Re: [dhcwg] Mirja Kühlewind's No Objection on draft-ietf-dhc-dhcpv6-failover-protocol-04: (with COMMENT)

"Mirja Kuehlewind (IETF)" <> Thu, 02 February 2017 17:08 UTC

To: kkinnear <>
Cc:,, Bernie Volz <>,, The IESG <>

Hi Kim,

Thanks for your reply. See below.

> Am 02.02.2017 um 17:25 schrieb kkinnear <>:
> Mirja,
> Thanks for your review.
> I'll respond to your questions directly, indented, below...
>> On Feb 2, 2017, at 9:44 AM, Mirja Kuehlewind <> wrote:
>> Mirja Kühlewind has entered the following ballot position for
>> draft-ietf-dhc-dhcpv6-failover-protocol-04: No Objection
>> ----------------------------------------------------------------------
>> ----------------------------------------------------------------------
>> A few questions that are not fully clear to me and maybe need some
>> additional explanation in the draft (or maybe it's just me...):
>> - It's not fully clear to me when a TCP connection is opened or closed.
>> Are the two servers supposed to have one long-lived connection? And if
>> that connection is terminated for any reason, should the primary server
>> try to re-open immediately? And if a (new) connection is (re-)open do I
>> always need to send a CONNECT first, or only if I didn't have any
>> connection with this server before? And if the secondary server goes down
>> and comes up in RECOVER state (sec 8.5.1.), should it open a TCP
>> connection to the primary server, or will always the primary server be
>> the one that opens the connection (and if so when will it do it)?
> 	I would have thought that this was spelled out, but as I look
> 	at the draft I see that it isn't all that explicit.  While I
> 	could answer your questions directly, let me instead offer a
> 	new paragraph which tries to answer these questions for not
> 	just you but other readers of the document:
> 6.  Connection Management
>   Communication between failover partners takes place over a
>   long-lived TCP connection.  This connection is always initiated by
>   the primary server, and if the long-lived connection is lost it is
>   the responsibility of the primary server to attempt to reconnect to
>   the secondary server.  The detailed process used by the primary
>   server when initiating a connection, and by the secondary server
>   when responding to a connection attempt, is documented in
>   Section 6.1 and is followed each time a connection is established,
>   regardless of any previous connection between the failover
>   partners.
Thanks, that’s great!
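As a hypothetical illustration of the paragraph above (my sketch, not text from the draft), the primary's reconnect responsibility might look like the following; the retry/backoff values are assumptions, and `run_session` stands in for the Section 6.1 CONNECT exchange and subsequent message flow:

```python
import socket
import time

def backoff_delays(base=10, cap=300):
    """Yield retry delays in seconds: 10, 20, 40, ... capped at 300."""
    delay = base
    while True:
        yield delay
        delay = min(delay * 2, cap)

def primary_connection_loop(secondary_addr, run_session):
    """Maintain the single long-lived TCP connection to the secondary.

    Only the primary initiates; if the connection is lost, the primary
    reconnects, and the full connection setup (CONNECT exchange) is
    repeated on every new connection, regardless of history.
    """
    delays = backoff_delays()
    while True:
        try:
            with socket.create_connection(secondary_addr) as conn:
                delays = backoff_delays()  # reset backoff after a success
                run_session(conn)          # CONNECT exchange, then normal flow
        except OSError:
            pass                           # lost or refused; try again
        time.sleep(next(delays))
```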

> 6.1.  Creating Connections
>> - Also not really clear to me is why OPTION_F_MAX_UNACKED_BNDUPD  is
>> needed and how the server should know the right value. I guess you would
>> want to calculate this based on the send buffer, however, not all message
>> have the same size and as such I don't know how to calculate that. And is
>> that really needed? If messages will not be accepted by the receiver-side
>> server, the receive window will be zero and the socket on the sending
>> side will be blocked; no additional message can be sent. What will be
>> different if the sender knows in advance when it could potentially happen
>> (but also might not if the other end processes the messages quickly and
>> there is no excessive loss).
> 	The intent here is to keep the TCP connection unblocked, so
> 	that information can flow in both directions.  If one
> 	direction is maxed out, it shouldn't keep information from
> 	flowing in the other direction.  At a TCP level it won't, but
> 	at an application level it will.  Much of the failover
> 	information flow involves one server sending a BNDUPD and then
> 	the partner sends a BNDREPLY.  If one server sends more
> 	BNDUPD's than the other server can absorb, the TCP connection
> 	will block.  This will mean that any BNDREPLY's from the
> 	server that sent the BNDUPD's will also be blocked.  Ideally,
> 	the BNDUPD->BNDREPLY flow from each server to the other would
> 	be independent, and the OPTION_F_MAX_UNACKED_BNDUPD count is
> 	designed to help that be true.
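To make that application-level flow control concrete, here is a hypothetical sender-side sketch (class and method names are mine, not the draft's) of a window bounded by the partner's advertised OPTION_F_MAX_UNACKED_BNDUPD value:

```python
class BndUpdWindow:
    """Application-level flow control for outstanding BNDUPD messages.

    max_unacked is the partner's OPTION_F_MAX_UNACKED_BNDUPD value: the
    number of BNDUPDs it is willing to accept before replying. Staying
    under this limit keeps the single TCP connection unblocked so that
    BNDREPLYs and control messages (STATE, DISCONNECT, UPDDONE) can
    still flow in both directions.
    """

    def __init__(self, max_unacked):
        self.max_unacked = max_unacked
        self.outstanding = 0   # BNDUPDs sent but not yet acknowledged
        self.queue = []        # BNDUPDs held back for window space

    def send(self, bndupd, transmit):
        if self.outstanding < self.max_unacked:
            self.outstanding += 1
            transmit(bndupd)
        else:
            self.queue.append(bndupd)  # hold back rather than block TCP

    def on_bndreply(self, transmit):
        self.outstanding -= 1
        if self.queue:                 # window space freed: send next
            self.outstanding += 1
            transmit(self.queue.pop(0))
```

With `max_unacked = 1` this degenerates to strict BNDUPD/BNDREPLY alternation (stop-and-wait).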

So you mean this is purely an application-level parameter saying "I will not accept more than X messages at once (before sending out a BNDREPLY)". It is therefore rather independent of any socket buffer configuration, except that the buffer needs to be large enough to hold at least X maximum-size messages, which may be worth noting as well.

However, this means the sender anyway needs a way to queue BNDUPD messages that it is not yet allowed to send. Why not implicitly fix this value at 1 and say you can't send another BNDUPD while a BNDREPLY is still outstanding? I would guess it's rather unlikely that you need to send more than one message at once, no?

> 	Additionally, there are messages other than BNDUPD/BNDREPLY
> 	(e.g. STATE, DISCONNECT, UPDDONE) that are important to
> 	transmit from one server to the other and not have backed up
> 	behind a blocked TCP connection that has been overloaded with
> 	BNDUPD's for the partner to process.
> 	We could have created a separate TCP connection for these
> 	control messages, but the overhead of doing that (and
> 	specifying that) was great enough that it seemed like using
> 	the application-level flow control of the
> 	OPTION_F_MAX_UNACKED_BNDUPD was a good tradeoff.

I would actually say that the overhead is rather low. Maybe the draft should discuss this option at least as one potential implementation approach. The only hard requirement is that the receiver be able to process messages arriving on different connections from the same endpoint, which I assume is easy given that you already have to handle connections from different endpoints, no?
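One hypothetical way the receiver could tell such connections apart (assuming, purely for illustration, a channel option carried in the opening CONNECT message; no such option exists in the draft) is to dispatch on it the same way connections from different partners are already dispatched:

```python
def dispatch_connection(connect_options, handlers):
    """Pick a handler for an inbound connection from a known partner.

    connect_options: options from the (hypothetical) opening CONNECT
    message; a missing "channel" option defaults to the bulk
    BNDUPD/BNDREPLY channel, so a partner that never opens a second
    control connection behaves exactly as today.
    """
    channel = connect_options.get("channel", "bulk")
    return handlers[channel]
```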


> Thanks again for your review!
> Kim