Re: [mpls] MPLS-RT review of draft-chandra-mpls-ri-rsvp-frr

Hi Chandra,
Sorry for the late reply. See inline for some follow-up.

Regards,
Mustapha.

> -----Original Message-----
> From: Chandrasekar Ramachandran [mailto:csekar@juniper.net]
> Sent: Friday, December 18, 2015 12:41 AM
> To: Chandrasekar Ramachandran; Aissaoui, Mustapha (Mustapha); Sriganesh Kini;
> Loa Andersson; Lucy yong
> Cc: mpls-chairs@ietf.org; mpls@ietf.org; draft-chandra-mpls-ri-rsvp-frr@ietf.org;
> Guijuan Wang 3; Lizhong Jin
> Subject: RE: MPLS-RT review of draft-chandra-mpls-ri-rsvp-frr
> 
> Mustapha,
> Did my response address your concerns? If I have understood you correctly, the
> concerns fall in two categories and I have tried to address these concerns.
> (A) The need for introducing refresh-interval independent behavior into RSVP-TE
> (B) Why some kind of local implementation based timers will not be sufficient to
> support long refresh intervals
> 
> Do you have any specific comment on my responses? Specifically, do you still
> think the responses did not address (A), or (B) or both?
> 
> Regards,
> Chandra.
> 
> > -----Original Message-----
> > From: mpls [mailto:mpls-bounces@ietf.org] On Behalf Of Chandrasekar
> > Ramachandran
> > Sent: Thursday, December 03, 2015 12:58 AM
> > To: Aissaoui, Mustapha (Mustapha)
> > <mustapha.aissaoui@alcatel-lucent.com>;
> > Sriganesh Kini <sriganesh.kini@ericsson.com>; Loa Andersson
> > <loa@pi.nu>; Lucy yong <lucy.yong@huawei.com>
> > Cc: mpls-chairs@ietf.org; mpls@ietf.org; draft-chandra-mpls-ri-rsvp-
> > frr@ietf.org; Guijuan Wang 3 <guijuan.wang@ericsson.com>; Lizhong Jin
> > <lizho.jin@gmail.com>
> > Subject: Re: [mpls] MPLS-RT review of draft-chandra-mpls-ri-rsvp-frr
> >
> > Mustapha,
> >
> > > -----Original Message-----
> > > From: Aissaoui, Mustapha (Mustapha)
> > > [mailto:mustapha.aissaoui@alcatel-
> > > lucent.com]
> > > Sent: Thursday, November 26, 2015 8:48 AM
> > > To: Sriganesh Kini <sriganesh.kini@ericsson.com>; Loa Andersson
> > > <loa@pi.nu>; Lucy yong <lucy.yong@huawei.com>
> > > Cc: Lizhong Jin <lizho.jin@gmail.com>; Guijuan Wang 3
> > > <guijuan.wang@ericsson.com>;
> > > draft-chandra-mpls-ri-rsvp-frr@ietf.org;
> > > mpls-chairs@ietf.org; Aissaoui, Mustapha (Mustapha)
> > > <mustapha.aissaoui@alcatel-lucent.com>; mpls@ietf.org
> > > Subject: RE: MPLS-RT review of draft-chandra-mpls-ri-rsvp-frr
> > >
> > > Dear authors,
> > > I read this draft and I believe the intent is to provide a tighter
> > > control plane synchronization of the PLR and MP roles on a per RSVP
> > > session basis such that a LSR will know if it is a MP for a given
> > > RSVP session which requested protection. This is done such that the
> > > decision to retain or delete the state by the LSR detecting the
> > > failure of the link to the previous hop (or the failure of the
> > > previous hop itself) is made with the prior knowledge that the LSR is a MP or
> not on a per RSVP session basis.
> >
> > [Chandra] The primary motivation of the draft is to enable LSRs to
> > support FRR when the LSP scale on the LSR is of the order of hundreds
> > of thousands. The analysis of the bottlenecks as a consequence of LSP
> > scale, that can cause disruption of the LSR has already been
> > documented in RFC 5439. As analyzed in RFC 5439, while there is a
> > correlation between the percentage increase in refresh time and the
> > improvement in LSR performance, there is a degree of functionality
> > that is lost owing to the soft-state nature of the protocol. TE-
> > SCALE-REC
> > (https://tools.ietf.org/html/draft-ietf-teas-rsvp-te-scaling-rec-00)
> > outlines the motivation for refresh independent RSVP (RI-RSVP) for all
> > types of LSPs (packet or non-packet), and makes recommendations to
> > enable RSVP implementations eliminate the reliance on short refresh
> > time. This draft addresses the refresh-interval dependent behavior of
> > RFC 4090 in order to support RI-RSVP, as facility backup FRR is a
> > widely deployed feature in production networ  ks.

MA> It seems to me the main issue with bypass protection is to deal with the generation (PLR) and processing (MP) of a large number of *triggered* Path messages for the individual protected LSPs at the time the PLR activates the bypass LSP. 

I do not see anything new in this draft to address the bottleneck of the state refresh mechanism itself. In fact, the draft suggests that after the bypass LSP is activated, the state refresh continues with summary refreshes which is the solution already existent as per RFC 2961. Based on that, it is misleading to call this a Refresh-Independent RSVP FRR and this draft is not changing the fact that a PLR can generate and the MP may have to process a Srefresh message with potentially a large number of message IDs once the bypass is activated.

What this mechanism is providing is a bulk notification of bypass activation from the PLR to the MP. This can speed up the creation in the control plane of the new remote neighbor (PLR) at the MP and associate the existing PSB/RSBs of the protected LSPs with this new neighbor. The savings in the creation of the new remote neighbor is due to not relying on the receipt from the PLR and the processing of a triggered refresh message for each protected LSP. Note here there are no issue with the data plane and packets from all LSPs will be forwarded properly at the MP since the ILM for the protected LSP is the same whether the packet is received from the primary interface or from the bypass LSP interface. 

Based on the above, I am having trouble reconciling the limited benefits and the complexity of the proposed mechanism.
I am not opposed for this part of the draft to move forward as an optional mechanism but I propose that it gets merged with draft-mtaillon-mpls-summary-frr-rsvpte and that the reference to "Refresh-Independent RSVP FRR" be removed. Also, the objective of the mechanism to more clearly explained as a bulk notification mechanism when bypass is activated.

> > > However,  the procedures presented in this document are fairly
> > > complex and go at odds with the original intent of making state
> > > synchronization based on a soft-state mechanism.
> >
> > [Chandra] The tradeoffs between using short or long refresh intervals
> > has been well understood. Short refresh intervals aid fast
> > synchronization of states along the path of the LSP, but is
> > problematic because of the control message traffic that a router has
> > to handle at high LSP scale. Routers not only must synchronize new
> > states as promptly as possible, but also must maintain the rate of
> > periodic Srefresh messages to a level sufficient to refresh all
> > existing states without being timed out. When the number of LSPs that routers
> carry approach half a million, there will be two problems with the control message
> rate.
> > (1) As analyzed in RFC 5439, even with RFC 2961 refresh reduction the
> > size of Srefresh message may become very large, and the processing
> > required may cause disruption of the LSR.
> > (2) Apart from the problem of RSVP message processing overhead, there
> > is also the problem of RSVP-TE becoming a bottleneck preventing the
> > router to scale other protocols or services.

MA> This draft does not solve the issue of large Srefresh message. After the bulk triggering of the bypass, Srefresh message will still be large because implementations will need to make efficient use of the message by sending as many Message IDs as possible.

> > > In fact, what I fail to find is a compelling argument or data from
> > > the field which shows the issue is not resolved via much simpler
> > > methods which are used in production networks today. I describe this
> > > in the detailed comments below.
> >
> > [Chandra] Some of the mechanisms already deployed in multi-vendor
> > production networks involve configuring implementation specific timers or
> delays on LSRs.
> > Multiple vendors support various timers or delays on Ingress and Transit LSRs.
> > However, in practice the values configured for these timers or delays
> > are very scale specific, and the values that work at one LSP scale
> > usually do not work at higher LSP scale. In practice, the "scale" that
> > impacts the behavior at specific timer or delay value is not only the
> > number of LSPs carried on the router, but also the number of other
> > protocol states that reside on the router. It should be noted that the
> > reliance on such implementation specific timers or delays has been a
> > major contributor of operational complexity in running RSVP-TE FRR.
> > Any solution based on such timers or delays while being operationally
> > simple at one scale ceases to be so at higher scale. It has been
> > practically found (with existing implementations from multiple
> > vendors) tha  t it is operationally hard to find out the new better
> > value as a running production network grows over time. In short, the use of such
> timers or delays has been found to involve guess work that seldom remain simple
> in the long run.

MA> The timer is for a different issue than the main objective of the draft. Let us discuss it in the points below

> > > Regards,
> > > Mustapha.
> > > ---------------------
> > > 1. Section 3.1 - Problem Description "
> > > - If the protected LSP on C times out before D receives signaling
> > > for the backup LSP, then D would receive PathTear from C prior to
> > > receiving signaling for the backup LSP, thus resulting in deleting
> > > the LSP state. This would be possible at scale even with default
> > > refresh time.
> > > "
> > > MA> Since each LSR in the path of a RSVP session which requested
> > > MA> protection
> > > has to assume it can be a MP without prior knowledge, a simpler
> > > method is to reset the refresh timeout for each session as soon as
> > > the link to the previous hop failed. In fact, a user configurable MP
> > > timeout upon failure, independent of the refresh timeout, can be
> > > provided to tune it to the desired value to give enough time to the
> > > Path message to be received via the bypass LSP.
> >
> > [Chandra] The option of resetting the refresh timeout may not be
> > viable if long refresh interval (of the order of tens of minutes) is
> > applied on the LSPs. That leaves the other option of providing a "wait
> > timer" (independent of refresh time) that is configurable on the MP. However, it is
> fairly clear that the "wait timer"
> > that the operator should configure on MP will be problematic for two reasons.
> > The operator should carefully analyze the performance impact of an
> > existing timer/delay value if and when (a) the LSP scale on the same
> > router increases, and (2) the LSP scale increases on other routers
> > around it (that may potentially become upstream PLRs)!

MA> The use of a refresh-timeout independent timer has been shown to work in production networks. Most of the time, the value is conservative enough to cover a large scale network.  

> > > 2. Section 3.1 - Problem Description:
> > > "
> > > - If upon the link failure C is to keep state until its timeout,
> > > then with long refresh interval this may result in a large amount of
> > > stale state on C. Alternatively, if upon the link failure C is to
> > > delete the state and send PathTear to D, this would result in
> > > deleting the state on D, thus deleting the LSP. D needs a reliable
> > > mechanism to determine whether it is MP or not to overcome this
> > > problem.
> > > "
> > > MA> What is exactly the issue with state timeout being retained
> > > MA> until the
> > > refresh timeout? You refer to this as "stale" state but in fact it
> > > is desirable to keep the state until node D created the backup PSB.
> > > Also, remember that head-end node will perform global revertive MBB
> > > and may tear down the LSP before the state timeout.
> >
> > [Chandra] As described in the first response in this mail, the
> > motivation driving the draft is to eliminate RSVP-TE's reliance of
> > short refresh intervals. If router C were to retain the LSP state
> > until time out, without any additional procedures that provide an
> > explicit indication to router C on when the LSP state is no longer
> > required, then router C would retain the LSP state potentially for
> > hours if the refresh interval is long. So, router C will not only
> > store the state of the LSP but also periodically send the Path message
> > (in Srefresh) downstream - thereby unnecessarily consuming resources that
> could potentially be utilized for other LSPs.
> > It should also be noted that the transit router cannot assume that
> > Ingress LSR will be able to complete global repair within a particular
> > time frame. The transit LSR procedures should be able to handle cases
> > when global repair does not complete for some valid reason for an extended
> period of time.

MA> Clearly, you are not taking away the reliance on refresh messages. Any ad-hoc mechanism which is not reliable such as a PathTear may still keep the state until it times out. Furthermore, relying exclusively on Message ID ACk as proposed in draft-ietf-teas-rsvp-te-scaling-rec in a scaled network is not good. Data from deployment networks I am familiar with has shown that the retransmission of messages which are not acknowledged when the control plane churn is happening is causing much more churn. Our advice for our customers was to disable the requirement to receive a Message ID Ack.

> > > 3. Section 3.1 - Problem Statement:
> > > "
> > > - If head-end A attempts to tear down LSP after step 1 but before
> > > step 2 of the above sequence, then B may receive the tear down
> > > message before step 2 and delete the LSP state from its state
> > > database. If B deletes its state without informing D, with long
> > > refresh interval this could cause (large) buildup of stale state on
> > > D.
> > > "
> > > MA> I am not sure I understand the issue here. If B acting as a PLR
> > > MA> receives a
> > > PathTear from A, all it needs to do is to check that the primary
> > > path neighbor (C in this case) is in down or in cleanup state and
> > > send the PathTear over the bypass before deleting its own local state.
> > > Note here a key assumption is that PLR node B must send triggered
> > > Path refresh messages to the MP over the bypass. If node B has to
> > > wait to the next refresh interval to send the Path refresh over the
> > > bypass, then you can run into the issue described here.
> >
> > [Chandra] The problem described is different. Router B detects the
> > failure and undertakes local actions for re-routing traffic for all
> > protected LSPs traversing the failed link. In parallel, router B also
> > initiates backup LSP signaling for all those protected LSPs. At scale
> > (i.e. if the number of protected LSPs thus undergoing repair is of the
> > order of hundreds of thousands), the initiation of backup LSP
> > signaling for all those protected LSPs is not expected to happen
> > within short time period. If the Ingress LSR initiates LSP tear down
> > during this interim time duration, the existing procedures do not
> > offer any mechanism for router B to indicate to MP that it need not
> > hold on to that state any longer. The new procedure described in the
> > document does not introduce any major extension but simply use PathTear
> message from PLR to MP even though the PLR had not reliably refreshed backup
> LSP Path.
> >
> > Here again, one may suggest the use of some "wait timer" on MP
> > independent of refresh time out - say if the MP does not receive
> > backup LSP Path message within the "wait timer", the MP can delete the
> > LSP state. But depending on a timer or delay suffers from the same
> > drawbacks pointed out in the response to comment #1.

MA> A timer at the MP node D will not work in this case because the MP does not see any incoming interface failure. For me this is a non issue as head-end trying to delete an LSP during a churn in the network is not a common event. 

> > > 4. Section 3.1 - Problem Statement:
> > > "
> > > - If B fails to perform local repair in step 1, then B will delete
> > > the LSP state from its state database without informing D. As B
> > > deletes its state without informing D, with long refresh interval
> > > this could cause (large) buildup of stale state on D.
> > > "
> > > MA> Well this is the normal RSVP soft-state behavior and in fact
> > > MA> this
> > > behavior can occur for defects of link B-C which are not detected
> > > and which will not trigger the activation of the bypass LSP. There
> > > is nothing abnormal about this and this behavior is not specific to
> > > the case when the bypass could not be activated.
> >
> > [Chandra] The problem is not about the activation of bypass LSP but
> > that there is no indication to the MP router that it does not have to
> > hold on to the LSP state any more. The problem has been explained in
> > the response to comment #3 and #4. On the soft-state behavior, the
> > responses to the first three paragraphs to your mail contain the
> > reasoning for removing the limitations of soft-state nature of the protocol.

MA> Again, it is not clear what would cause B to not be able to perform local repair. Seems like another non issue. By the way, this is not different from the case when the LSP does not have the "local protection desired" flag and the PathTear cannot be sent downstream because of the failure of the outgoing interface for the LSP. Nothing unusual here. RSVP protocol was designed this way.

> > > 5. Section 4.5.2 - Procedures for backward compatibility:
> > > MA> What is the need to set the refresh interval to the default
> > > MA> value when a
> > > LSR detects that a downstream or upstream neighbour does not support
> > > the refresh independent procedures? I assume you meant to change it
> > > back to the configured value which may not be the default value of 30
> seconds.
> >
> > [Chandra] If refresh time is not explicitly configured on the LSR
> > supporting RI- RSVP-FRR, then the refresh interval should be reduced
> > to RFC 2205 default value of 30 seconds for messages sent to a
> > neighboring router that is not RI-RSVP capable. TE-SCALE-REC draft
> > recommends default refresh interval of 20 minutes be used in Path and
> > Resv messages if RI-RSVP is supported by the LSR. The statement in the
> > draft referred here is not applicable if the operator has overridden the RI-RSVP
> default value.
> >
> > I think the text in Section 4.5.2 could have state explicitly that if
> > downstream or upstream neighbor does not advertise RI-RSVP capability,
> > then the router should reduce the refresh interval to 30 seconds if
> > the refresh interval has not been configured on the router. We will
> > update this section accordingly to clarify the proposed behavior.
> >
> > Regards,
> > Chandra.
> >
> > _______________________________________________
> > mpls mailing list
> > mpls@ietf.org
> > https://www.ietf.org/mailman/listinfo/mpls