IETF Logo Mail Archive

Re: Resolving lingering issues with BFD authentication drafts

Jeffrey Haas <jhaas@pfrc.org> Thu, 29 February 2024 21:23 UTC

Return-Path: <jhaas@pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D3CFC14F6A8 for <rtg-bfd@ietfa.amsl.com>; Thu, 29 Feb 2024 13:23:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZjG-WUEVBTkA for <rtg-bfd@ietfa.amsl.com>; Thu, 29 Feb 2024 13:23:52 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id E641FC14F5EE for <rtg-bfd@ietf.org>; Thu, 29 Feb 2024 13:23:51 -0800 (PST)
Received: from smtpclient.apple (172-125-100-52.lightspeed.livnmi.sbcglobal.net [172.125.100.52]) by slice.pfrc.org (Postfix) with ESMTPSA id 2B7071E039; Thu, 29 Feb 2024 16:23:51 -0500 (EST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_866A062F-CB17-414B-B800-2CBD3EEB717D"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.4\))
Subject: Re: Resolving lingering issues with BFD authentication drafts
From: Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <1930332684.1428630.1709235369243@mail.yahoo.com>
Date: Thu, 29 Feb 2024 16:23:50 -0500
Cc: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
Message-Id: <B0096C18-9B25-4E2D-8B77-EA5CC44B77EF@pfrc.org>
References: <20240223213246.GA15208@pfrc.org> <1596993238.316567.1708900303895@mail.yahoo.com> <845A6BC6-DC4D-4637-9FF0-909261803845@pfrc.org> <1930332684.1428630.1709235369243@mail.yahoo.com>
To: Reshad Rahman <reshad@yahoo.com>
X-Mailer: Apple Mail (2.3696.120.41.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/2ApuwuJUaXvdVMT6RvpycvvNLL8>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Feb 2024 21:23:53 -0000

Reshad,


> On Feb 29, 2024, at 2:36 PM, Reshad Rahman <reshad@yahoo.com> wrote:
> 
> Jeff, 
> 
> The only thing I am still a bit hesitant about is delaying the notification to the BFD clients (that the session is up) until we've successfully moved to the optimized mode. It's not the actual delay, which should be short, but the fact that it's changing the BFD state machine a bit. But I don't see any other way to do this without the risk of bouncing the BFD session. 

It's worth pointing out that the "bfd holddown" features implemented by multiple vendors ALREADY does this.  And, when it's in use, the client will wait for stuff on the order of seconds to minutes for some providers.

So, while I agree that it's a change, and theoretically a scary one, it's well deployed already in some form.

In the interest of honesty, such holddown features didn't interoperate in their use terribly well and was the reason for the PROTOCOLS / clients to refine how they used BFD - hence the "strict" features.  Again, not a problem with the idea of holddown, but rather than RFC 5882 was a bit too general in its advice.


> Regarding "until we've successfully switched over to the optimized mechanism", what does a successful switch mean? Does it mean sending detect mult packets with optimized auth?

I believe it means that both sides are using the optimized mode.  It can't be only one side since the potential session drop will only happen when each side turns on optimization.

-- Jeff

v2.23.0 | Report a Bug | By Email