IETF Logo Mail Archive

Re: [Idr] WG Adoption call for draft-spaghetti-idr-bgp-sendholdtimer-09 (2/28/2023 to 3/14/2023)

Robert Raszuk <robert@raszuk.net> Mon, 06 March 2023 22:11 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5051CC152F00 for <idr@ietfa.amsl.com>; Mon, 6 Mar 2023 14:11:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8pC_Qs-sluw1 for <idr@ietfa.amsl.com>; Mon, 6 Mar 2023 14:11:44 -0800 (PST)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5460C152EFA for <idr@ietf.org>; Mon, 6 Mar 2023 14:11:44 -0800 (PST)
Received: by mail-wm1-x334.google.com with SMTP id j3so6634375wms.2 for <idr@ietf.org>; Mon, 06 Mar 2023 14:11:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; t=1678140702; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=a+ZdOuMcPPzEbTyNzX5tpmQGzZ1PvInj9k2TAP4X2Ko=; b=bmefNZgI6+xKpWugGpSskrshWqGIe9xoCZJAZwI0qBPp6TBpSSrH0ZzvlUKjaO7E6x d/tz9I8BPwH3QDht/yTGzaQ/jTJxYNzGGe8XZS90/pVhOA/X/JpQ3bxhX8N9a3Mvn4Y5 J7r5MzmLQmMlW9YP/76f4RzmRwxkLgmy01MfkvJ3KsA+n1Q1bCF0U5iVW0rhIXOgp3i8 PdMIQXJhPQ3Xi6jA3+nX7ectPJ4/QZKaQ/djpWAcUeF3O5xdpTrHQpd6h0yq13Fd0btk tboLMkkUAy6GSgYSdvva7NvoQjAa2Rfd73oCBbvPP5P6BAtYEBCHNQUne5nMoo8+6LxW KRaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678140702; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=a+ZdOuMcPPzEbTyNzX5tpmQGzZ1PvInj9k2TAP4X2Ko=; b=XuGtBnMi1c9GQiFI0wovdP6wriOeTzHtbKl43ZOo1k4GNj6JUvo5+PGI4w6B76PAq1 twfpn8hwseehfeAmW/PBNWN5ZL0yXfvfNmBkr5WN2a2Dp6xANeLHNOqIl+H9KKogx9kJ mXNKq+0my6xQnV9NIxntyfGjU0aM6EEIECCP/jHHvUH+MbF6Xy1GzulqyVcJDwp3CKe3 cAzO/husqf98LdGiR9WYKghjXw5Yg7LLWtpKwF7Z5QXO6M2Y/3c3aPhbLNEY6hjKQH+z 2khuvRz4YWqLIVAxT/blrQ/3AWVxPbOFf/RtZo12bfGW/i5ShWQ8TeG1Gi7VjtQtQ3AC ISGQ==
X-Gm-Message-State: AO0yUKUzBk9YEQLbthdevTbCye61tNDeO6F+BFQUk4YVbyibbm2JeSsP chZ1jj3+Rlqw4J+paiFT8y8ScTM76v4u3A4UYNuGmw==
X-Google-Smtp-Source: AK7set+QdA0Na6HSO6Pzz3zUXZPw2MPporKNYynDs79MSMQ8BRqVxFF1gk50HDsBaTrxnyRsOEiQxiqN6KJRIYAshBw=
X-Received: by 2002:a05:600c:16c6:b0:3eb:2e68:5c86 with SMTP id l6-20020a05600c16c600b003eb2e685c86mr2827670wmn.6.1678140702518; Mon, 06 Mar 2023 14:11:42 -0800 (PST)
MIME-Version: 1.0
References: <BYAPR08MB4872FD426205CAC6F82D22BEB3AD9@BYAPR08MB4872.namprd08.prod.outlook.com> <AM7PR07MB6248673BB25E0C0BCDBEE480A0B69@AM7PR07MB6248.eurprd07.prod.outlook.com> <CAOj+MMHF9G5-CmGPJpWja=1kgBrV=EYtzyhQr9La1722=D+ugA@mail.gmail.com> <m2edq1ac7s.wl-randy@psg.com> <ZAZSyywxxg0HkaDw@snel>
In-Reply-To: <ZAZSyywxxg0HkaDw@snel>
From: Robert Raszuk <robert@raszuk.net>
Date: Mon, 06 Mar 2023 23:11:31 +0100
Message-ID: <CAOj+MMGiB8iiqKbj40kZsSFAQXCQ+baGQWuA7oQ1D0qF5aygeQ@mail.gmail.com>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Cc: idr@ietf.org, Enke Chen <enchen@paloaltonetworks.com>
Content-Type: multipart/alternative; boundary="00000000000075034f05f642946c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/g-cJ_aqT2k3I9nWIT-V0kvOtwcs>
Subject: Re: [Idr] WG Adoption call for draft-spaghetti-idr-bgp-sendholdtimer-09 (2/28/2023 to 3/14/2023)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2023 22:11:49 -0000

Job,

> The above changeset has been tested against exploit code we developed,
> it works.

My main issue with what is proposed here is that it completely ignores TCP
keepalives.

When I was exploring this topic with Enke we actually found a good number
of completely legal and valid cases where TCP will suppress flow
unidirectionally for a good and valid reasons.

When application (here BGP) is trying to be smarter then transport it is
relaying on we are looking at zoo of new hard to debug issues.

Of course one may say ... Oh if I configure long enough timers we will be
fine - and that is maybe true - maybe SendHoldTimer will be just an extra
fuse.

Currently draft says:

A HoldTimer value of 4 minutes is suggested.
A SendHoldTimer value of 8 minutes is suggested.

But I am sure there is going to be CLI to override it.

And when I see HoldTimer recommendation of 4 minutes ... well many folks
are asking vendors to support HoldTimer of 30 sec as they do not (or can
not) use BFD. What are they suppose to do ? Naturally will set
SendHoldTimer to 60 sec and the fun will start.

Regards,
Robert









On Mon, Mar 6, 2023 at 9:53 PM Job Snijders <job=40fastly.com@dmarc.ietf.org>
wrote:

> On Mon, Mar 06, 2023 at 11:53:11AM -0800, Randy Bush wrote:
> > > But technically what is in this draft and apparently prototyped in
> > > one open source implementation has a very limited (read narrow)
> > > applicability.
>
> Worth pointing out: two widely used open-source implementations and one
> closed-source implementation already exist. All three interopable and
> independently authored, see Appendix A of the draft.
>
> > adding complexity and significan new code to bgp when, as you and enke
> > point out, the vendors can merely flush out their tcp implementation
> > where the solution is already specified.
>
> 'adding complexity' is a highly subjective assessment.
>
> The changeset to introduce sendholdtimer in OpenBGPD's FSM is very
> readable and concise:
> https://marc.info/?l=openbsd-tech&m=160820754925261&w=2
> The above changeset has been tested against exploit code we developed,
> it works.
>
> On the other hand, the solution Raszuk and Enke advocate was broken from
> the 90s until Linux Kernel 5.11 arrived, requiring a bugfix [1] that
> seems of similar 'complexity' as the OpenBGPD approach.
>
> So yes, new code somewhere in the stack will need to be added to deal
> with broken remote peers that are stuck in this particular problematic
> state.
>
> Using a recently fixed Linux-specific feature certainly is one way of
> doing it, but certainly not the only way.
>
> Kind regards,
>
> Job
>
> [1]:
> https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=9d9b1ee0b2d1c9e02b2338c4a4b0a062d2d3edac
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>

v2.23.0 | Report a Bug | By Email