SD-WAN: Software Defined Wide Area Network, "SDWAN" refers to
"SD-WAN" refers to the solutions specified by ONUG (Open the solutions of pooling WAN bandwidth from multiple
Network User Group), https://www.onug.net/software- underlay networks to get better WAN bandwidth
defined-wide-area-network-sd-wan/, which is about management, visibility & control. When the underlay is
pooling WAN bandwidth from multiple underlay networks to private network, traffic can traverse without additional
get better WAN bandwidth management, visibility &
control. When the underlay networks are private
networks, traffic can traverse without additional
encryption; when the underlay networks are public, such encryption; when the underlay networks are public, such
as Internet, some traffic needs to be encrypted when as the Internet, some traffic needs to be encrypted when
traversing through (depending on user provided traversing through (depending on user-provided
policies). policies).
3. Gap Analysis of C-PEs Registration Protocol 3. Gap Analysis of C-PEs WAN Ports Registration
SD-WAN, conceived in ONUG (Open Network User Group) a few years ago The SD-WAN WG stemmed out from ONUG (Open Network User Group) in
as a means to aggregate multiple connections between any two points, 2014 and was the placeholder to define SD-WAN as a means to
has emerged as an on-demand technology to securely interconnect the aggregate multiple underlay networks between any two points. SD-WAN
OnPrem branches with the workloads instantiated in Cloud DCs that do technology has emerged as an on-demand technology to securely
not connect to BGP/MPLS VPN PEs or have very limited bandwidth. interconnect the OnPrem branches with the workloads instantiated in
Cloud DCs that do not connect to BGP/MPLS VPN PEs or have very
limited bandwidth.
Some SD-WAN networks use the NHRP protocol [RFC2332] to register SD- Some SD-WAN networks use the NHRP protocol [RFC2332] to register WAN
WAN edges with a "Controller" (or NHRP server), which then has the ports of SD-WAN edges with a "Controller" (or NHRP server), which
ability to map a private VPN address to a public IP address of the then has the ability to map a private VPN address to a public IP
destination node. DSVPN [DSVPN] or DMVPN [DMVPN] are used to address of the destination node. DSVPN [DSVPN] or DMVPN [DMVPN] are
establish tunnels among SD-WAN edge nodes. used to establish tunnels between WAN ports of SD-WAN edge nodes.
NHRP was originally intended for ATM address resolution, and as a NHRP was originally intended for ATM address resolution, and as a
result, it misses many attributes that are necessary for dynamic result, it misses many attributes that are necessary for dynamic
endpoint C-PE registration to controller, such as: endpoint C-PE registration to controller, such as:
- Interworking with MPLS VPN control plane. A SD-WAN edge can have - Interworking with MPLS VPN control plane. A SD-WAN edge can have
some ports facing MPLS VPN network and some ports facing public some ports facing MPLS VPN network over which packets can be sent
Internet that requires encryption for some sensitive data to natively without encryption and some ports facing the public
traverse. Internet over which sensitive traffic needs to be encrypted before
- Scalability. NHRP/DSVPN/DMVPN works fine with small number of edge being sent.
nodes. When a network has more than 100 nodes, the protocol does - Scalability. NHRP/DSVPN/DMVPN works fine with small numbers of
not work well. edge nodes. When a network has more than 100 nodes, the protocol
- NHRP does not have the IPsec attributes, which are needed for peers to does not work well.
build Security Associations over public internet. - NHRP does not have the IPsec attributes, which are needed for
- NHRP does not have field to indicate C-PE supported encapsulation types, peers to build Security Associations over public internet.
such as IPsec-GRE, IPsec-VxLAN, or others. - NHRP messages do not have any field to encode the C-PE supported
- NHRP does not have field to indicate C-PE Location identifier, such as encapsulation types, such as IPsec-GRE or IPsec-VxLAN,.
Site Identifier, System ID, and/or Port ID. - NHRP messages do not have any field to encode C-PE Location
- NHRP does not have field to describe the gateway to which the C-PE identifiers, such as Site Identifier, System ID, and/or Port ID.
is attached. When a C-PE is instantiated in a Cloud DC, to - NHRP messages do not have any field to describe the gateway(s) to
establish connection to the C-PE, it is necessary to know the which the C-PE is attached. When a C-PE is instantiated in a Cloud
Cloud DC operator's Gateway to which the CPE is attached. DC, to establish connection to the C-PE, it is necessary to know
- NHRP does not have field to describe C-PE's NAT properties if the the Cloud DC operator's Gateway to which the CPE is attached.
C-PE is using private addresses, such as the NAT type, Private - NHRP messages do not have any field to describe C-PE's NAT
address, Public address, Private port, Public port, etc. properties if the C-PE is using private addresses, such as the NAT
type, Private address, Public address, Private port, Public port,
etc.
[BGP-SDWAN-EXT] describes how to use BGP for SD-WAN edge nodes to [BGP-SDWAN-PORT] describes how to use BGP for SD-WAN edge nodes to
register its properties to SD-WAN controller, which then register their WAN ports properties to the SD-WAN controller, which
disseminates the information to other SD-WAN edge nodes that are then disseminates the information to other SD-WAN edge nodes that
authenticated to communicate. are authenticated before the SD-WAN controller and the other SD-WAN
edge nodes can communicate with them.
4. Gap Analysis in aggregating VPN paths and Internet paths 4. Gap Analysis in aggregating VPN paths and Internet paths
Most likely, enterprises especially large ones already have their Most likely, enterprises (especially the largest ones) already have
CPEs interconnected by providers' VPNs, such as EVPN, L2VPN, or their CPEs interconnected by providers' VPNs, based upon VPN
L3VPN. The VPN can be PE based or CPE based as shown in the techniques such as EVPN, L2VPN, or L3VPN. The VPN can be PE-based or
following diagram. The commonly used CPE-based VPNs have CPE CPE-based. The commonly used PE-based VPNs have CPE directly
directly attached to PEs, therefore the communication is considered attached to PEs, therefore the communication between CPEs & PEs is
as secure. BGP are used to distribute routes among CPEs, even though considered as secure. MP-BGP is used to learn & distribute routes
sometimes routes among CPEs are statically configured. among CPEs, even though sometimes routes among CPEs are statically
+---+ EVPN MAC/IP BGP updates configured.
+======+RR +===========+
// +---+ \\
// \\
// <-----EVPN-VxLAN------> \\
+-+--+ ++-+ ++-+ +--+-+
| CPE|--|PE| |PE+----+ CPE|
| 1 | |1 | |x | | x |
+-+--+ ++-+ ++-+ +----+
| |
| VPN +-+---+ +----+
| Network | PE3 | |CPE |
| | |- --| 3 |
+--------+ +--+--+ +-+---+ +----+
| CPE +----+ PE4 |--------+
| 4 | +---+-+
+--------+
=== or \\ indicates control plane communications
Figure 1: L2 or L3 VPNs over IP WAN
To use SD-WAN to aggregate Internet routes with the VPN routes, the To aggregate paths over the Internet and paths over the VPN, the C-
C-PEs need to have some ports connected to PEs and other ports PEs need to have some WAN ports connected to the PEs of the VPNs and
connected to the Internet. It is necessary to have a registration other WAN ports connected to the Internet. It is necessary for the
protocol for C-PEs to register with their SD-WAN Controllers to CPEs to use a protocol so that they can register the WAN port
establish secure tunnels among relevant C-PEs. properties with their SD-WAN Controller(s): this information
conditions the establishment and the maintenance of IPsec SA
associations among relevant C-PEs.
If using NHRP for registration, C-PEs need to participate in two If using NHRP for registration purposes, C-PEs need to participate
separate control planes: EVPN&BGP for CPE-based VPNs via links in two separate control planes: EVPN&BGP for CPE-based VPNs and NHRP
directly attached to PEs and NHRP & DSVPN/DMVPN for ports connected & DSVPN/DMVPN for ports connected to the Internet. Two separate
to internet. Two separate control planes not only add complexity to control planes not only add complexity to C-PEs, but also increase
C-PEs, but also increase operational cost. operational cost.
+---------Internet paths--------------+ +---+
| | +--------------|RR |----------+
| +---+ | / Untrusted +-+-+ \
| |RR | | / \
| +======+---+===========+ | / \
| // \\ | +----+ +---------+ packets encrypted over +------+ +----+
| // <-----EVPN-VxLAN----> \\ | | TN3|--| A1-----+ Untrusted +------ B1 |--| TN1|
| +-+--+ ++-+ ++-+ +--+-+ (|) +----+ | C-PE A2-\ | C-PE | +----+
| | CPE|--|PE| |PE+--+ CPE| (|) +----+ | A A3--+--+ +---+---B2 B | +----+
+--| 1 | |1 | |x | | c |---+ | TN2|--| | |PE+--------------+PE |---B3 |--| TN3|
+-+--+ ++-+ ++-+ +----+ +----+ +---------+ +--+ trusted +---+ +------+ +----+
| | | WAN |
| VPN +-+---+ +----+ +----+ +---------+ +--+ packets +---+ +------+ +----+
+--------+ | Network | PE3 | |CPE | | TN1|--| C1--|PE| go natively |PE |-- D1 |--| TN1|
| CPE | | | |- --| 3 | +----+ | C-PE C2--+--+ without encry+---+ | C-PE | +----+
| c | +-----+ +-+---+ +----+ | C | +--------------+ | D |
+------+-+-------+ PE4 |-----+ | | | |
+---+-+ +----+ | C3--| without encrypt over | | +----+
Figure 2: CPEs interconnected by VPN paths and Internet Paths | TN2|--| C4--+---- Untrusted --+------D2 |--| TN2|
+----+ +---------+ +------+ +----+
Figure 1: CPEs interconnected by VPN paths and Internet Paths
4.1. Gap analysis of Using BGP to cover SD-WAN paths 4.1. Gap analysis of Using BGP for SD-WAN
Since C-PE already supports BGP, it is desirable to consider using
BGP to control the SD-WAN instead of two separate control planes.
This section analyzes the gaps of using BGP to control SD-WAN. This section analyzes the gaps of using BGP to control SD-WAN.
As described [BGP-SDWAN-Usage], SD-WAN Overlay Control Plane has As described in [BGP-SDWAN-Usage], SD-WAN Overlay Control Plane has
three distinct functional tiers: three distinct aspects:
- SD-WAN node's private address and WAN Ports/Addresses
registration to the SD-WAN Controller.
o It is for informing the SD-WAN controller and potential - SD-WAN node's WAN Ports Property registration to the SD-WAN
peers of the underlay networks to which the C-PE is Controller.
connected. o It is to inform the SD-WAN controller and potential peers
of the WAN ports property of the C-PE [SDWAN-Port]. When
the WAN ports are using private addresses, this step can
register the type of NAT that translate private addresses
into public ones.
- Controller Facilitated IPsec SA management and NAT information - Controller Facilitated IPsec SA management and NAT information
distribution distribution
o It is for SD-WAN controller to facilitate or manage the o It is for SD-WAN controller to facilitate or manage the
IPsec configurations and peer authentications for all IPsec configuration and peer authentication for all IPsec
IPsec tunnels terminated at the SDWAN nodes. For some tunnels terminated at the SDWAN nodes.
scenarios where the WAN ports are private addresses, this
step is for informing the type of NAT translating the
private addresses to public ones.
- Establishing and Managing the topology and reachability for - Establishing and Managing the topology and reachability for
services attached to the client ports of SD-WAN nodes. services attached to the client ports of SD-WAN nodes.
o This is for the overlay layer's routes distribution, so o This is for the overlay layer's route distribution, so
that a C-PE can establish the overlay routing table that that a C-PE can populate its overlay routing table with
identifies the next hop for reaching a specific entries that identify the next hop for reaching a specific
route/service attached to remote nodes. [SECURE-EVPN] route/service attached to remote nodes. [SECURE-EVPN]
describes EVPN and other options. describes EVPN and other options.
RFC5512 and [Tunnel-Encap] describe methods for endpoints to RFC5512 and [Tunnel-Encap] describe methods for endpoints to
advertise tunnel information and to trigger tunnel establishment. advertise tunnel information and trigger tunnel establishment.
RFC5512 & [Tunnel-Encap] have the Endpoint Address to indicate IPv4 RFC5512 & [Tunnel-Encap] use the Endpoint Address that indicates an
or IPv6 address format, the Tunnel Encapsulation attribute to IPv4 or an IPv6 address, and the Tunnel Encapsulation attribute to
indicate different encapsulation formats, such as L2TPv3, GRE, indicate different encapsulation formats, such as L2TPv3, GRE,
VxLAN, IP-in-IP, etc. There are sub-TLVs to describe the detailed VxLAN, IP-in-IP, etc. There are sub-TLVs to describe the detailed
tunnel information for each of the encapsulations. tunnel information for each of the encapsulation types.
[Tunnel-Encap] removed SAFI =7 (which was specified by RFC5512) for [Tunnel-Encap] removed SAFI =7 (which was specified by RFC5512) for
distributing encapsulation tunnel information. [Tunnel-Encap] distributing encapsulation tunnel information. [Tunnel-Encap]
require Tunnels being associated with routes. requires that tunnels need to be associated with routes.
There is also the Color sub-TLV to describe customer-specified There is also the Color sub-TLV to describe customer-specified
information about the tunnels (which can be creatively used for SD- information about the tunnels (which can be creatively used for SD-
WAN) WAN).
Here are some of the gaps using [Tunnel-Encap] to control SD-WAN: Here are some of the gaps using [Tunnel-Encap] to control SD-WAN:
- Lacking C-PE Registration functionality - Lacking C-PE WAN Port Property Registration functionality
- Lacking IPsec Tunnel type - Lacking IPsec Tunnel type
- [Tunnel-Encap] has Remote Address SubTLV, but does not have any - [Tunnel-Encap] has Remote Address SubTLV, but does not have any
field to indicate the Tunnel originating interface, which was in field to indicate the Tunnel originating interface, as defined in
RFC5512. RFC5512.
- The mechanisms described by [Tunnel-Encap] cannot be effectively - The mechanisms described by [Tunnel-Encap] cannot be effectively
used for SD-WAN overlay network because a SD-WAN Tunnel can be used for SD-WAN overlay network because a SD-WAN Tunnel can be
between Internet facing WAN ports of two C-PEs and needs to be established between Internet-facing WAN ports of two C-Pes. This
established before data arrival because the tunnel establishment tunnel needs to be established before data arrival because the
can fail, e.g. two end points supporting different encryption tunnel establishment can fail, e.g., in case the two end-points
algorithms. support different encryption algorithms.
- Client traffic (e.g. an EVPN route) can have option of going - Client traffic can either be forwarded through the MPLS network
through MPLS network natively without encryption, or going through natively without any encryption for better performance, or through
the IPsec tunnels between the internet facing WAN ports of two C- the Internet-facing ports with IPsec encryption.
PEs. - There can be many client routes associated with the SD-WAN IPsec
- There is no routes to be associated with the SD-WAN Tunnel between tunnel between two C-PE's Internet-facing WAN ports, but the
two C-PE's internet facing WAN ports, unless consider using the corresponding destination prefixes (as announced by the
interface facing WAN Port addresses assigned by ISP (Internet aforementioned routes) can also be reached over the VPN underlay
Service Providers) as the route for the Tunnel. natively without encryption. A more realistic approach to separate
IPsec SA management from client routes association with IPsec.
There is a suggestion on using a "Fake Route" for a SD-WAN node to There is a suggestion on using a "Fake Route" for a SD-WAN node to
use [Tunnel-Encap] to advertise its SD-WAN tunnel end-points use [Tunnel-Encap] to advertise its SD-WAN tunnel end-points
properties. However, using "Fake Route" can create deployment properties. However, using "Fake Route" can raise some design
complexity for large SD-WAN networks with many tunnels. For complexity for large SD-WAN networks with many tunnels. For
example, for a SD-WAN network with hundreds of nodes, with each example, for a SD-WAN network with hundreds of nodes, with each
node having many ports & many end-points to establish SD-WAN node having many ports & many end-points to establish SD-WAN
tunnels to their corresponding peers, the node would need many tunnels with their corresponding peers, the node would need as
"fake addresses". For large SD-WAN networks (such as has more than many "fake addresses". For large SD-WAN networks (such as those
10000 nodes), each node might need 10's thousands of "fake comprised of more than 10000 nodes), each node might need 10's
addresses", which is very difficult to manage and needs lots of thousands of "fake addresses", which is very difficult to manage
configuration to get the nodes provisioned. and needs lots of configuration to get the nodes provisioned.
- Does not have fields to carry detailed information of the remote - Does not have any field to carry detailed information about the
C-PE: such as Site-ID, System-ID, Port-ID remote C-PE, such as Site-ID, System-ID, Port-ID
- Does not have the proper field to express IPsec attributes among - Does not have any field to express IPsec attributes for the SD-WAN
the SD-WAN edge nodes to establish proper IPsec Security edge nodes to establish IPsec Security Associations with others.
Associations. - Does not have any proper way for two peer CPEs to negotiate IPsec
- Does not have proper way for two peer CPEs to negotiate IPSec
keys, based on the configuration sent by the Controller. keys, based on the configuration sent by the Controller.
- Does not have field to indicate the UDP NAT private address <-> - Does not have any field to indicate the UDP NAT private address
public address mapping <-> public address mapping
- C-PEs tend to communicate with a few other CPEs, not all the C-PEs - C-PEs tend to communicate with a subset of the other C-PEs, not
need to form mesh connections. Without any BGP extension, many all the C-PEs need to form mesh connections. Without any BGP
nodes can get dumped with too much information of other nodes that extension, many nodes can get dumped with too much information
they never need to communicate with. coming from other nodes that they never need to communicate with.
[VPN-over-Internet] describes a way to securely interconnect C-PEs [SECURE-L3VPN] describes how to extend the RFC4364 VPN to allow some
via IPsec using BGP. This method is useful, however, it still misses PEs to connect to other PEs via public networks. [SECURE-L3VPN]
some aspects to aggregate CPE-based VPN routes with internet routes introduces the concept of Red Interface & Black Interface on those
that interconnect the CPEs. In addition: PEs, where the RED interfaces are used to forward traffic into the
VPN, and the Black Interfaces are used between WAN ports over which
only IPsec-protected packets to the Internet or other backbone
network are sent thereby eliminating the need for MPLS transport in
the backbone.
- The draft does not have options of C-PE having both MPLS ports and [SECURE-L3VPN] assumes PEs terminate MPLS packets, and use MPLS over
Internet ports. IPsec when sending traffic through the Black Interfaces.
- The draft assumes that CPE "registers" with the RR. However, it does not
say how. It assumes that the remote CPEs are pre-configured with the
IPsec SA manually. In SD-WAN, Zero Touch Provisioning is expected. It is
not acceptable to require manual configuration.
- For RR communication with CPE, this draft only mentioned IPSec. Missing
TLS/DTLS.
- The draft assumes that CPEs and RR are connected with an IPsec tunnel.
With zero touch provisioning, we need an automatic way to synchronize
the IPsec SA between CPE and RR. The draft assumes:
A CPE must also be provisioned with whatever additional information
is needed in order to set up an IPsec SA with each of the red RRs
- IPsec requires periodic refreshment of the keys. The draft hasn't [SECURE-EVPN] describes a solution where point-to-multipoint BGP
addressed how to synchronize the refreshment among multiple nodes. signaling is used in the control plane for SDWAN Scenario #1. It
- IPsec usually only sends configuration parameters to two endpoints relies upon a BGP cluster design to facilitate the key and policy
and let the two endpoints negotiate the KEY. Now we assume that RR exchange among PE devices to create private pair-wise IPsec Security
is responsible for creating the KEY for all endpoints. When one Associations without IKEv2 point-to-point signaling or any other
endpoint is compromised, all other connections are impacted. direct peer-to-peer session establishment messages.
4.2. Gaps in preventing attacks from Internet facing ports Both [SECURE-L3VPN] and [SECURE-EVPN] are useful, however, they both
miss the aspects of aggregating VPN and Internet underlays. In
summary:
When C-PEs have ports facing Internet, it brings in the security - These documents do not address the scenario of C-PE having some
risks of potential DDoS attacks to the C-PEs from the ports facing ports facing VPN PEs and other ports facing the Internet.
internet. -
- The [SECURE-L3VPN] assumes that CPE "registers" with the RR.
However, it does not say how. It assumes that the remote CPEs are
pre-configured with the IPsec SA manually. In SD-WAN, Zero Touch
Provisioning is expected. Manual configuration is not an option,
given the dimensioning figures but also the purpose of SD-WAN to
automate configuration tasks.
- For RR communication with CPEs, this draft only mentions IPsec.
Missing TLS/DTLS.
- The draft assumes that CPEs and RR are connected with an IPsec
tunnel. With zero touch provisioning, we need an automatic way to
synchronize the IPsec SAs between CPE and RR. The draft assumes:
A CPE must also be provisioned with whatever additional
information is needed in order to set up an IPsec SA with
each of the red RRs
To mitigate security risks, in addition to requring Anti-DDoS - IPsec requires periodic refreshment of the keys. The draft does
features on C-PEs to prevent major DDoS attacks, it is necessary to not provide any information about how to synchronize the
have ways for C-PEs to validate traffic from remote peers to prevent refreshment among multiple nodes.
spoofed traffic. - IPsec usually sends configuration parameters to two endpoints only
and lets these endpoints negotiate the key. Let us assume that the
RR is responsible for creating the key for all endpoints: When one
endpoint is compromised, all other connections will be impacted.
4.2. Gaps in preventing attacks from Internet-facing ports
When C-PEs have Internet-facing ports, additional security risks are
raised.
To mitigate security risks, in addition to requiring Anti-DDoS
features on C-PEs, it is necessary for CPEs to support means to
determine whether traffic sent by remote peers is legitimate to
prevent spoofing attacks.
5. Gap analysis of CPEs not directly connected to VPN PEs 5. Gap analysis of CPEs not directly connected to VPN PEs
Because of the ephemeral property of the selected Cloud DCs, an Because of the ephemeral property of the selected Cloud DCs, an
enterprise or its network service provider may not have the direct enterprise or its network service provider may not have direct
links to the Cloud DCs that are optimal for hosting the enterprise's connections to the Cloud DCs that are used for hosting the
specific workloads/Apps. Under those circumstances, SD-WAN is a very enterprise's specific workloads/Apps. Under those circumstances, SD-
flexible choice to interconnect the enterprise on-premises data WAN is a very flexible choice to interconnect the enterprise on-
centers & branch offices to its desired Cloud DCs. premises data centers & branch offices to its desired Cloud DCs.
However, SD-WAN paths over public Internet can have unpredictable However, SD-WAN paths over public Internet can have unpredictable
performance, especially over long distances and across domains. performance, especially over long distances and across domains.
Therefore, it is highly desirable to place as much as possible the Therefore, it is highly desirable to place as much as possible the
portion of SD-WAN paths over service provider VPN (e.g., portion of SD-WAN paths over service provider VPN (e.g.,
enterprise's existing VPN) that have guaranteed SLA to minimize the enterprise's existing VPN) that have guaranteed SLA to minimize the
distance/segments over public Internet. distance/segments over public Internet.
MEF Cloud Service Architecture [MEF-Cloud] also describes a use case MEF Cloud Service Architecture [MEF-Cloud] also describes a use case
of network operators needing to use SD-WAN over LTE or public of network operators that use SD-WAN over LTE or the public
Internet for last mile accesses where they are not present. Internet for last mile access where the VPN providers cannot
necessarily provide the required physical infrastructure.
Under those scenarios, one or both of the SD-WAN endpoints may not Under those scenarios, one or two of the SD-WAN endpoints may not be
directly be attached to the PEs of a VPN Domain. directly attached to the PEs of a VPN Domain.
Using SD-WAN to connect the enterprise existing sites with the When using SD-WAN to connect the enterprise's existing sites with
workloads in Cloud DC, the enterprise existing sites' CPEs have to the workloads in Cloud DC, the corresponding CPEs have to be
be upgraded to support SD-WAN. If the workloads in Cloud DC need to upgraded to support SD-WAN. If the workloads in Cloud DCs need to
be connected to many sites, the upgrade process can be very be connected to many sites, the upgrade process can be very
expensive. expensive.
[Net2Cloud-Problem] describes a hybrid network approach that [Net2Cloud-Problem] describes a hybrid network approach that
integrates SD-WAN with traditional MPLS-based VPNs, to extend the integrates SD-WAN with traditional MPLS-based VPNs, to extend the
existing MPLS-based VPNs to the Cloud DC Workloads over the access existing MPLS-based VPNs to the Cloud DC Workloads over the access
paths that are not under the VPN provider control. To make it work paths that are not under the VPN provider's control. To make it work
properly, a small number of the PEs of the MPLS VPN can be properly, a small number of the PEs of the MPLS VPN can be
designated to connect to the remote workloads via SD-WAN secure designated to connect to the remote workloads via SD-WAN secure
IPsec tunnels. Those designated PEs are shown as fPE (floating PE IPsec tunnels. Those designated PEs are shown as fPE (floating PE
or smart PE) in Figure 3. Once the secure IPsec tunnels are or smart PE) in Figure 3. Once the secure IPsec tunnels are
established, the workloads in Cloud DC can be reached by the established, the workloads in Cloud DC can be reached by the
enterprise's VPN without upgrading all of the enterprise's existing enterprise's VPN without upgrading all of the enterprise's existing
CPEs. The only CPE that needs to support SD-WAN would be a CPEs. The only CPE that needs to support SD-WAN would be a
virtualized CPE instantiated within the cloud DC. virtualized CPE instantiated within the cloud DC.
+--------+ +--------+ +--------+ +--------+
skipping to change at page 11, line 39 skipping to change at page 12, line 7
| | | |
+---+----+ +---+----+ +---+----+ +---+----+
| Remote | | Remote | | Remote | | Remote |
| App-1 | | App-2 | | App-1 | | App-2 |
+--------+ +--------+ +--------+ +--------+
Figure 3: VPN Extension to Cloud DC Figure 3: VPN Extension to Cloud DC
In Figure 3, the optimal Cloud DC to host the workloads (due to In Figure 3, the optimal Cloud DC to host the workloads (due to
proximity, capacity, pricing, or other criteria chosen by the proximity, capacity, pricing, or other criteria chosen by the
enterprises) does not happen to have a direct connection to the PEs enterprises) does not have a direct connection to the PEs of the
of the MPLS VPN that interconnects the enterprise's existing sites. MPLS VPN that interconnects the enterprise's existing sites.
5.1. Gap Analysis of Floating PEs to connect to Remote CPEs 5.1. Gap Analysis of Floating PEs to connect to Remote CPEs
To extend MPLS VPNs to remote CPEs, it is necessary to establish To extend MPLS VPNs to remote CPEs, it is necessary to establish
secure tunnels (such as IPsec tunnels) between the Floating PEs and secure tunnels (such as IPsec tunnels) between the Floating PEs and
the remote CPEs. the remote CPEs.
Gap: Gap:
Even though a set of PEs can be manually selected to act as the Even though a set of PEs can be manually selected to act as the
floating PEs for a specific cloud data center, there are no standard floating PEs for a specific cloud data center, there are no standard
protocols for those PEs to interact with the remote CPEs (most protocols for those PEs to interact with the remote CPEs (most
likely virtualized) instantiated in the third party cloud data likely virtualized) instantiated in the third party cloud data
centers (such as exchanging performance or route information). centers (such as exchanging performance or route information).
When there is more than one fPE available for use (as there should When there is more than one fPE available for use (as there should
be for resiliency or the ability to support multiple cloud DCs be for resiliency or the ability to support multiple cloud DCs
scattered geographically), it is not straightforward to designate an geographically scattered), it is not straightforward to designate an
egress fPE to remote CPEs based on applications. There is too much egress fPE to remote CPEs based on applications. There is too much
applications' traffic traversing PEs, and it is not feasible for PEs applications' traffic traversing PEs, and it is not feasible for PEs
to recognize applications from the payload of packets. to recognize applications from the payload of packets.
5.2. NAT Traversal 5.2. NAT Traversal
Most cloud DCs only assign private addresses to the workloads Most cloud DCs only assign private addresses to the instantiated
instantiated. Therefore, traffic to/from the workload usually need workloads. Therefore, traffic to/from the workload usually needs to
to traverse NAT. traverse NATs.
A SD-WAN edge node can inquire STUN (Session Traversal of UDP A SD-WAN edge node can solicit a STUN (Session Traversal of UDP
Through Network Address Translation RFC 3489) Server to get the NAT Through Network Address Translation RFC 3489) Server to get the NAT
property, the public IP address and the Public Port number to pass property, the public IP address and the Public Port number to pass
to peers. to peers.
5.3. Complication of using BGP between PEs and remote CPEs via Internet 5.3. Complication of using BGP between PEs and remote CPEs via Internet
Even though an EBGP (external BGP) Multi-hop design can be used to Even though an EBGP (external BGP) Multi-hop design can be used to
connect peers that are not directly connected to each other, there connect peers that are not directly connected to each other, there
are still some complications/gaps in extending BGP from MPLS VPN PEs are still some complications/gaps in extending BGP from MPLS VPN PEs
to remote CPEs via any access paths (e.g., Internet). to remote CPEs via any access paths (e.g., Internet).
The path between the remote CPEs and VPN PE can traverse untrusted The path between the remote CPEs and VPN PE can traverse untrusted
nodes. nodes.
EBGP Multi-hop scheme requires static configuration on both peers. EBGP Multi-hop design requires static configuration on both peers.
To use EBGP between a PE and remote CPEs, the PE has to be manually To use EBGP between a PE and remote CPEs, the PE has to be manually
configured with the "next-hop" set to the IP addresses of the CPEs. configured with the "next-hop" set to the IP address of the CPEs.
When remote CPEs, especially remote virtualized CPEs are dynamically When remote CPEs, especially remote virtualized CPEs are dynamically
instantiated or removed, the configuration on the PE Multi-Hop EBGP instantiated or removed, the configuration of Multi-Hop EBGP on the
has to be changed accordingly. PE has to be changed accordingly.
Gap: Gap:
Egress peering engineering (EPE) is not enough. Running BGP on Egress peering engineering (EPE) is not enough. Running BGP on
virtualized CPEs in Cloud DC requires GRE tunnels being virtualized CPEs in Cloud DC requires GRE tunnels being
established first, which in turn requires address and key established first, which in turn requires address and key
management for the remote CPEs. RFC 7024 (Virtual Hub & Spoke) and management for the remote CPEs. RFC 7024 (Virtual Hub & Spoke) and
Hierarchical VPN is not enough. Hierarchical VPN is not enough.
Also there is a need for a method to automatically trigger Also there is a need for a mechanism to automatically trigger
configuration changes on PE when remote CPEs' are instantiated or configuration changes on PEs when remote CPEs' are instantiated or
moved (leading to an IP address change) or deleted. moved (leading to an IP address change) or deleted.
EBGP Multi-hop scheme does not have an embedded security EBGP Multi-hop design does not include a security mechanism by
mechanism. The PE and remote CPEs need secure communication default. The PE and remote CPEs need secure communication channels
channels when connecting via the public Internet. when connecting via the public Internet.
Remote CPEs, if instantiated in Cloud DC, might have to traverse NAT Remote CPEs, if instantiated in Cloud DCs, might have to traverse
to reach PE. It is not clear how BGP can be used between devices NATs to reach PE. It is not clear how BGP can be used between
outside the NAT and the entities behind the NAT. It is not clear how devices outside the NAT and the entities behind the NAT. It is not
to configure the Next Hop on the PEs to reach private IPv4 clear how to configure the Next Hop on the PEs to reach private IPv4
addresses. addresses.
5.4. Designated Forwarder to the remote edges 5.4. Designated Forwarder to the remote edges
Among multiple floating PEs available for a remote CPE, multicast Among the multiple floating PEs that are available for a remote CPE,
traffic from the remote CPE towards the MPLS VPN can be forwarded multicast traffic sent by the remote CPE towards the MPLS VPN can be
back to the remote CPE due to the PE receiving the multicast data forwarded back to the remote CPE due to the PE receiving the
frame forwarding the multicast/broadcast frame to other PEs that in multicast data frame forwarding the multicast/broadcast frame to
turn send to all attached CPEs. This process may cause traffic loop. other PEs that in turn send to all attached CPEs. This process may
cause traffic loops.
Therefore, it is necessary to designate one floating PE as the CPE's Therefore, it is necessary to designate one floating PE as the CPE's
Designated Forwarder, similar to TRILL's Appointed Forwarders Designated Forwarder, similar to TRILL's Appointed Forwarders
[RFC6325]. [RFC6325].
Gap: the MPLS VPN does not have features like TRILL's Appointed Gap: the MPLS VPN does not have features like TRILL's Appointed
Forwarders. Forwarders.
5.5. Traffic Path Management 5.5. Traffic Path Management
When there are multiple floating PEs that have established IPsec When there are multiple floating PEs that have established IPsec
tunnels to the remote CPE, the remote CPE can forward the outbound tunnels with the remote CPE, the remote CPE can forward outbound
traffic to the Designated Forwarder PE, which in turn forwards the traffic to the Designated Forwarder PE, which in turn forwards
traffic to egress PEs to the destinations. However, it is not traffic to egress PEs and then to the final destinations. However,
straightforward for the egress PE to send back the return traffic to it is not straightforward for the egress PE to send back the return
the Designated Forwarder PE. traffic to the Designated Forwarder PE.
Example of Return Path management using Figure 3 above. Example of Return Path management using Figure 3 above.
- fPE-1 is DF for communication between App-1 <-> Host-a due to - fPE-1 is DF for communication between App-1 <-> Host-a due to
latency, pricing or other criteria. latency, pricing or other criteria.
- fPE-2 is DF for communication between App-1 <-> Host-b. - fPE-2 is DF for communication between App-1 <-> Host-b.
6. Manageability Considerations 6. Manageability Considerations
Zero touch provisioning of SD-WAN edge nodes is expected in SD- Zero touch provisioning of SD-WAN edge nodes is expected in SD-WAN
WAN deployment. It is necessary for a newly powered up SD-WAN deployment. It is necessary for a newly powered up SD-WAN edge
edges to establish a secure connection (such as TLS, DTLS, etc.) node to establish a secure connection (by means of TLS, DTLS,
to its controller. etc.) with its controller.
7. Security Considerations 7. Security Considerations
The intention of this draft is to identify the gaps in current and The intention of this draft is to identify the gaps in current and
proposed SD-WAN approaches that can address requirements proposed SD-WAN approaches that can address requirements
identified in [Net2Cloud-problem]. identified in [Net2Cloud-problem].
Several of these approaches have gaps in meeting enterprise Several of these approaches have gaps in meeting enterprise
security requirements when tunneling their traffic over the security requirements when tunneling their traffic over the
Internet, as is the general intention of SD-WAN. See the Internet, since this is the purpose of SD-WAN. See the individual
individual sections above for further discussion of these security sections above for further discussion of these security gaps.
gaps.
8. IANA Considerations 8. IANA Considerations
This document requires no IANA actions. RFC Editor: Please remove This document requires no IANA actions. RFC Editor: Please remove
this section before publication. this section before publication.
9. References 9. References
9.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
9.2. Informative References 9.2. Informative References
[RFC8192] S. Hares, et al, "Interface to Network Security Functions [RFC8192] S. Hares, et al, "Interface to Network Security Functions
(I2NSF) Problem Statement and Use Cases", July 2017 (I2NSF) Problem Statement and Use Cases", July 2017
skipping to change at page 15, line 18 skipping to change at page 15, line 31
9.2. Informative References 9.2. Informative References
[RFC8192] S. Hares, et al, "Interface to Network Security Functions [RFC8192] S. Hares, et al, "Interface to Network Security Functions
(I2NSF) Problem Statement and Use Cases", July 2017 (I2NSF) Problem Statement and Use Cases", July 2017
[RFC5521] P. Mohapatra, E. Rosen, "The BGP Encapsulation Subsequent [RFC5521] P. Mohapatra, E. Rosen, "The BGP Encapsulation Subsequent
Address Family Identifier (SAFI) and the BGP Tunnel Address Family Identifier (SAFI) and the BGP Tunnel
Encapsulation Attribute", April 2009. Encapsulation Attribute", April 2009.
[BGP-SDWAN-EXT]L. Dunbar, "BGP Extension for SDWAN Overlay [BGP-SDWAN-PORT]L. Dunbar, et al, "Subsequent Address Family
Networks", draft-dunbar-idr-bgp-sdwan-overlay-ext-00, Oct Indicator for SDWAN Ports", draft-dunbar-idr-sdwan-port-
2018. safi-00, Work-in-progress, March 2019.
[BGP-SDWAN-Usage] L. Dunbar, et al, "Framework of Using BGP for [BGP-SDWAN-Usage] L. Dunbar, et al, "Framework of Using BGP for
SDWAN Overlay Networks", draft-dunbar-idr-sdwan-framework- SDWAN Overlay Networks", draft-dunbar-idr-sdwan-framework-
00, work-in-progress, Feb 2019. 00, work-in-progress, Feb 2019.
[Tunnel-Encap]E. Rosen, et al, "The BGP Tunnel Encapsulation [Tunnel-Encap]E. Rosen, et al, "The BGP Tunnel Encapsulation
Attribute", draft-ietf-idr-tunnel-encaps-10, July 2018. Attribute", draft-ietf-idr-tunnel-encaps-10, July 2018.
[VPN-over-Internet] E. Rosen, "Provide Secure Layer L3VPNs over [SECURE-L3VPN] E. Rosen, "Provide Secure Layer L3VPNs over Public
Public Infrastructure", draft-rosen-bess-secure-l3vpn-00, Infrastructure", draft-rosen-bess-secure-l3vpn-00, work-
work-in-progress, July 2018 in-progress, July 2018
[DMVPN] Dynamic Multi-point VPN: [DMVPN] Dynamic Multi-point VPN:
https://www.cisco.com/c/en/us/products/security/dynamic- https://www.cisco.com/c/en/us/products/security/dynamic-
multipoint-vpn-dmvpn/index.html multipoint-vpn-dmvpn/index.html
[DSVPN] Dynamic Smart VPN: [DSVPN] Dynamic Smart VPN:
http://forum.huawei.com/enterprise/en/thread-390771-1- http://forum.huawei.com/enterprise/en/thread-390771-1-
1.html 1.html
[ITU-T-X1036] ITU-T Recommendation X.1036, "Framework for creation, [ITU-T-X1036] ITU-T Recommendation X.1036, "Framework for creation,
 End of changes. 66 change blocks. 
267 lines changed or deleted 274 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/