Re: Zaheduzzaman Sarker's Discuss on draft-ietf-bfd-unaffiliated-echo-12: (with DISCUSS and COMMENT)

xiao.min2@zte.com.cn Mon, 21 October 2024 06:24 UTC

Return-Path: <xiao.min2@zte.com.cn>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE9EEC1E6426; Sun, 20 Oct 2024 23:24:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nuxDnn1T6SrU; Sun, 20 Oct 2024 23:24:10 -0700 (PDT)
Received: from mxhk.zte.com.cn (mxhk.zte.com.cn [63.216.63.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A17A9C14F6FF; Sun, 20 Oct 2024 23:24:05 -0700 (PDT)
Received: from mxct.zte.com.cn (unknown [192.168.251.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mxhk.zte.com.cn (FangMail) with ESMTPS id 4XX4yS44dmz5B1KR; Mon, 21 Oct 2024 14:24:00 +0800 (CST)
Received: from mse-fl2.zte.com.cn (unknown [10.5.228.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mxct.zte.com.cn (FangMail) with ESMTPS id 4XX4xq5lVzz510b6; Mon, 21 Oct 2024 14:23:27 +0800 (CST)
Received: from njb2app06.zte.com.cn ([10.55.23.119]) by mse-fl2.zte.com.cn with SMTP id 49L6N7D6085775; Mon, 21 Oct 2024 14:23:07 +0800 (+08) (envelope-from xiao.min2@zte.com.cn)
Received: from mapi (njb2app06[null]) by mapi (Zmail) with MAPI id mid201; Mon, 21 Oct 2024 14:23:09 +0800 (CST)
Date: Mon, 21 Oct 2024 14:23:09 +0800
X-Zmail-TransId: 2afe6715f34dffffffffaec-69f15
X-Mailer: Zmail v1.0
Message-ID: <20241021142309180BF8uKkpZNxJP9Z3mF6qUR@zte.com.cn>
In-Reply-To: <CAEh=tcdnyeZdg2zuX+Hc7TNDbG1Q4jpP27TXThCZ-FDxUuqG=g@mail.gmail.com>
References: 172916955050.1346853.15954860630215626238@dt-datatracker-78dc5ccf94-w8wgc,84FCAC35-D8DE-4B2B-BC08-7AC2E8C611B8@pfrc.org,CAEh=tcdnyeZdg2zuX+Hc7TNDbG1Q4jpP27TXThCZ-FDxUuqG=g@mail.gmail.com
Mime-Version: 1.0
From: xiao.min2@zte.com.cn
To: zahed.sarker.ietf@gmail.com
Subject: Re: Zaheduzzaman Sarker's Discuss on draft-ietf-bfd-unaffiliated-echo-12: (with DISCUSS and COMMENT)
Content-Type: multipart/mixed; boundary="=====_001_next====="
X-MAIL: mse-fl2.zte.com.cn 49L6N7D6085775
X-Fangmail-Anti-Spam-Filtered: true
X-Fangmail-MID-QID: 6715F380.001/4XX4yS44dmz5B1KR
Message-ID-Hash: 3EOZFEJAAOFO2EAINFNL2TXKN2MJCDJ3
X-Message-ID-Hash: 3EOZFEJAAOFO2EAINFNL2TXKN2MJCDJ3
X-MailFrom: xiao.min2@zte.com.cn
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rtg-bfd.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: iesg@ietf.org, draft-ietf-bfd-unaffiliated-echo@ietf.org, bfd-chairs@ietf.org, rtg-bfd@ietf.org, trammell@google.com
X-Mailman-Version: 3.3.9rc6
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection" <rtg-bfd.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/87izGm_Pdozqi59aCxP4F1pRUWk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Owner: <mailto:rtg-bfd-owner@ietf.org>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Subscribe: <mailto:rtg-bfd-join@ietf.org>
List-Unsubscribe: <mailto:rtg-bfd-leave@ietf.org>

Hi Zahed, Jeff,

I'm following your discussion.
As Jeff noted, I'll handle the proposed text change.
Please see inline.

Original


From: ZaheduzzamanSarker <zahed.sarker.ietf@gmail.com>
To: Jeffrey Haas <jhaas@pfrc.org>;
Cc: The IESG <iesg@ietf.org>;draft-ietf-bfd-unaffiliated-echo@ietf.org <draft-ietf-bfd-unaffiliated-echo@ietf.org>;bfd-chairs@ietf.org <bfd-chairs@ietf.org>;rtg-bfd@ietf.org <rtg-bfd@ietf.org>;trammell@google.com <trammell@google.com>;
Date: 2024年10月19日 01:21
Subject: Re: Zaheduzzaman Sarker's Discuss on draft-ietf-bfd-unaffiliated-echo-12: (with DISCUSS and COMMENT)






On Thu, Oct 17, 2024 at 3:49 PM Jeffrey Haas <jhaas@pfrc.org> wrote:

Zahed,
 
 
 > On Oct 17, 2024, at 8:52 AM, Zaheduzzaman Sarker via Datatracker <noreply@ietf.org> wrote:
 > ----------------------------------------------------------------------
 > DISCUSS:
 > ----------------------------------------------------------------------
 > 
 > Thanks for working on this specificaition. This is an interesting protocol to
 > enable system to loopback packets to itself.
 > 
 > [...]
 
 > I am holding a discuss on the relaxation of congestion control statements in
 > the operational considerations. I think it is very important that we explain
 > the reason better on why we are relaxing that requirement on BFD session ( but
 > not session) in this specification.
 > 
 > [...]
 
 >  and this specification says
 > 
 >      All Operational Considerations from [RFC5880] apply, except that the
 >     Unaffiliated BFD Echo can only be used across one hop, which result in
 >     unnecessity of a congestion control mechanism.
 > 
 >   It seems like this specification is relaxing the congestion control
 >  requirements without really explaining why it is an exception from what is a
 >  SHOULD in RFC 5880, even for single hop. Note that RFC 8085 cprovides
 >  congestion control guidelines for protocol that uses UDP. I understand that
 >  there is a periodicity and configured value to send the BFD Echo packets,
 >  still that does not automatically result in unnecessity of a congestion
 >  control requirement for UDP traffic, especially when RFC 5880 also says the
 >  congestion is not only a traffic phenomenon. I was expecting more explanation
 >  of this exception ( this was also brought up by the TSVART review ) and
 >  potential operation impacts as RFC 5880 also indicates the effects can be
 >  catastrophic.
 
 This sentence, which is admittedly a bit vague, seems only to be causing confusion and grief.  Would dropping it make these concerns go away?
 
 Note, keeping or dropping it doesn't really change anything.  Two things are going on here:
 
 1. Since this mechanism leverages existing BFD machinery, particularly periodic pacing of traffic based on configuration, there's no real "congestion control" present. That's true even in the base BFD protocol.  If the session is unable to sustain the paced traffic, the session drops because some combination of link or protocol resources is unable to sustain it.  In such cases, "works as designed". 
 2. The Echo mechanism in the base BFD protocol gave zero guarantees about any sort of congestion control to start with.  All behavior was locally chosen.  But similar to 1, above, since the point is to determine if the link is up and providing bidirectional connectivity, doing Bad Things to it doesn't make sense.
 
 In particular, this document's recommendations to leverage the existing BFD machinery toward Echo makes for a better behaved system rather than the less specified "do as you like" in RFC 5880.
 
 Thus, the sentence adds no deep clarity, nor its absence removes any real considerations.

You are saying the pacing works in a way that guarantees no congestion on the path, and that covers both traffic on the wire and computational considerations, right? Also if the sender of echo packets not receiving anything back for whatever reasons the session is dropped.

In that case, can we add a summary of what you just wrote above and drop the last part of  the sentence under question?


Perhaps the following: 

    All Operational Considerations from [RFC5880] apply. Since this mechanism leverages existing BFD machinery, particularly periodic pacing of traffic based on configuration, there's no real possibility to create congestion. Moreover, creating congestion would be counter productive to check the bidirectional connectivity. 
[XM]>>> To my understanding, BFD congestion control (Section 7 of RFC 5880) relies on BFD timer negotiation (Section 6.8.2 of RFC 5880). So propose to change the text as you suggested with small tweaks.
OLD
 All Operational Considerations from [RFC5880] apply, except that the
 Unaffiliated BFD Echo can only be used across one hop, which result
 in unneccessity of a congestion control mechanism.NEW
 All Operational Considerations from [RFC5880] apply. Since this mechanism leverages existing BFD machinery, at the same time removing BFD timer negotiation and being based on configuration, there's no real possibility to perform congestion control. Moreover, creating congestion would be counterproductive to check the bidirectional connectivity. END 



 > ----------------------------------------------------------------------
 > COMMENT:
 > ----------------------------------------------------------------------
 > 
 > I have further comments below as I believe when addressed that will improve the
 > specification description -
 > 
 > # Section 1 : I don't quite get this statement
 > 
 >    This document updates [RFC5880] by defining a new method of BFD Echo-Only
 >    without requiring an implementation to support the full BFD protocol.
 
 The intent here is to cover the one-sidedness of the mechanism.  Did you have any suggested text changes to clarify that?

I see. even if this might be obvious to the experts I would still rewrite it as 

      This document updates [RFC5880] by defining a new method of BFD Echo-Only
       which only impacts the BFD Echo sender without requiring an implementation to 
       support the BFD protocol at the loop-back device, such that any IP forwarder
       can loop-back the BFD Echo packets. 
[XM]>>> OK. Will change the text as you suggested.


 > 
 >  Does this mean any IP packet forwarder can be Device B in figure 1?
 
 Any forwarder.

Then we should call the Device B as a regular IP forwarder without associating it to BFD terminology.

OLD:

   As shown in Figure 1, device A supports BFD, whereas device B does not support BFD

NEW: 
   As shown in Figure 1, device A supports BFD, whereas device B is a regular IP forwarder that does not support BFD
 [XM]>>> LGTM. Will use it.
 > or the
 >  device B actually needs to implement RFC5880 partially.
 
 Device B only loops packets.  It may be completely ignorant of the BFD protocol, and that is the purpose of this mechanism.
 
 > In the description of
 >  Figure 1 , it says Device B does not support BFD. So to me, Device B can be
 >  anything that understands IP forwarding, is it?
 > 
 > # Section 5 : it is not clear to me if Device B (loop-back device) in figure 1
 > does not support BFD then how it can provide the authentication as per RFC
 > 8550. I think we should say that for authentication the loop-back device needs
 > to support RFC 5880.
 
 Device B only provides loopback support.  All authentication is isolated to device A which implements this mechanism.
 
 Reviewing section 5, the intent here is to cover attacks where the active attacker spoofs traffic targeting Device A by sending them through the loopback Device B.  Authentication prevents Device A from being susceptible to that attack.
 
 What text would you prefer to see instead?

The whole point is, it was not super clear just from this specification that all the updates, related mechanisms, and considerations in this specification only impact Device A that supports BFD and does not impact Device B. If  we make that clear early in the document then it will address the confusions. I have proposed changes in the introduction above, that explicitness should clarify things, at least for me.
[XM]>>> Thank you for the suggestions!

Cheers,
Xiao Min

//Zahed
 
 -- jeff
 
 
 > 
 >