Re: [Idr] AD Review of draft-ietf-idr-bgp-gr-notification-13

[<bruno.decraene@orange.com>]

Hi John,

Thank you for the updated draft.
In general -14 looks good to me, but I have 2 comments below, and more inline [Bruno] in your email.

1)
In case of Hard Reset “encapsulating” another notification, I had a comment about which Error (sub)Code is to be indicated to the network operator (e.g. in Yang, SNMP, Syslog…) I’m not seeing an answer nor clarification in the draft. (I’m not sure there is a good answer, but I’d prefer a consistent answer from all implementations)


2)
Following the change introduced, I wish that the meaning of the N bit were slightly clarified: does it enable/disable the gr-notification capability for the subsequent/future event (à la BGP capability) or for the past one (à la GR "F" bit)? More below

§2:
"   If a BGP speaker which previously advertised the "N" bit opens a new
   session without advertising that bit, normal BGP Graceful Restart
   procedures documented in [RFC4724] apply."

FYI when first reading this new sentence, I have been wondering whether this was meant as aborting the gr-notification procedures underway (a la "F" bit). Then I tough probably not. If so may be :s/apply/will apply      (or apply from this Open till the next Open; or will apply for subsequent Notification). But really up to you.

But then section 4.1 is changed with the addition of
"The sentence "To deal with possible consecutive restarts, a route
   (from the peer) previously marked as stale MUST be deleted" only
   applies when the "N" bit has not been exchanged with the peer:"

Which may be understood as saying that not sending the N bit will result in aborting the gr-notification procedure.

Especially given that §4 says
"   When such a BGP speaker has received the "N" bit from its peer, and
   receives from that peer a BGP NOTIFICATION message other than a Hard
   Reset, it MUST follow the rules for the Receiving Speaker mentioned
   in Section 4.1."

While section 4.1 only explicitly covers "detects termination of the TCP session for a BGP session" which may be understood as only TCP “issues” and not the termination of the BGP session following the reception of a Notification.



From: John G. Scudder [mailto:jgs@juniper.net]
Sent: Friday, April 06, 2018 5:16 PM
To: DECRAENE Bruno IMT/OLN
Cc: idr-chairs@ietf.org; draft-ietf-idr-bgp-gr-notification@ietf.org; idr@ietf. org; Alvaro Retana
Subject: Re: [Idr] AD Review of draft-ietf-idr-bgp-gr-notification-13

Hi Bruno,

I've just posted a -14 which I believe addresses all comments so far (yours and Alvaro's) other than this one, for which some discussion below.

On Apr 6, 2018, at 4:57 AM, bruno.decraene@orange.com<mailto:bruno.decraene@orange.com> wrote:

Hi John,

Sorry to turn this thread into a general call for comment while the document is post WGLC…

Better now than when it gets to IETF Last Call.

When:
1)     a BGP session is established (OPEN1)
2)     then GR or draft-ietf-idr-bgp-gr-notification triggers a new BGP open (OPEN2)
3)     this BGP OPEN2 triggers a Notification OPEN Message Error
4)     draft-ietf-idr-bgp-gr-notification is used to handle this Notification using GR

It’s not crystal clear to me whether the BGP speakers should behave (in term of OPEN capability/parameters) as per OPEN1 or as per OPEN2.
Indeed, OPEN2 is the latest but was erroneous and explicitly refused.
Then again, the answer may be subcode specific… (with “Unacceptable Hold Time” it’s unlikely to accept the (Hold Time) parameter(s) from OPEN2).

I think if the OPEN2 still exchanges the "N" bit it's already sufficiently specified, or maybe the point is moot.

[Bruno] To be more specific, at step “4”, does the BGP speaker uses the GR parameters such as “Restart Time”, “GR AFI/SAFI” from OPEN1 or OPEN2? Same question for the “Forwarding State (F) » bits. Same question for parameters in LLGR capability.

From your answer, you seem so say that the “N” bit from OPEN2 needs to be considered and taken into account. I’d like this to be clarified.

OTOH if OPEN2 doesn't exchange the "N" bit (either because it removes the GR capability entirely or because it removes the bit) then maybe there is some clarification required. Unfortunately RFC 5492 doesn't seem to say when a capability is said to have been successfully exchanged, probably because at time of writing (or at least at time of writing the predecessor) the idea of keeping around previous-session state didn't exist.
[Bruno] Exactly. That’s why I believe the burden to clarify/specify this falls on draft-ietf-idr-bgp-gr-notification

Tentatively, my answer is to say "a capability is only considered to have been exchanged when the session carrying it transitions to ESTABLISHED state". In the situation under discussion, that wouldn't happen, so gr-notification type semantics would continue to remain in effect.
[Bruno] Any answer works for me. I particularly like your proposition being clear and very general. However, it seems to say that the BGP capability advertised in OPEN2 should not be considered. While in your above answer, you seem to take it into consideration (“if the OPEN2 still exchanges the "N"”)

Thanks,
Regards,
--Bruno

--John



Thanks,
--Bruno

From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of John G. Scudder
Sent: Tuesday, April 03, 2018 10:03 PM
To: Alvaro Retana; idr@ietf. org
Cc: idr-chairs@ietf.org<mailto:idr-chairs@ietf.org>; draft-ietf-idr-bgp-gr-notification@ietf.org<mailto:draft-ietf-idr-bgp-gr-notification@ietf.org>
Subject: Re: [Idr] AD Review of draft-ietf-idr-bgp-gr-notification-13

Hi WG,

As co-chair, I want to point out that the AD asked the WG for comments ("I want to ask the WG to consider..."). Since Alvaro asked more than three months ago and nobody answered, maybe nobody has anything to say -- as he points out ("[After I wrote the text above…] I found that some of the points have been discussed on the list already"), this topic was beaten to death in March 2017 (https://www.ietf.org/mail-archive/web/idr/current/msg17679.html<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_idr_current_msg17679.html&d=DwMGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=hLt5iDJpw7ukqICc0hoT7A&m=7AX9lsHCz9FSlFK6feRmlnAwToPRMqMdbsjdQNxre98&s=Eb2l4KGMYRyULZHgUquSdC0EFBsq78qFVgQH_0svDSU&e=> and the following thread, specifically in the context of session culling which Alvaro brings up). Also, for reference the original WGLC all the way back in May 2014 is here: https://www.ietf.org/mail-archive/web/idr/current/msg13202.html<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_idr_current_msg13202.html&d=DwMGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=hLt5iDJpw7ukqICc0hoT7A&m=7AX9lsHCz9FSlFK6feRmlnAwToPRMqMdbsjdQNxre98&s=Cj0Pme9WuS9-M7h-jLQRDlyUlQT70fb2qCojXaqenYQ&e=>.

However, maybe some people have just missed Alvaro's request, so if you have comments you want considered, please send them by April 10. I will follow up myself (with cu-author hat).

Thanks,

--John

On Dec 7, 2017, at 4:11 PM, Alvaro Retana <aretana.ietf@gmail.com<mailto:aretana.ietf@gmail.com>> wrote:

Dear authors:

I just finished reading this document — I have some comments, please see the list below.

I understand the intent of this document: instead of resetting a BGP session when a NOTIFICATION is received, use Graceful Restart; if the session is going to *really* be reset, then use the new Hard Reset sub-code.  That makes sense to me…but, is that the only code/sub-code for which it makes sense to do a hard reset?  The NOTIFICATION has always had the “stigma” of being something bad, so much that we (idr/IETF) have even worked on ways to reduce its use (rfc7606, for example).  I want to ask the WG to consider whether other code/sub-code NOTIFICATION combinations should also result in a hard reset.  I think there are several cases, for example:

(1) rfc4486 (Subcodes for BGP Cease Notification Message) defines “Administrative Shutdown” ("a BGP speaker decides to administratively shut down its peering with a neighbor”).  It seems to me that the sender of this NOTIFICATION would not want to "follow the rules for the Receiving Speaker” (as specified in Section 4).

(2) rfc4486 also defines "Administrative Reset” ("a BGP speaker decides to administratively reset the peering with a neighbor”); no more details are provided, but that sounds like a hard reset to me.

(3) …there’s probably others...

Having said all that, I note that Section 3.1. (Sending a Hard Reset) specifies the “encapsulation” (for lack of a better word) of the real reason for the Hard Reset.  If the consensus is to go forward with that, and not call out other exceptions, then I think that the text in 3.1 should expand more on the encapsulation operation and the rationale for doing it this way, and the document should also address other recent work that recommends the use of Administrative Shutdown, for example draft-ietf-grow-bgp-session-culling (a BCP currently in the RFC Editor’s Queue).

[After I wrote the text above…] I found that some of the points have been discussed on the list already — please include some of that discussion/analysis in the document.


I’ll wait until the issue above and ones marked Major (below) are addressed before starting the IETF LC.

Thanks!

Alvaro.



Major:

M1. Unfortunately, rfc4724 failed to setup a registry for the Restat Flags (or the Flags for Address Family), which means that anyone is able to use the bits in there (assuming the receiver looks at them, of course).  Given that there are only a few bits, and to prevent conflicts, I would really like to see a registry set up.  This document is already tagged to Update rfc4724, so it seems like a good place to establish the registries.  [If for some reason you rather not include that information here, then we can take care of it elsewhere.  IOW, this request is not a requirement.]




M2. Section 4.1. (Rules for the Receiving Speaker) has me a little confused.  Are the proposed changes contingent to setting the N bit?  The text starts by saying: "As part of this extension, routes from the peer previously marked as stale MUST NOT be deleted, until and unless the optional timer…expires…”…does that mean that the timer is no longer optional?   Then you also say: “...if the Graceful Notification ("N") bit is not set in the newly received Graceful Restart Capability, no new actions are triggered on the Receiving Speaker -- in particular, a clear "N” bit does not trigger deletion of stale routes.”  If I understand rfc4724 correctly, stale routes could be deleted — the text indicates changes in the behavior even if the N bit is not set, right?  If you are Updating this section of rfc4724, what would make it crystal clear is an “OLD/NEW” notation of the text (as in, this is the OLD text…and this is the NEW text…).





M3. Security Considerations:  Maybe not a security issue, but something to think about.  Section 4.1 says that “routes...previously marked as stale MUST NOT be deleted, until and unless the optional timer...expires, or unless a Hard Reset is performed.  This supersedes the “consecutive restarts” requirement…”.  Not deleting the stale routes and not making the timer mandatory could result in stale routes that live forever if an attacker manages to create consecutive restarts (by simply sending NOTIFICATIONS before EoR) — stale routes are ok in the short term, but may point in the wrong direction eventually.  Is this an issue?  I think that it would be mitigated if the timer was made mandatory (with a nice default).





Minor:


P1. Section 4: “...receive and send BGP NOTIFICATION messages in Graceful mode...” What is “Graceful mode”?





Nits:

N1. In Section 2, please indicate that the first figure corresponds to the GR Capability from rfc4724.

N2. s/subcode is defined known as/subcode is defined as

N3. s/Graceful Notification flag/Graceful Notification bit   (For consistency)

N4. The operation is obviously per-AF; maybe it’s worth saying that somewhere just for completeness.


_________________________________________________________________________________________________________________________



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.