NVO3 participants,

This draft proposes to extend GENEVE to get SD-WAN traffic (IPsec encrypted) across the Cloud backbone without Cloud GWs decrypting the traffic: https://datatracker.ietf.org/doc/draft-dmk-rtgwg-multisegment-sdwan/

The traffic between the CPEs is encrypted by the IPsec SAs maintained by the CPEs. As the traffic from the enterprise's CPEs doesn't terminate within the Cloud DCs, the goal is to eliminate the decryption and re-encryption processing burden on Cloud GWs for the IPsec encrypted traffic from one CPE via Cloud GWs to another. For Cloud GWs to differentiate the packets destined towards their internal hosts/services, which require decryption, from transit packets to be forwarded to the respective destination branch CPEs, proper marking is needed in the packets' header. As the GENEVE Encapsulation [RFC8926] is supported by most Cloud Service Providers, GENEVE is chosen as the encapsulation header for Cloud GWs to steer IPsec encrypted packets among CPEs without decryption.

We would like to get feedback from the NVO3 group about the proposed method.

Thank you very much!
Linda
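As an added example (not from the draft or the post above), the following builds and parses a GENEVE header per RFC 8926 and shows how a Cloud GW could classify a packet as "forward without decrypting" versus "decrypt locally" based on a transit-marking option. The option class 0xFF01 and type 0x01 are placeholders from the experimental range; the draft's actual marking values are not given on this page.

```python
import struct

# Placeholder marking values (assumption): the draft's real option class/type are not on this page.
TRANSIT_OPT_CLASS = 0xFF01   # experimental-use option class range per RFC 8926
TRANSIT_OPT_TYPE = 0x01      # meaning "IPsec transit between CPEs, do not decrypt here"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ESP = 50

def build_geneve(vni: int, payload: bytes, transit: bool) -> bytes:
    """Build a GENEVE header (Ver=0) with an optional zero-length transit-marking TLV."""
    opts = b""
    if transit:
        # Option TLV: class(16) | type(8) | rsvd(3)+length(5, in 4-byte words)
        opts = struct.pack("!HBB", TRANSIT_OPT_CLASS, TRANSIT_OPT_TYPE, 0)
    first = (0 << 6) | (len(opts) // 4)          # Ver=0, Opt Len in 4-byte words
    base = struct.pack("!BBH", first, 0, ETHERTYPE_IPV4) + struct.pack("!I", vni << 8)
    return base + opts + payload

def parse_geneve(pkt: bytes) -> dict:
    """Parse the fixed header and option TLVs; returns protocol, VNI, options, payload."""
    first, _flags, proto = struct.unpack("!BBH", pkt[:4])
    if first >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_end = 8 + (first & 0x3F) * 4
    vni = struct.unpack("!I", pkt[4:8])[0] >> 8
    options, off = [], 8
    while off < opt_end:
        cls, typ, lenb = struct.unpack("!HBB", pkt[off:off + 4])
        dlen = (lenb & 0x1F) * 4
        options.append((cls, typ, pkt[off + 4:off + 4 + dlen]))
        off += 4 + dlen
    return {"proto": proto, "vni": vni, "options": options, "payload": pkt[opt_end:]}

def classify(pkt: bytes) -> str:
    """GW decision: honor the transit mark only when the inner packet really is IPv4/ESP."""
    g = parse_geneve(pkt)
    marked = any(c == TRANSIT_OPT_CLASS and t == TRANSIT_OPT_TYPE for c, t, _ in g["options"])
    inner = g["payload"]
    inner_is_esp = g["proto"] == ETHERTYPE_IPV4 and len(inner) >= 20 and inner[9] == IPPROTO_ESP
    return "forward" if marked and inner_is_esp else "decrypt"

def sample_inner(proto: int) -> bytes:
    """Constructed minimal IPv4 header (no options) with the given protocol, plus 8 payload bytes."""
    total_len = 20 + 8
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))
    return ipv4 + b"\x00" * 8
```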
_______________________________________________ nvo3 mailing list nvo3@ietf.org https://www.ietf.org/mailman/listinfo/nvo3