IETF Logo Mail Archive

Re: [Idr] I-D Action: draft-ietf-idr-error-handling-03.txt

Rob Shakir <rjs@rob.sh> Sun, 09 December 2012 23:46 UTC

Return-Path: <rjs@rob.sh>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6613F21F8D82 for <idr@ietfa.amsl.com>; Sun, 9 Dec 2012 15:46:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVElrFXHgZGn for <idr@ietfa.amsl.com>; Sun, 9 Dec 2012 15:46:36 -0800 (PST)
Received: from cappuccino.rob.sh (cappuccino.rob.sh [IPv6:2001:b98:201:101::10:cafe]) by ietfa.amsl.com (Postfix) with ESMTP id 6077F21F8D06 for <idr@ietf.org>; Sun, 9 Dec 2012 15:46:32 -0800 (PST)
Received: from [46.65.174.228] (helo=[172.16.1.6]) by cappuccino.rob.sh with esmtpa (Exim 4.72) (envelope-from <rjs@rob.sh>) id 1ThqWy-0003oD-H1; Sun, 09 Dec 2012 23:43:32 +0000
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Rob Shakir <rjs@rob.sh>
In-Reply-To: <07df01cdd661$f28ef7c0$d7ace740$@highwayman.com>
Date: Sun, 09 Dec 2012 23:46:38 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <36E98AE5-3EF8-4738-9982-42B9CA0BAAF5@rob.sh>
References: <20121121191321.6164.6887.idtracker@ietfa.amsl.com> <50AD2986.90705@cisco.com> <058b01cdd3b4$9f5193b0$ddf4bb10$@highwayman.com> <8ED5B0B0F5B4854A912480C1521F973A0F4940@xmb-rcd-x13.cisco.com> <94913EE5-2864-4EE2-B474-9631430B1E22@ericsson.com> <068701cdd478$2cf01cf0$86d056d0$@highwayman.com> <CAEGVVtBy-zdLz8hVajLnuAqgzfgQHrseK4r-N9=pOZGtqV7LbA@mail.gmail.com>, <074d01cdd536$173f5830$45be0890$@highwayman.com> <9474D8DC-30FF-4C52-9504-15CBCC47E7D8@ericsson.com> <07df01cdd661$f28ef7c0$d7ace740$@highwayman.com>
To: Chris Hall <chris.hall@highwayman.com>
X-Mailer: Apple Mail (2.1499)
Cc: idr@ietf.org
Subject: Re: [Idr] I-D Action: draft-ietf-idr-error-handling-03.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2012 23:46:37 -0000

Chris,

In my opinion (and as per Jakob's comment earlier in the thread) you are looking at the treat-as-withdraw behaviour in the wrong way. I have written multiple messages about this previously, but let me reiterate some of the discussions.

The current BGP implementation of session reset optimises solely to make sure it maintaining single device RIB consistency, and knowledge of correct routing information being used by that local speaker. What this misses out is the other dimension to the correctness, which is that of whether services within the network as a system are functional. Where we pursue anything around the revised error handling functionality that is being discussed in this draft, we balance the correctness of the local device's RIB, against the functionality of the overall network system.

As such, I think we have to accept that the current protocol behaviour can be *very* damaging to network deployments and hence operators of real networks are prepared to tweak this balance somewhat. The requirements draft that I am continuing to edit tries to lay out a framework whereby one can limit the amount of time over which this inconsistency may affect the network through having means by which RIB consistency may be recovered. For example, these are:

- A more selective means by which ROUTE REFRESH can be achieved (e.g., one-time ORF, using rt-constrain to refresh a subset of routes, or building upon the Enhanced GR UPDATE-VERSION message) - which allows the individual speaker to recovery consistency of the RIB.
- Better ways to be able to do session reset (the observation being that the session-level error handling causes most problems due to forwarding outages during it) - which is answered by GR based on NOTIFICATION, and Enhanced GR.

It strikes me that your analysis is aiming to ensure 100% consistency at the device level - which I think is something that we have to accept is incompatible with overall network system robustness. Can I suggest that you contribute some text to the draft as to where there are caveats (i.e., where the treat-as-withdraw mechanism may fail), and note that these are positions where a device may wish to continue to implement session level reset behaviours, or additional risk may be faced by the device?

My view is that we should *not* have a capability to indicate this behaviour. I would like a means by which I am not reliant on 3rd party actions (be it my peers in the dfz, or l3vpn deployments, or all device vendors) to begin to address a risk within my network deployments.

Kind regards,
r.

On 9 Dec 2012, at 23:07, Chris Hall <chris.hall@highwayman.com> wrote:

> Jakob Heitz wrote (on Sat 08-Dec-2012 at 16:43 +0000):
>> The goal of "treat as withdraw" is not to reinterpret a broken
>> update message and continue the session, like nothing happened.
>> 
>> IMO, the goal is to limit the disruption caused by a session reset,
>> while alerting a human to fix the problem that no machine can.
> 
> I guess you are suggesting that it does not then matter if a broken
> UPDATE message results in some NLRI being missed, and so not
> "treated-as-withdraw", and hence the receiver continues with some
> invalid or out of date routes, for some time.
> 
> Clearly session-reset is a less than perfect remedy.  But in proposing
> an alternative treatment, perhaps "first do no harm" is as good a
> guide as any.  I think that to achieve that, one needs to be sure that
> *all* NLRI in a broken update can be identified if "treat-as-withdraw"
> is to be applied.  
> 
> If the intention is to "treat-as-withdraw" any NLRI which is visible,
> but continue the session in any case (so, accepting the risks of
> invalid or out of date routes) then I think the draft should estimate
> the risks and set out a justification for this being a less-bad remedy
> than session-reset.
> 
> Of course, a major issue with session-reset is that the error may well
> simply be repeated, creating a ghastly cycle session-reset/restart.
> It could well be better to avoiding session-reset, and continue with
> some invalid or out of date routes -- or a while, defined somehow ?  I
> just don't know how to demonstrate that, or how to limit the downside
> of accepting that risk, etc.
> 
> "Treat-as-withdraw" is an excellent and minimally disruptive response
> in those cases where all NLRI can be identified.  But it is not the
> only alternative to session-reset.  If there is doubt and uncertainty
> about some routes, the receiver could deem *all* routes learned from
> the peer in question to be "routes-of-last-resort", which it then uses
> if and only if it had nothing else, but would not advertise them to
> other peers.  This is just short of a "session-reset", and avoids
> falling into a cycle of session-reset/restart.
> 
> Chris
> 
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr

v2.23.0 | Report a Bug | By Email