Re: [pcp] FW: New Version Notification for draft-vinapamula-flow-ha-01.txt

[Suresh Kumar Vinapamula Venkata <sureshk@juniper.net>]

On 8/12/14 1:35 AM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
wrote:

>> -----Original Message-----
>> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net]
>> Sent: Tuesday, August 12, 2014 12:06 AM
>> To: Tirumaleswar Reddy (tireddy)
>> Cc: pcp@ietf.org
>> Subject: Re: [pcp] FW: New Version Notification for
>>draft-vinapamula-flow-
>> ha-01.txt
>> 
>> Thanks for your comments. Please see inline.
>> 
>> On 8/8/14 1:22 AM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
>> wrote:
>> 
>> >Hi Suresh,
>> >
>> >Comments:
>> >
>> >[1] What is the reason for updating the reserved field in the PCP
>> >Common Request Packet Format ?
>> >A new PCP option can also be defined to signal if it's a critical flow
>> >or not.
>> 
>> Suresh> Yes, a PCP option can also be used and we thought about it. We
>> were debating if option would be an overkill, as there is nothing
>>negotiated
>> unlike other options, while indicating checkpointing. We are debating
>>on the
>> use cases where bit is not sufficient and an option is required. Please
>>let us
>> know if you think of cases where bit will not work.
>
>A new PCP option will help to add more fields for future use cases.
I am not sure what fields can be added for future use. I agree it is
better to have scope for extensions. We will work on it.
>
>> >
>> >[1b] It may help the client to know if the flow is check pointed or
>> >not, this way the client can make a decision to prioritize the flows
>> >accordingly when multiple interfaces with associated PCP servers are
>> >involved.
>> 
>> Suresh> A reserve bit in the PCP response can indicate that PCP server
>> honored PCP checkpoint request or not. Will update the draft.
>> >
>> >[1c] Success or fail response ((e.g. Quota exceeded) from PCP server
>> >can also help the client to remove check pointing for some of the
>> >existing flows so as to check point new flows.
>> Suresh> Would response to 1b handle it?
>
>Yes.
>
>> >
>> >[2] This document describes a mechanism for a host to signal various
>> >   network functions' High Availability (HA) module to checkpoint
>> >   interested connections through PCP.
>> >
>> >Comment> The above line is not clear.
>> 
>> Suresh> Not sure what is not clear, What I meant to say here is, this
>> document provides a mechanism to signal any network functions' (firewall
>> NAT IPSec etcŠ) high availability module for checkpointing interested
>> connections by host. If this is still not clear, can you please be more
>>specific ?
>
>Client has no clue if network function have HA or not, instead let the
>client just signal
>it's a critical flow or not.
Yes, Client will indicate what flows are business critical through PCP.
And PCP server will invoke interested network function's high availability
module to checkpoint respective connection's state.
> 
>> 
>> >
>> >
>> >[3]   Internet service continuity is critical in service provider
>> >        environment.  To achieve this, most service providers have
>>active-
>> >        backup systems.
>> >
>> >Comment> Enterprise networks also typically deploy Active-Standby.
>> Suresh> Ok will update document.
>> >
>> >
>> >[4] For service continuity of those connections on backup
>> >   when active fail, that corresponding state had to be checkpointed on
>> >   the backup.
>> >
>> >Nit> Replace "fail" with "fails"
>> Suresh> ok.
>> >
>> >[5]   Typically, this is addressed by identifying long lived
>>connections
>> >        and checkpointing state of only those connections that lived
>>long
>> >         enough, to the backup for service continuity.
>> >
>> >Comment> You may want to add that identification is also done by DPI,
>> >which fails with encrypted traffic.
>> Suresh> ok
>> >
>> >[6]   2.  A connection may not be long lived but critical like shorter
>> >       phone conversations.
>> >
>> >Comment> Replace "phone conversation" with "VOIP conversation"
>> Suresh> ok
>> >
>> >[7]     3.  Similarly not every long lived connection need to be
>>critical,
>> >       say a free-service connection of a hosted service need not be
>> >       checkpointed while a paid-service connection has to be
>> >       checkpointed.
>> >
>> >Comment> Why would the application client differentiate and not signal
>> >that it's a critical flow in both the cases. Are you envisioning that
>> >the application client software makes this decision internally or it
>> >involves human intervention from some UI to signal to the network that
>> >it's a critical flow.
>
>> Suresh> Human intervention may or may not be required. What involves in
>> signaling is out of scope and is left for implementation. For example, a
>> hosted service knows if the subscriber is a free subscriber or a paid
>> subscriber. A policy may be enforced to automatically trigger
>>checkpoint if
>> the service requested is from a paid subscriber and not trigger if the
>>service
>> requested is from a free subscriber.
>
>If policy is triggered by the network automatically then
>what is the need for endpoint to explicitly signal that the flow is
>critical or not ?
The policy referred here is not the network function policy. It is the
policy in the hosted service.
>
>> As another example, a human may be
>> given a choice for signaling, just like human intervention when a
>>location
>> based services app is launched. Or in some cases application may decide.
>> And, one may come up with an even smarter way of when to signal.
>> So, what involves in signaling is left for implementation and is of
>>scope of this
>> document. However, I can mention the above as examples, if required.
>
>Okay.
>
>> >
>> >[8] How would this work when PCP authentication is used ?
>> >(I mean will authentication related info be also check pointed or
>> >client will have to authenticate afresh when backup becomes active and
>> >other related issues.)
>> Suresh> I would not expect another authentication to happen. The
>> implementation should ensure all the necessary state is check pointed on
>> backup so that it doesn¹t need to re authenticate.
>
>PCP authentication has stateful information like sequence number, which
>need to be synced regularly for HA to work and creates more chatter b/w
>Active and Standby.
>When PCP authentication is used it will be good to identify all the
>relevant issues with HA.
Yes, all the relevant state has to be check pointed. This happens even for
IPSec, where window is check pointed periodically.
>
>> >
>> >[9]   1.  Disruption in a phone connection is not desired.  Application
>> >       that is initiating a phone connection MUST mark connection HA
>>bit
>> >       in the header, while initiating a PCP request for checkpointing.
>> >
>> >Comment> Are you referring to VoIP signaling connection ?
>> Suresh> I am referring to VOIP signaling and data.
>> >
>> >[10]   2.  Similarly disruption in media streaming is not desired.  A
>>user
>> >       hosting a media service, MUST mark HA bit in the header while
>> >       initiating a mapping request, and MAY mark connection associated
>> >       with that mapping, depending on whether the connection is from a
>> >       paid subscriber or from a free subscriber through a PEER
>>request.
>> >       So checkpointing mapping doesn't result in auto checkpointing of
>> >       connections, as it gives flexibility to the end user to pick
>> >       specific connections only to checkpoint.
>> >
>> >Comment> I am not sure why this distinction is required b/w free and
>> >Comment> paid
>> >VoIP calls, free call could also be an emergency call or high-priority
>> >call.
>> Suresh> In this context, media streaming refers to streaming services
>> Suresh> like
>> netflix, hulu, yupptv, spotify or some privately owned services etc.
>
>The content provided by these services is typically in the form of chunks
>(HTTP Adaptive Streaming) and can be short-lived TCP sessions.
>I don't see the need to checkpoint these flows.
They might be short lived, but they are business critical.
>
>
>> Yes,
>> emergency calls are free and are high priority and implementor can
>>always
>> initiate checkpointing for those calls. And, I am not sure why you are
>>relating
>> them here? Am I missing something?
>> >
>> >6.   In conjunction with NAT, other network functions that MAY maintain
>> >   state for each conneciton such as Stateful Firewall, IPSec, Load
>> >   balancing etc..., MAY register to PCP server, and MAY be triggered
>> >   for checkpointing respective state of that connection.
>> >
>> >Comment1> Are there stateless firewalls ?
>> Suresh> Yes, simple packet filters or ASIC based firewall etcŠ
>> 
>> >Comment 2> I did not understand this draft usage with load balancers
>> >and IPSec.
>> Suresh> Suppose IPSec as a gateway service along with firewall and NAT.
>> IPSec may register with PCP, such that IPSec's HA module will be
>>triggered by
>> PCP server to checkpoint state associated with a flow, when a PCP
>>request for
>> that flow with HA bit set is received.
>
>Why would IPSEC care about the state associated with flows ?
IPSec should care about IPSec state associated with flows right? Otherwise
when master IPSec fails, and backup takes over, how would IPSec continue
to secure traffic seamlessly?
>
>-Tiru
>
>> Similarly for load balancing.
>> >
>> >Cheers,
>> >-Tiru
>> >
>> >
>> >>
>> >> On 6/13/14 4:19 PM, "Suresh Kumar Vinapamula Venkata"
>> >> <sureshk@juniper.net> wrote:
>> >>
>> >> >Hi
>> >> >
>> >> >This new version of draft address review comments received on the
>> >> >previous version. Kindly review.
>> >> >Sorry for the delay.
>> >> >
>> >> >Thanks
>> >> >Suresh
>> >> >
>> >> >On 6/13/14 4:14 PM, "internet-drafts@ietf.org"
>> >> ><internet-drafts@ietf.org>
>> >> >wrote:
>> >> >
>> >> >>
>> >> >>A new version of I-D, draft-vinapamula-flow-ha-01.txt has been
>> >> >>successfully submitted by Suresh Vinapamula and posted to the IETF
>> >> >>repository.
>> >> >>
>> >> >>Name:		draft-vinapamula-flow-ha
>> >> >>Revision:	01
>> >> >>Title:		Flow high availability through PCP
>> >> >>Document date:	2014-06-13
>> >> >>Group:		Individual Submission
>> >> >>Pages:		6
>> >> >>URL:
>> >> >>http://www.ietf.org/internet-drafts/draft-vinapamula-flow-ha-01.txt
>> >> >>Status:
>> >> >>https://datatracker.ietf.org/doc/draft-vinapamula-flow-ha/
>> >> >>Htmlized:  
>>http://tools.ietf.org/html/draft-vinapamula-flow-ha-01
>> >> >>Diff:
>> >> >>http://www.ietf.org/rfcdiff?url2=draft-vinapamula-flow-ha-01
>> >> >>
>> >> >>Abstract:
>> >> >>   This document describes a mechanism for a host to signal various
>> >> >>   network functions' High Availability (HA) module to checkpoint
>> >> >>   interested connections through PCP.
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >>Please note that it may take a couple of minutes from the time of
>> >> >>submission until the htmlized version and diff are available at
>> >> >>tools.ietf.org.
>> >> >>
>> >> >>The IETF Secretariat
>> >> >>
>> >> >
>> >> >_______________________________________________
>> >> >pcp mailing list
>> >> >pcp@ietf.org
>> >> >https://www.ietf.org/mailman/listinfo/pcp
>> >
>