Re: [pcp] FW: New Version Notification for draft-vinapamula-flow-ha-01.txt
Suresh Kumar Vinapamula Venkata <sureshk@juniper.net> Tue, 19 August 2014 18:24 UTC
Return-Path: <sureshk@juniper.net>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 069341A06A5 for <pcp@ietfa.amsl.com>; Tue, 19 Aug 2014 11:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bvKRJwWWk5E4 for <pcp@ietfa.amsl.com>; Tue, 19 Aug 2014 11:24:45 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0212.outbound.protection.outlook.com [207.46.163.212]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B32141A06A0 for <pcp@ietf.org>; Tue, 19 Aug 2014 11:24:44 -0700 (PDT)
Received: from DM2PR05MB288.namprd05.prod.outlook.com (10.141.101.11) by DM2PR05MB287.namprd05.prod.outlook.com (10.141.101.27) with Microsoft SMTP Server (TLS) id 15.0.1010.18; Tue, 19 Aug 2014 18:24:41 +0000
Received: from DM2PR05MB288.namprd05.prod.outlook.com ([10.141.101.11]) by DM2PR05MB288.namprd05.prod.outlook.com ([10.141.101.11]) with mapi id 15.00.1010.016; Tue, 19 Aug 2014 18:24:41 +0000
From: Suresh Kumar Vinapamula Venkata <sureshk@juniper.net>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Thread-Topic: [pcp] FW: New Version Notification for draft-vinapamula-flow-ha-01.txt
Thread-Index: Ac+2oNv1u/PcvthDCk26TaHNEsrzHwAUCXOAARjHCIAAEwK4gA==
Date: Tue, 19 Aug 2014 18:24:41 +0000
Message-ID: <D018E08A.4A4BC%sureshk@juniper.net>
In-Reply-To: <913383AAA69FF945B8F946018B75898A283176FC@xmb-rcd-x10.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.2.130206
x-originating-ip: [66.129.239.11]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;UriScan:;
x-forefront-prvs: 0308EE423E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019006)(6009001)(377424004)(199003)(189002)(13464003)(24454002)(377454003)(479174003)(51704005)(83322001)(101416001)(15202345003)(77982001)(85852003)(86362001)(83072002)(20776003)(92726001)(74662001)(36756003)(74502001)(87936001)(85306004)(19580405001)(19580395003)(31966008)(76482001)(105586002)(99396002)(50986999)(64706001)(79102001)(4396001)(80022001)(99286002)(106356001)(15975445006)(46102001)(2656002)(92566001)(95666004)(107046002)(110136001)(81542001)(54356999)(83506001)(81342001)(230783001)(21056001)(66066001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR05MB287; H:DM2PR05MB288.namprd05.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-ID: <F9A0B4116B705B4CB99F3E2170B19758@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/PUKrBI2TB-6cN3zhf3MDsz9gxn4
Cc: "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] FW: New Version Notification for draft-vinapamula-flow-ha-01.txt
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 18:24:55 -0000
On 8/18/14 7:20 PM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> wrote: >> -----Original Message----- >> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net] >> Sent: Thursday, August 14, 2014 12:51 AM >> To: Tirumaleswar Reddy (tireddy) >> Cc: pcp@ietf.org >> Subject: Re: [pcp] FW: New Version Notification for >>draft-vinapamula-flow- >> ha-01.txt >> >> >> >> On 8/12/14 7:47 PM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> >> wrote: >> >> >> -----Original Message----- >> >> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net] >> >> Sent: Tuesday, August 12, 2014 11:33 PM >> >> To: Tirumaleswar Reddy (tireddy) >> >> Cc: pcp@ietf.org >> >> Subject: Re: [pcp] FW: New Version Notification for >> >>draft-vinapamula-flow- >> >> ha-01.txt >> >> >> >> >> >> >> >> On 8/12/14 1:35 AM, "Tirumaleswar Reddy (tireddy)" >> >> <tireddy@cisco.com> >> >> wrote: >> >> >> >> >> -----Original Message----- >> >> >> From: Suresh Kumar Vinapamula Venkata >> [mailto:sureshk@juniper.net] >> >> >> Sent: Tuesday, August 12, 2014 12:06 AM >> >> >> To: Tirumaleswar Reddy (tireddy) >> >> >> Cc: pcp@ietf.org >> >> >> Subject: Re: [pcp] FW: New Version Notification for >> >> >>draft-vinapamula-flow- >> >> >> ha-01.txt >> >> >> >> >> >> Thanks for your comments. Please see inline. >> >> >> >> >> >> On 8/8/14 1:22 AM, "Tirumaleswar Reddy (tireddy)" >> >> >> <tireddy@cisco.com> >> >> >> wrote: >> >> >> >> >> >> >Hi Suresh, >> >> >> > >> >> >> >Comments: >> >> >> > >> >> >> >[1] What is the reason for updating the reserved field in the PCP >> >> >> >Common Request Packet Format ? >> >> >> >A new PCP option can also be defined to signal if it's a critical >> >> >> >flow or not. >> >> >> >> >> >> Suresh> Yes, a PCP option can also be used and we thought about >>it. >> >> >> Suresh> We >> >> >> were debating if option would be an overkill, as there is nothing >> >> >>negotiated unlike other options, while indicating checkpointing. >> >> >>We are debating on the use cases where bit is not sufficient and >> >> >>an option is required. Please let us know if you think of cases >> >> >>where bit will not work. >> >> > >> >> >A new PCP option will help to add more fields for future use cases. >> >> I am not sure what fields can be added for future use. I agree it is >> >>better to have scope for extensions. We will work on it. >> > >> >Okay. >> > >> >> > >> >> >> > >> >> >> >[1b] It may help the client to know if the flow is check pointed >> >> >> >or not, this way the client can make a decision to prioritize the >> >> >> >flows accordingly when multiple interfaces with associated PCP >> >> >> >servers are involved. >> >> >> >> >> >> Suresh> A reserve bit in the PCP response can indicate that PCP >> >> >> Suresh> server >> >> >> honored PCP checkpoint request or not. Will update the draft. >> >> >> > >> >> >> >[1c] Success or fail response ((e.g. Quota exceeded) from PCP >> >> >> >server can also help the client to remove check pointing for some >> >> >> >of the existing flows so as to check point new flows. >> >> >> Suresh> Would response to 1b handle it? >> >> > >> >> >Yes. >> >> > >> >> >> > >> >> >> >[2] This document describes a mechanism for a host to signal >>various >> >> >> > network functions' High Availability (HA) module to checkpoint >> >> >> > interested connections through PCP. >> >> >> > >> >> >> >Comment> The above line is not clear. >> >> >> >> >> >> Suresh> Not sure what is not clear, What I meant to say here is, >> >> >> Suresh> this >> >> >> document provides a mechanism to signal any network functions' >> >> >>(firewall NAT IPSec etcŠ) high availability module for >> >> >>checkpointing interested connections by host. If this is still not >> >> >>clear, can you please be more specific ? >> >> > >> >> >Client has no clue if network function have HA or not, instead let >> >> >the client just signal it's a critical flow or not. >> >> Yes, Client will indicate what flows are business critical through >>PCP. >> >> And PCP server will invoke interested network function's high >> >>availability module to checkpoint respective connection's state. >> > >> >Works for me. >> > >> >> > >> >> >> >> >> >> > >> >> >> > >> >> >> >[3] Internet service continuity is critical in service provider >> >> >> > environment. To achieve this, most service providers >> >> >> >have >> >> >>active- >> >> >> > backup systems. >> >> >> > >> >> >> >Comment> Enterprise networks also typically deploy >>Active-Standby. >> >> >> Suresh> Ok will update document. >> >> >> > >> >> >> > >> >> >> >[4] For service continuity of those connections on backup >> >> >> > when active fail, that corresponding state had to be >> >>checkpointed on >> >> >> > the backup. >> >> >> > >> >> >> >Nit> Replace "fail" with "fails" >> >> >> Suresh> ok. >> >> >> > >> >> >> >[5] Typically, this is addressed by identifying long lived >> >> >>connections >> >> >> > and checkpointing state of only those connections that >> >> >> > lived >> >> >>long >> >> >> > enough, to the backup for service continuity. >> >> >> > >> >> >> >Comment> You may want to add that identification is also done by >> >> >> >Comment> DPI, >> >> >> >which fails with encrypted traffic. >> >> >> Suresh> ok >> >> >> > >> >> >> >[6] 2. A connection may not be long lived but critical like >> >>shorter >> >> >> > phone conversations. >> >> >> > >> >> >> >Comment> Replace "phone conversation" with "VOIP conversation" >> >> >> Suresh> ok >> >> >> > >> >> >> >[7] 3. Similarly not every long lived connection need to be >> >> >>critical, >> >> >> > say a free-service connection of a hosted service need >>not be >> >> >> > checkpointed while a paid-service connection has to be >> >> >> > checkpointed. >> >> >> > >> >> >> >Comment> Why would the application client differentiate and not >> >> >> >Comment> signal >> >> >> >that it's a critical flow in both the cases. Are you envisioning >> >> >> >that the application client software makes this decision >> >> >> >internally or it involves human intervention from some UI to >> >> >> >signal to the network that it's a critical flow. >> >> > >> >> >> Suresh> Human intervention may or may not be required. What >> >> >> Suresh> involves in >> >> >> signaling is out of scope and is left for implementation. For >> >> >>example, a hosted service knows if the subscriber is a free >> >> >>subscriber or a paid subscriber. A policy may be enforced to >> >> >>automatically trigger checkpoint if the service requested is from >> >> >>a paid subscriber and not trigger if the service requested is from >> >> >>a free subscriber. >> >> > >> >> >If policy is triggered by the network automatically then what is the >> >> >need for endpoint to explicitly signal that the flow is critical or >> >> >not ? >> >> The policy referred here is not the network function policy. It is >> >>the policy in the hosted service. >> > >> >It will be good to clarify what "hosted service" means in the >> >terminology section. >> Ok >> > >> > >> >> > >> >> >> As another example, a human may be given a choice for signaling, >> >> >>just like human intervention when a location based services app is >> >> >>launched. Or in some cases application may decide. >> >> >> And, one may come up with an even smarter way of when to signal. >> >> >> So, what involves in signaling is left for implementation and is >> >> >>of scope of this document. However, I can mention the above as >> >> >>examples, if required. >> >> > >> >> >Okay. >> >> > >> >> >> > >> >> >> >[8] How would this work when PCP authentication is used ? >> >> >> >(I mean will authentication related info be also check pointed or >> >> >> >client will have to authenticate afresh when backup becomes >> >> >> >active and other related issues.) >> >> >> Suresh> I would not expect another authentication to happen. The >> >> >> implementation should ensure all the necessary state is check >> >> >> pointed on backup so that it doesn¹t need to re authenticate. >> >> > >> >> >PCP authentication has stateful information like sequence number, >> >> >which need to be synced regularly for HA to work and creates more >> >> >chatter b/w Active and Standby. >> >> >When PCP authentication is used it will be good to identify all the >> >> >relevant issues with HA. >> >> Yes, all the relevant state has to be check pointed. This happens >> >>even for IPSec, where window is check pointed periodically. >> >> > >> >> >> > >> >> >> >[9] 1. Disruption in a phone connection is not desired. >> >>Application >> >> >> > that is initiating a phone connection MUST mark connection >> >> >> > HA >> >> >>bit >> >> >> > in the header, while initiating a PCP request for >> >>checkpointing. >> >> >> > >> >> >> >Comment> Are you referring to VoIP signaling connection ? >> >> >> Suresh> I am referring to VOIP signaling and data. >> >> >> > >> >> >> >[10] 2. Similarly disruption in media streaming is not >>desired. >> >>A >> >> >>user >> >> >> > hosting a media service, MUST mark HA bit in the header >>while >> >> >> > initiating a mapping request, and MAY mark connection >> >>associated >> >> >> > with that mapping, depending on whether the connection is >> >>from a >> >> >> > paid subscriber or from a free subscriber through a PEER >> >> >>request. >> >> >> > So checkpointing mapping doesn't result in auto >> >>checkpointing of >> >> >> > connections, as it gives flexibility to the end user to >>pick >> >> >> > specific connections only to checkpoint. >> >> >> > >> >> >> >Comment> I am not sure why this distinction is required b/w free >> >> >> >Comment> and paid >> >> >> >VoIP calls, free call could also be an emergency call or >> >> >> >high-priority call. >> >> >> Suresh> In this context, media streaming refers to streaming >> >> >> Suresh> services like >> >> >> netflix, hulu, yupptv, spotify or some privately owned services >>etc. >> >> > >> >> >The content provided by these services is typically in the form of >> >> >chunks (HTTP Adaptive Streaming) and can be short-lived TCP >>sessions. >> >> >I don't see the need to checkpoint these flows. >> >> They might be short lived, but they are business critical. >> >> > >> >> > >> >> >> Yes, >> >> >> emergency calls are free and are high priority and implementor can >> >> >>always initiate checkpointing for those calls. And, I am not sure >> >> >>why you are relating them here? Am I missing something? >> >> >> > >> >> >> >6. In conjunction with NAT, other network functions that MAY >> >>maintain >> >> >> > state for each conneciton such as Stateful Firewall, IPSec, >>Load >> >> >> > balancing etc..., MAY register to PCP server, and MAY be >> >>triggered >> >> >> > for checkpointing respective state of that connection. >> >> >> > >> >> >> >Comment1> Are there stateless firewalls ? >> >> >> Suresh> Yes, simple packet filters or ASIC based firewall etcŠ >> >> >> >> >> >> >Comment 2> I did not understand this draft usage with load >> >> >> >balancers and IPSec. >> >> >> Suresh> Suppose IPSec as a gateway service along with firewall and >> >>NAT. >> >> >> IPSec may register with PCP, such that IPSec's HA module will be >> >> >>triggered by PCP server to checkpoint state associated with a >> >> >>flow, when a PCP request for that flow with HA bit set is >>received. >> >> > >> >> >Why would IPSEC care about the state associated with flows ? >> >> IPSec should care about IPSec state associated with flows right? >> >>Otherwise >> >> when master IPSec fails, and backup takes over, how would IPSec >> >>continue to secure traffic seamlessly? >> > >> >May be I am missing some detail, IPSEC HA is explained in >> >http://tools.ietf.org/html/rfc6311 and there is no discussion about >> >individual flow state. >> They talk about SA state and checkpointing of that state. SA could be >>created >> at the granularity of flows, aggregated flows. Please look at IPSec and >>Ike >> RFCs. > >Yes, SA state is check pointed periodically and the SA counter >synchronization solution is discussed in section 5 which suggests >forwarding the IPSEC counters by a large value. >I don't see a problem with the above solution which causes packets of >critical flows to be dropped when there is a fail-over. Even to negotiate the capability IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED, one has to indicate that it is is critical and so negotiate it right? > >-Tiru > >> > >> >-Tiru >> > >> >> > >> >> >-Tiru >> >> > >> >> >> Similarly for load balancing. >> >> >> > >> >> >> >Cheers, >> >> >> >-Tiru >> >> >> > >> >> >> > >> >> >> >> >> >> >> >> On 6/13/14 4:19 PM, "Suresh Kumar Vinapamula Venkata" >> >> >> >> <sureshk@juniper.net> wrote: >> >> >> >> >> >> >> >> >Hi >> >> >> >> > >> >> >> >> >This new version of draft address review comments received on >> >> >> >> >the previous version. Kindly review. >> >> >> >> >Sorry for the delay. >> >> >> >> > >> >> >> >> >Thanks >> >> >> >> >Suresh >> >> >> >> > >> >> >> >> >On 6/13/14 4:14 PM, "internet-drafts@ietf.org" >> >> >> >> ><internet-drafts@ietf.org> >> >> >> >> >wrote: >> >> >> >> > >> >> >> >> >> >> >> >> >> >>A new version of I-D, draft-vinapamula-flow-ha-01.txt has >> >> >> >> >>been successfully submitted by Suresh Vinapamula and posted >> >> >> >> >>to the IETF repository. >> >> >> >> >> >> >> >> >> >>Name: draft-vinapamula-flow-ha >> >> >> >> >>Revision: 01 >> >> >> >> >>Title: Flow high availability through PCP >> >> >> >> >>Document date: 2014-06-13 >> >> >> >> >>Group: Individual Submission >> >> >> >> >>Pages: 6 >> >> >> >> >>URL: >> >> >> >> >>http://www.ietf.org/internet-drafts/draft-vinapamula-flow-ha- >> 01. >> >> >> >> >>txt >> >> >> >> >>Status: >> >> >> >> >>https://datatracker.ietf.org/doc/draft-vinapamula-flow-ha/ >> >> >> >> >>Htmlized: >> >> >>http://tools.ietf.org/html/draft-vinapamula-flow-ha-01 >> >> >> >> >>Diff: >> >> >> >> >>http://www.ietf.org/rfcdiff?url2=draft-vinapamula-flow-ha-01 >> >> >> >> >> >> >> >> >> >>Abstract: >> >> >> >> >> This document describes a mechanism for a host to signal >> >>various >> >> >> >> >> network functions' High Availability (HA) module to >> >>checkpoint >> >> >> >> >> interested connections through PCP. >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >>Please note that it may take a couple of minutes from the >> >> >> >> >>time of submission until the htmlized version and diff are >> >> >> >> >>available at tools.ietf.org. >> >> >> >> >> >> >> >> >> >>The IETF Secretariat >> >> >> >> >> >> >> >> >> > >> >> >> >> >_______________________________________________ >> >> >> >> >pcp mailing list >> >> >> >> >pcp@ietf.org >> >> >> >> >https://www.ietf.org/mailman/listinfo/pcp >> >> >> > >> >> > >> > >
- [pcp] FW: New Version Notification for draft-vina… Suresh Kumar Vinapamula Venkata
- Re: [pcp] FW: New Version Notification for draft-… Tirumaleswar Reddy (tireddy)
- Re: [pcp] FW: New Version Notification for draft-… Suresh Kumar Vinapamula Venkata
- Re: [pcp] FW: New Version Notification for draft-… Tirumaleswar Reddy (tireddy)
- Re: [pcp] FW: New Version Notification for draft-… Suresh Kumar Vinapamula Venkata
- Re: [pcp] FW: New Version Notification for draft-… Tirumaleswar Reddy (tireddy)
- Re: [pcp] FW: New Version Notification for draft-… Suresh Kumar Vinapamula Venkata
- Re: [pcp] FW: New Version Notification for draft-… mohamed.boucadair
- Re: [pcp] FW: New Version Notification for draft-… Suresh Kumar Vinapamula Venkata
- Re: [pcp] FW: New Version Notification for draft-… Tirumaleswar Reddy (tireddy)
- Re: [pcp] FW: New Version Notification for draft-… Suresh Kumar Vinapamula Venkata
- Re: [pcp] FW: New Version Notification for draft-… Tirumaleswar Reddy (tireddy)
- Re: [pcp] FW: New Version Notification for draft-… Suresh Kumar Vinapamula Venkata