Re: [auth48] AUTH48: RFC-to-be 9494 <draft-ietf-idr-long-lived-gr-06> for your review

[John Scudder <jgs@juniper.net>]

Hi Bruno and all,

My comments are in line. I agree with most of Bruno’s suggestions, but not all. Following this email I’ll send my edited version of the XML (that doesn’t include anything with respect to this reply).

> On Oct 3, 2023, at 12:06 PM, bruno.decraene@orange.com wrote:
> 
> Hi RFC Editor, _John_
> 
> Thanks for the updated draft.
> 
> I've read the diff and don't have comments.
> I have read the whole document and don't have firm request for change.
> 
> 
> I may have some weak suggestions below, so only to be retained if someone else support them.(e.g., John 😉 )
> 
> John, I apologize for some late comments.
> 
> ----
> §5.2
> Although this document has a single Figure, I generally find useful for Figures to have a reference. So my suggestion would be to add a reference (e.g., Figure 1)

OK by me.

> 
> -----
> §3.1 says  "This [LLGR] capability MUST be advertised in conjunction with the Graceful Restart capability ;"
> §4.1 says "The Graceful Restart capability MUST be advertised in conjunction with the LLGR capability." (i.e., the other way around)
> 
> I'm not sure whether "conjunction" is "bijective" or not.
> - If not, both sentences would not mean the same thing.
> - if yes, I don't think that this is exactly what we mean.
> 
> What we mean, in very simple terms, is: If the LLGR capability is sent, then the GR capability MUST be sent.
> But we don't want to imply the other way around. (Since this RFC does not update RFC4724, I don't think that someone could understand it wrongly)
> 
> I'll leave anyone else to suggest text. (or just drop the comment as being paranoiac)

I think you’re right.

> 
> ---
> §4.1
> 
> OLD: We observe that, if support for conventional Graceful Restart is not
>   desired for the session, the conventional GR phase can be skipped by
>   omitting all AFIs/SAFIs from the GR capability, advertising a Restart
>   Time of zero, or both.
> 
> NEW:
> We observe that, if support for conventional Graceful Restart is not
>   desired for the session, the conventional GR phase can be skipped by
>   omitting all AFIs/SAFIs from the GR capability, _or_ advertising a Restart
>   Time of zero, or both.
> 
> (adding "or" before " advertising a Restart Time of zero")
> Totally up to you. An explicit "or" would typically be required in French to distinguish from an implicit "and". May be "or" is implicit in English.

Doesn’t seem necessary but I leave it to the pros to decide. 

> 
> ---
> 
> 
> §4.2
> 
> " Similar to [RFC4724], once the session is re-established, if the F
>   bit for a specific address family is not set in the newly received
>   LLGR Capability, or if a specific address family is not included in
>   the newly received LLGR Capability or if the LLGR and accompanying GR
>   Capability are not received in the re-established session at all,
>   then the Helper MUST immediately remove all the stale routes from the
>   peer that it is retaining for that address family."
> 
> My reading is that the above sentence could be read as changing RFC4724 by saying that if a specific address family is not included in the newly received LLGR Capability then the Helper MUST immediately remove all the [GR] stale routes, including during the GR "Restart Time".
> 
> I would suggest the minimal change below
> OLD: once the session is re-established
> NEW: once the session is re-established after the duration of the "Restart Time"

Agreed on the principle. For example, the new GR cap might advertise a given AFI/SAFI with nonzero restart time, and the LLGR cap might not advertise that AFi/SAFI at all… which elsewhere we say is an implicit LLGR time. So yeah, in that case it should only be policed once the LLGR phase is initiated.

A little concerned that the proposed wording might not be clear, but let’s see it in context and we can re-review. 

> 
> ------
> §4.2
> 
> "  While the session is down, the expiration of a "Long-lived Stale
>   Time" timer is treated analogously to the expiration of the "Restart
>   Time" timer in Graceful Restart"
> 
> I would suggest
> OLD: the expiration of the "Restart Time" timer in Graceful Restart
> NEW: the expiration of the "Restart Time" timer in [RFC 4724]

WFM.

> 
> Because "the expiration of the "Restart Time" timer in Graceful Restart" could be read as the new behavior defined in this section, with text starting with " Once the "Restart Time" period ends (including the case in which the "Restart Time" is zero), the LLGR period is said to have begun and  the following procedures MUST be performed"
> 
> ----
> §4.3
> 
> " A BGP speaker that has advertised the "Long-lived Graceful Restart
>   Capability" to a neighbor MUST perform the following upon receiving a
>   route from that neighbor with the "LLGR_STALE" community"
> 
> Possibly
> OLD: advertised the "Long-lived Graceful Restart Capability" to a neighbor
> NEW: exchanged the "Long-lived Graceful Restart Capability" with a neighbor
> 
> Reason: if the LLGR capability is not received from the neighbor, possibly than neighbor does not support LLGR and hence was not the one setting the "LLGR_STALE" community. This seems to open the possibility of a (possibly distant) attacker to influence routing on the receiver.

I don’t think we should make this change, I think it would be a change to the design. If I remember right, it’s intentional that it should work as you state. It’s been a while, so maybe I’m wrong… but in Section 4.6 we have,

   Ideally, all routers in an Autonomous System (AS) would support this
   specification before it were enabled.  However, to facilitate
   incremental deployment, stale routes MAY be advertised to neighbors
   that have not advertised the Long-lived Graceful Restart Capability
   under the following conditions:

> 
> ---
> §4.6
> 
> "If this strategy for partial deployment is used, the network operator
>   should set the LOCAL_PREF to zero for all long-lived stale routes
>   throughout the Autonomous System.  This trades off a small reduction
>   in flexibility (ordering may not be preserved between competing long-
>   lived stale routes) for consistency between routers that do, and do
>   not, support this specification.  Since the consistency of route
>   selection can be important for preventing forwarding loops, the
>   latter consideration dominates."
> 
> John, the above text seems to indicate that the whole AS should use LOCAL_PREF zero rather than honoring "LLGR_STALE" community. This seems to call for §4.6 to also ask to remove the "LLGR_STALE" community. (otherwise a downstream BGP speaker compliant with LLGR would react on this community.

This argument and the previous one may well be meritorious. But, a change like you suggest would be normative and significant, requiring both another trip through the WG and (more concerning to me) a respin of implementations that have been in the field for quite a long time now. If you think it’s very important, of course, “better late than never” applies to fixing serious protocol errors. But my first reaction is that this isn’t a serious error, just a design choice that we might have wanted to reconsider had we discussed it earlier, and we should leave the design as it stands.

> 
> ---
> §5.2
> Minor comment as this is part of an example.
> OLD: Routers A and D are AS border routers, each advertising some route, R, into the AS
> NEW: Routers A and D are AS border routers, each advertising some route, R, with same preference, into the AS

Fine by me, although s/with same preference/with the same preference/ and then we also have to ask if we should use “preference” which is ambiguous, or LOCAL_PREF which is more ponderous but also more precise. 

> 
> ---
> §5.2
> " Since different routers within an AS might have different notions as
>   to whether their respective sessions with a given peer are up or
>   down, they might apply different selection criteria to routes from
>   that peer."
> 
> Agreed.
> Another case if when a BGP receiver change the timers received in the LLGR capability (and we called for them to be modifiable). Do we want to also raise that case? (I'm not asking for. Raising the point just in case )

It’s a good point but I think we can let it go — it’s not an error in the spec, just something we could have added if we had thought of it in time.

—John

> 
> Thanks,
> Regards,
> --Bruno
> 
> 
> Orange Restricted
> 
> -----Original Message-----
> From: rfc-editor@rfc-editor.org <rfc-editor@rfc-editor.org>
> Sent: Monday, October 2, 2023 9:40 PM
> To: juttaro@ieee.org; enchen@paloaltonetworks.com; DECRAENE Bruno INNOV/NET <bruno.decraene@orange.com>; jgs@juniper.net
> Cc: rfc-editor@rfc-editor.org; idr-ads@ietf.org; idr-chairs@ietf.org; jhaas@juniper.net; andrew-ietf@liquid.tech; auth48archive@rfc-editor.org
> Subject: AUTH48: RFC-to-be 9494 <draft-ietf-idr-long-lived-gr-06> for your review
> 
> *****IMPORTANT*****
> 
> Updated 2023/10/02
> 
> RFC Author(s):
> --------------
> 
> Instructions for Completing AUTH48
> 
> Your document has now entered AUTH48.  Once it has been reviewed and approved by you and all coauthors, it will be published as an RFC.
> If an author is no longer available, there are several remedies available as listed in the FAQ (https://urldefense.com/v3/__https://www.rfc-editor.org/faq/__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQtzoR9vM$ ).
> 
> You and you coauthors are responsible for engaging other parties (e.g., Contributors or Working Group) as necessary before providing your approval.
> 
> Planning your review
> ---------------------
> 
> Please review the following aspects of your document:
> 
> *  RFC Editor questions
> 
>   Please review and resolve any questions raised by the RFC Editor
>   that have been included in the XML file as comments marked as
>   follows:
> 
>   <!-- [rfced] ... -->
> 
>   These questions will also be sent in a subsequent email.
> 
> *  Changes submitted by coauthors
> 
>   Please ensure that you review any changes submitted by your
>   coauthors.  We assume that if you do not speak up that you
>   agree to changes submitted by your coauthors.
> 
> *  Content
> 
>   Please review the full content of the document, as this cannot
>   change once the RFC is published.  Please pay particular attention to:
>   - IANA considerations updates (if applicable)
>   - contact information
>   - references
> 
> *  Copyright notices and legends
> 
>   Please review the copyright notice and legends as defined in
>   RFC 5378 and the Trust Legal Provisions
>   (TLP – https://urldefense.com/v3/__https://trustee.ietf.org/license-info/__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQ5NkLorc$ ).
> 
> *  Semantic markup
> 
>   Please review the markup in the XML file to ensure that elements of
>   content are correctly tagged.  For example, ensure that <sourcecode>
>   and <artwork> are set correctly.  See details at
>   <https://urldefense.com/v3/__https://authors.ietf.org/rfcxml-vocabulary__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQnnu17-c$ >.
> 
> *  Formatted output
> 
>   Please review the PDF, HTML, and TXT files to ensure that the
>   formatted output, as generated from the markup in the XML file, is
>   reasonable.  Please note that the TXT will have formatting
>   limitations compared to the PDF and HTML.
> 
> 
> Submitting changes
> ------------------
> 
> To submit changes, please reply to this email using ‘REPLY ALL’ as all the parties CCed on this message need to see your changes. The parties
> include:
> 
>   *  your coauthors
> 
>   *  rfc-editor@rfc-editor.org (the RPC team)
> 
>   *  other document participants, depending on the stream (e.g.,
>      IETF Stream participants are your working group chairs, the
>      responsible ADs, and the document shepherd).
> 
>   *  auth48archive@rfc-editor.org, which is a new archival mailing list
>      to preserve AUTH48 conversations; it is not an active discussion
>      list:
> 
>     *  More info:
>        https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQ-aFlTyo$
> 
>     *  The archive itself:
>        https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/browse/auth48archive/__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQVE5hoq4$
> 
>     *  Note: If only absolutely necessary, you may temporarily opt out
>        of the archiving of messages (e.g., to discuss a sensitive matter).
>        If needed, please add a note at the top of the message that you
>        have dropped the address. When the discussion is concluded,
>        auth48archive@rfc-editor.org will be re-added to the CC list and
>        its addition will be noted at the top of the message.
> 
> You may submit your changes in one of two ways:
> 
> An update to the provided XML file
> — OR —
> An explicit list of changes in this format
> 
> Section # (or indicate Global)
> 
> OLD:
> old text
> 
> NEW:
> new text
> 
> You do not need to reply with both an updated XML file and an explicit list of changes, as either form is sufficient.
> 
> We will ask a stream manager to review and approve any changes that seem beyond editorial in nature, e.g., addition of new text, deletion of text, and technical changes.  Information about stream managers can be found in the FAQ.  Editorial changes do not require approval from a stream manager.
> 
> 
> Approving for publication
> --------------------------
> 
> To approve your RFC for publication, please reply to this email stating that you approve this RFC for publication.  Please use ‘REPLY ALL’, as all the parties CCed on this message need to see your approval.
> 
> 
> Files
> -----
> 
> The files are available here:
>   https://urldefense.com/v3/__https://www.rfc-editor.org/authors/rfc9494.xml__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQ3q87kds$
>   https://urldefense.com/v3/__https://www.rfc-editor.org/authors/rfc9494.html__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQ7baiIsA$
>   https://urldefense.com/v3/__https://www.rfc-editor.org/authors/rfc9494.pdf__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQuSKcnyc$
>   https://urldefense.com/v3/__https://www.rfc-editor.org/authors/rfc9494.txt__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQRyhV5Js$
> 
> Diff file of the text:
>   https://urldefense.com/v3/__https://www.rfc-editor.org/authors/rfc9494-diff.html__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQTRMZd_0$
>   https://urldefense.com/v3/__https://www.rfc-editor.org/authors/rfc9494-rfcdiff.html__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQj1NXPL0$  (side by side)
> 
> For your convenience, we have also created an alt-diff file that will allow you to more easily view changes where text has been deleted or
> moved:
>   https://urldefense.com/v3/__http://www.rfc-editor.org/authors/rfc9494-alt-diff.html__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQrGQUWro$
> 
> Diff of the XML:
>   https://urldefense.com/v3/__https://www.rfc-editor.org/authors/rfc9494-xmldiff1.html__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQzQ7ANvk$
> 
> The following files are provided to facilitate creation of your own diff files of the XML.
> 
> Initial XMLv3 created using XMLv2 as input:
>   https://urldefense.com/v3/__https://www.rfc-editor.org/authors/rfc9494.original.v2v3.xml__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQFSpLeHA$
> 
> XMLv3 file that is a best effort to capture v3-related format updates
> only:
>   https://urldefense.com/v3/__https://www.rfc-editor.org/authors/rfc9494.form.xml__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQspdLPMQ$
> 
> 
> Tracking progress
> -----------------
> 
> The details of the AUTH48 status of your document are here:
>   https://urldefense.com/v3/__https://www.rfc-editor.org/auth48/rfc9494__;!!NEt6yMaO-gk!HOtjEsdhsHdRC4bu4E97keM0CgAviUnuB2bt04VMbik8Im9-R-eh5DcDB8BA3n6BnktWJ8k8Jcg7koXQqMer0TU$
> 
> Please let us know if you have any questions.
> 
> Thank you for your cooperation,
> 
> RFC Editor
> 
> --------------------------------------
> RFC9494 (draft-ietf-idr-long-lived-gr-06)
> 
> Title            : Support for Long-lived BGP Graceful Restart
> Author(s)        : J. Uttaro, E. Chen, B. Decraene, J. Scudder
> WG Chair(s)      : Susan Hares, Keyur Patel, Jeffrey Haas
> 
> Area Director(s) : Alvaro Retana, John Scudder, Andrew Alston
> 
> ____________________________________________________________________________________________________________
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
> 
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.