Re: [pcp] FW: New Version Notification for draft-vinapamula-flow-ha-01.txt

["Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>]

> -----Original Message-----
> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net]
> Sent: Tuesday, August 12, 2014 12:06 AM
> To: Tirumaleswar Reddy (tireddy)
> Cc: pcp@ietf.org
> Subject: Re: [pcp] FW: New Version Notification for draft-vinapamula-flow-
> ha-01.txt
> 
> Thanks for your comments. Please see inline.
> 
> On 8/8/14 1:22 AM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
> wrote:
> 
> >Hi Suresh,
> >
> >Comments:
> >
> >[1] What is the reason for updating the reserved field in the PCP
> >Common Request Packet Format ?
> >A new PCP option can also be defined to signal if it's a critical flow
> >or not.
> 
> Suresh> Yes, a PCP option can also be used and we thought about it. We
> were debating if option would be an overkill, as there is nothing negotiated
> unlike other options, while indicating checkpointing. We are debating on the
> use cases where bit is not sufficient and an option is required. Please let us
> know if you think of cases where bit will not work.

A new PCP option will help to add more fields for future use cases.

> >
> >[1b] It may help the client to know if the flow is check pointed or
> >not, this way the client can make a decision to prioritize the flows
> >accordingly when multiple interfaces with associated PCP servers are
> >involved.
> 
> Suresh> A reserve bit in the PCP response can indicate that PCP server
> honored PCP checkpoint request or not. Will update the draft.
> >
> >[1c] Success or fail response ((e.g. Quota exceeded) from PCP server
> >can also help the client to remove check pointing for some of the
> >existing flows so as to check point new flows.
> Suresh> Would response to 1b handle it?

Yes.

> >
> >[2] This document describes a mechanism for a host to signal various
> >   network functions' High Availability (HA) module to checkpoint
> >   interested connections through PCP.
> >
> >Comment> The above line is not clear.
> 
> Suresh> Not sure what is not clear, What I meant to say here is, this
> document provides a mechanism to signal any network functions' (firewall
> NAT IPSec etcŠ) high availability module for checkpointing interested
> connections by host. If this is still not clear, can you please be more specific ?

Client has no clue if network function have HA or not, instead let the client just signal 
it's a critical flow or not.
 
> 
> >
> >
> >[3]   Internet service continuity is critical in service provider
> >        environment.  To achieve this, most service providers have active-
> >        backup systems.
> >
> >Comment> Enterprise networks also typically deploy Active-Standby.
> Suresh> Ok will update document.
> >
> >
> >[4] For service continuity of those connections on backup
> >   when active fail, that corresponding state had to be checkpointed on
> >   the backup.
> >
> >Nit> Replace "fail" with "fails"
> Suresh> ok.
> >
> >[5]   Typically, this is addressed by identifying long lived connections
> >        and checkpointing state of only those connections that lived long
> >         enough, to the backup for service continuity.
> >
> >Comment> You may want to add that identification is also done by DPI,
> >which fails with encrypted traffic.
> Suresh> ok
> >
> >[6]   2.  A connection may not be long lived but critical like shorter
> >       phone conversations.
> >
> >Comment> Replace "phone conversation" with "VOIP conversation"
> Suresh> ok
> >
> >[7]     3.  Similarly not every long lived connection need to be critical,
> >       say a free-service connection of a hosted service need not be
> >       checkpointed while a paid-service connection has to be
> >       checkpointed.
> >
> >Comment> Why would the application client differentiate and not signal
> >that it's a critical flow in both the cases. Are you envisioning that
> >the application client software makes this decision internally or it
> >involves human intervention from some UI to signal to the network that
> >it's a critical flow.

> Suresh> Human intervention may or may not be required. What involves in
> signaling is out of scope and is left for implementation. For example, a
> hosted service knows if the subscriber is a free subscriber or a paid
> subscriber. A policy may be enforced to automatically trigger checkpoint if
> the service requested is from a paid subscriber and not trigger if the service
> requested is from a free subscriber. 

If policy is triggered by the network automatically then 
what is the need for endpoint to explicitly signal that the flow is critical or not ?

> As another example, a human may be
> given a choice for signaling, just like human intervention when a location
> based services app is launched. Or in some cases application may decide.
> And, one may come up with an even smarter way of when to signal.
> So, what involves in signaling is left for implementation and is of scope of this
> document. However, I can mention the above as examples, if required.

Okay.

> >
> >[8] How would this work when PCP authentication is used ?
> >(I mean will authentication related info be also check pointed or
> >client will have to authenticate afresh when backup becomes active and
> >other related issues.)
> Suresh> I would not expect another authentication to happen. The
> implementation should ensure all the necessary state is check pointed on
> backup so that it doesn¹t need to re authenticate.

PCP authentication has stateful information like sequence number, which need to be synced regularly for HA to work and creates more chatter b/w Active and Standby.
When PCP authentication is used it will be good to identify all the relevant issues with HA.

> >
> >[9]   1.  Disruption in a phone connection is not desired.  Application
> >       that is initiating a phone connection MUST mark connection HA bit
> >       in the header, while initiating a PCP request for checkpointing.
> >
> >Comment> Are you referring to VoIP signaling connection ?
> Suresh> I am referring to VOIP signaling and data.
> >
> >[10]   2.  Similarly disruption in media streaming is not desired.  A user
> >       hosting a media service, MUST mark HA bit in the header while
> >       initiating a mapping request, and MAY mark connection associated
> >       with that mapping, depending on whether the connection is from a
> >       paid subscriber or from a free subscriber through a PEER request.
> >       So checkpointing mapping doesn't result in auto checkpointing of
> >       connections, as it gives flexibility to the end user to pick
> >       specific connections only to checkpoint.
> >
> >Comment> I am not sure why this distinction is required b/w free and
> >Comment> paid
> >VoIP calls, free call could also be an emergency call or high-priority
> >call.
> Suresh> In this context, media streaming refers to streaming services
> Suresh> like
> netflix, hulu, yupptv, spotify or some privately owned services etc. 

The content provided by these services is typically in the form of chunks (HTTP Adaptive Streaming) and can be short-lived TCP sessions. 
I don't see the need to checkpoint these flows.


> Yes,
> emergency calls are free and are high priority and implementor can always
> initiate checkpointing for those calls. And, I am not sure why you are relating
> them here? Am I missing something?
> >
> >6.   In conjunction with NAT, other network functions that MAY maintain
> >   state for each conneciton such as Stateful Firewall, IPSec, Load
> >   balancing etc..., MAY register to PCP server, and MAY be triggered
> >   for checkpointing respective state of that connection.
> >
> >Comment1> Are there stateless firewalls ?
> Suresh> Yes, simple packet filters or ASIC based firewall etcŠ
> 
> >Comment 2> I did not understand this draft usage with load balancers
> >and IPSec.
> Suresh> Suppose IPSec as a gateway service along with firewall and NAT.
> IPSec may register with PCP, such that IPSec's HA module will be triggered by
> PCP server to checkpoint state associated with a flow, when a PCP request for
> that flow with HA bit set is received.

Why would IPSEC care about the state associated with flows ?

-Tiru

> Similarly for load balancing.
> >
> >Cheers,
> >-Tiru
> >
> >
> >>
> >> On 6/13/14 4:19 PM, "Suresh Kumar Vinapamula Venkata"
> >> <sureshk@juniper.net> wrote:
> >>
> >> >Hi
> >> >
> >> >This new version of draft address review comments received on the
> >> >previous version. Kindly review.
> >> >Sorry for the delay.
> >> >
> >> >Thanks
> >> >Suresh
> >> >
> >> >On 6/13/14 4:14 PM, "internet-drafts@ietf.org"
> >> ><internet-drafts@ietf.org>
> >> >wrote:
> >> >
> >> >>
> >> >>A new version of I-D, draft-vinapamula-flow-ha-01.txt has been
> >> >>successfully submitted by Suresh Vinapamula and posted to the IETF
> >> >>repository.
> >> >>
> >> >>Name:		draft-vinapamula-flow-ha
> >> >>Revision:	01
> >> >>Title:		Flow high availability through PCP
> >> >>Document date:	2014-06-13
> >> >>Group:		Individual Submission
> >> >>Pages:		6
> >> >>URL:
> >> >>http://www.ietf.org/internet-drafts/draft-vinapamula-flow-ha-01.txt
> >> >>Status:
> >> >>https://datatracker.ietf.org/doc/draft-vinapamula-flow-ha/
> >> >>Htmlized:       http://tools.ietf.org/html/draft-vinapamula-flow-ha-01
> >> >>Diff:
> >> >>http://www.ietf.org/rfcdiff?url2=draft-vinapamula-flow-ha-01
> >> >>
> >> >>Abstract:
> >> >>   This document describes a mechanism for a host to signal various
> >> >>   network functions' High Availability (HA) module to checkpoint
> >> >>   interested connections through PCP.
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>Please note that it may take a couple of minutes from the time of
> >> >>submission until the htmlized version and diff are available at
> >> >>tools.ietf.org.
> >> >>
> >> >>The IETF Secretariat
> >> >>
> >> >
> >> >_______________________________________________
> >> >pcp mailing list
> >> >pcp@ietf.org
> >> >https://www.ietf.org/mailman/listinfo/pcp
> >