IETF Logo Mail Archive

Re: Mirja Kühlewind's Discuss on draft-ietf-bfd-seamless-base-09: (with DISCUSS)

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Wed, 04 May 2016 14:33 UTC

Return-Path: <cpignata@cisco.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9041412D540; Wed, 4 May 2016 07:33:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.516
X-Spam-Level:
X-Spam-Status: No, score=-15.516 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y2AuiP6BRI0g; Wed, 4 May 2016 07:33:52 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BF1E12D6B0; Wed, 4 May 2016 07:33:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=34390; q=dns/txt; s=iport; t=1462372432; x=1463582032; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=Eshu19X2f9ZdSnuLtZve6ofLj8fFjJklaZUwvIDLlpQ=; b=SQCxxwTiV0cBDuEX+TPnF1lWL9awhTh0RxogkKg4iJIfGuGVk4Zyd4oz mgn4ZjQc9vuA6WqB06YXGIdnDoyke6z61wHeqMtOF4ll+/golPoN1VvSh 8mh+eFhVon7G6z9N/DrwoupRR2WaJ9ntKZeSs7aCYHnuptTqRlRooloQM U=;
X-Files: signature.asc : 841
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CvAwDzBypX/5JdJa1UCoJsTFMtAU8GtTSCH4IPDoF1IoVuAoE0OBQBAQEBAQEBZSeEQQEBAQMBI1YFCwIBCBggAQkCAjIaCwIEDgUOiBQIDqwYkRcBAQEBAQEBAQEBAQEBAQEBAQEBAQENBASGIIF2gleEEQYFBgEGgxYrgi4Fh3iLLIR1AYMngWdtiByBaIRNiF6JQoVxAR4BQ4I2gTVsAYZ+CBcffwEBAQ
X-IronPort-AV: E=Sophos;i="5.24,577,1454976000"; d="asc'?scan'208,217";a="99004132"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 May 2016 14:33:50 +0000
Received: from XCH-RTP-002.cisco.com (xch-rtp-002.cisco.com [64.101.220.142]) by rcdn-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id u44EXoUi019766 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 4 May 2016 14:33:50 GMT
Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-002.cisco.com (64.101.220.142) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 4 May 2016 10:33:49 -0400
Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1104.009; Wed, 4 May 2016 10:33:49 -0400
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
Subject: Re: Mirja Kühlewind's Discuss on draft-ietf-bfd-seamless-base-09: (with DISCUSS)
Thread-Topic: Mirja Kühlewind's Discuss on draft-ietf-bfd-seamless-base-09: (with DISCUSS)
Thread-Index: AQHRpR8YB75iFhnPVECZQ0i//enE0Z+ne5KAgAAvsACAAA7wAIABXPwAgAAFk4A=
Date: Wed, 04 May 2016 14:33:49 +0000
Message-ID: <2129C9FD-F4C4-4C2D-B3E9-369A754163A4@cisco.com>
References: <20160503093512.7446.68991.idtracker@ietfa.amsl.com> <EC687254-EEDA-4EFF-B01B-757449183CED@cisco.com> <1EB9BDDB-483F-48BC-9D2F-D68E6ACA285E@kuehlewind.net> <BB0CE67E-0DA4-420B-AE8D-4F39BDE05D55@cisco.com> <ABC84681-A58E-44B9-9E32-50EB22403603@kuehlewind.net>
In-Reply-To: <ABC84681-A58E-44B9-9E32-50EB22403603@kuehlewind.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.150.49.250]
Content-Type: multipart/signed; boundary="Apple-Mail=_54959E82-5E16-4867-99D7-2079CEBFCDC2"; protocol="application/pgp-signature"; micalg="pgp-sha256"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtg-bfd/WiujMPkYCzL0LQXLgXsiNL1CGHQ>
Cc: The IESG <iesg@ietf.org>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>, "draft-ietf-bfd-seamless-base@ietf.org" <draft-ietf-bfd-seamless-base@ietf.org>, "bfd-chairs@ietf.org" <bfd-chairs@ietf.org>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2016 14:33:55 -0000

Thanks much for the response, Mirja!

I think we are converging, please see inline.

> On May 4, 2016, at 10:13 AM, Mirja Kuehlewind (IETF) <ietf@kuehlewind.net> wrote:
> 
> Hi Carlos,
> 
> see below.
> 
>> Am 03.05.2016 um 19:24 schrieb Carlos Pignataro (cpignata) <cpignata@cisco.com>:
>> 
>> Hi, Mirja,
>> 
>>> On May 3, 2016, at 12:31 PM, Mirja Kuehlewind (IETF) <ietf@kuehlewind.net> wrote:
>>> 
>>> Hi Carlos,
>>> 
>>> 
>>>> Am 03.05.2016 um 15:40 schrieb Carlos Pignataro (cpignata) <cpignata@cisco.com>:
>>>> 
>>>> Hi, Mirja,
>>>> 
>>>> What is an uncontrolled packet in an IP network, and what entity controls controlled ones? :-)
>>> 
>>> Questions over questions… :-)
>>> 
>>> See below...
>>> 
>>>> 
>>>> More seriously, please see inline.
>>>> 
>>>>> On May 3, 2016, at 5:35 AM, Mirja Kuehlewind <ietf@kuehlewind.net> wrote:
>>>>> 
>>>>> Mirja Kühlewind has entered the following ballot position for
>>>>> draft-ietf-bfd-seamless-base-09: Discuss
>>>>> 
>>>>> When responding, please keep the subject line intact and reply to all
>>>>> email addresses included in the To and CC lines. (Feel free to cut this
>>>>> introductory paragraph, however.)
>>>>> 
>>>>> 
>>>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>> 
>>>>> 
>>>>> The document, along with other ballot positions, can be found here:
>>>>> https://datatracker.ietf.org/doc/draft-ietf-bfd-seamless-base/
>>>>> 
>>>>> 
>>>>> 
>>>>> ----------------------------------------------------------------------
>>>>> DISCUSS:
>>>>> ----------------------------------------------------------------------
>>>>> 
>>>>> As S-BFD has no initiation process anymore it is not guarenteed that the
>>>>> receiver/responder actually exists. That means that packets could float
>>>>> (uncontrolled) in the network or even outside of the adminstrative domain
>>>>> (e.g. due to configuration mistakes). From my point of view this document
>>>>> should recommend/require two things:
>>>>> 
>>>> 
>>>> We have called out the misconfiguration — however:
>>>> 
>>>>> 1) A maximum number of S-BFD packet that is allow to be send without
>>>>> getting a response (maybe leading to a local error report).
>>>>> 
>>>> 
>>>> This can result in a deadlock situation, if an S-BFD Reflector is enabled much later. I’m very hesitant to cap the packets sent. We can, and I think it is useful, MAY log an error for multiple timeouts.
>>> 
>>> Okay, I understand that a hard limit probably does make sense. An error log seems definitely useful.
>> 
>> OK, that sounds good. See below.
>> 
>>> Another proposal for consideration: Currently the draft says an initiator should only send one packet per second if the target is in ADMINDOWN state. In this case there this state is explicit announced. However if the other end just disappears or was never/not yet there, one could use an exponential back off instead, starting with a smaller intervals than one second but then increase it exponentially. Just an idea...
>> 
>> Thanks for the proposal. Please have in mind however that this is a protocol for detecting liveness (and lack of it), so increasing exponentially defeats the purpose.
>> 
>> Further, exponential back off may not be the best choice when interacting with routing protocols.
>> 
>> What we currently say is:
>>     The criteria for declaring loss of
>>     reachability and the action that would be triggered as a result
>>     are outside the scope of this document.
>> 
>> As much of these are implementation choices.
>> 
>> But we can add at the end “, and MAY include logging an error.“
> 
> Please do so.

Done.

> 
>>> 
>>>> 
>>>>> 2) Egress filtering at the adminstrative border of the domain that uses
>>>>> S-BFD to make sure that no S-BFD packets leave the domain.
>>>>> 
>>>> 
>>>> This is no different than any other application that uses UDP; a misconfigured DNS server will result in the same, and a traceroute is also not too different. This seems too onerous of a requirement. An administrative domain filters at ingress.
>>> 
>>> First of all, just because other protocols might have such a problem, that does mean it’s okay.
>> 
>> I agree with this. I had a different point in mind though — trying to specify this on every UDP application might not be the most effective way. Perhaps there’s a UDP guideline you are uncovering.
>> 
>>> However, correctly me if I’m wrong, but there the situation seems slightly different because there is no termination criterium at all that means an s-bfd node would send useless data forever (… until manual change of the config).
>>> 
>> 
>> But as far as this doc is concerned, let me try to make some clarifications (and a correction).
>> 
>> There are termination criteria — the document says:
>> 
>>  An SBFDInitiator may be a persistent session on the initiator with a
>>  timer for S-BFD control packet transmissions (stateful
>>  SBFDInitiator).  An SBFDInitiator may also be a module, a script or a
>>  tool on the initiator that transmits one or more S-BFD control
>>  packets "when needed" (stateless SBFDInitiator).
>> 
>> For the case in which you have a “when needed” SBFDInitiator, the workflow is like a “ping”.
>> 
>> For the case in which you have a “persistent" SBFDInitiator, in theory this can run forever (for some value of ever). However, please don’t loose track of why this protocol exists. Having OAM failures and do nothing about it defeats the purpose of having OAM. Meaning, a red alarm will blink, a honk will horn, and the config state will be changed (manually or by some support system).
>> 
>> In other words, I do not think this is such a unique case (insofar as running ad-infinutum).
> 
> I still believe that the case where you have a misconfiguration and the initiator sends packets (forever) but never ever gest a reply (and never has seen a reply in the past), is a different case and can be detected and handled separately.
> 

Again, I would not qualify this as ‘forever’, but I understand what you mean.

>> 
>>> I still believe that egress filtering would be more appropriate here (than ingress) because the domain that is using s-bfd knows about it and therefor can set up the respective filters and should not spam others while hoping that filters are in place.
>>> 
>> 
>> To me, there is no insignificant operational complexity with requiring the addition of filters throughout, for one particular application not leaking (where the leak does not cause anything special), and when the leak might happen because of a misconfiguration (or bug) but will be detected by the operational support systems. The ROI does not seem to add up.
> 
> Okay the document should probably not require egress filtering in any case but what’s about saying something like:
> 
> „If S-BFD is used it SHOULD be ensured that S-BFD control packet do not propagate outside of the administrative domain that uses it.“
> 

We can add an additional explanation of the problem before a statement, but I do not think that particular SHOULD is actionable. How’s something like:

Explain that without handshake, a persistent initiator can send blindly, to then add “In such case, operational measures SHOULD be taken to identify if S-BFD packets are not responded to for an extended period of time, and remediate the situation”

> This is not an uncommon thing to specify also for other protocols.
> 

I agree. Frankly, I am happy with either statement, but I think the latter might be more operationally actionable.

Preference?

Thanks,

— Carlos.

> Mirja
> 
> 
>> 
>> Does the explanation of the termination criteria help?
>> 
>>>> 
>>>> Seems to me the logging will alert someone/something to take action, and should be enough.
>>> 
>>> Logging plus alerts is definitely a good thing.
>>> 
>> 
>> I agree.
>> 
>> Will add “, and MAY include logging an error.” as per above.
>> 
>> Do you think we should expand on this somewhere else in the document?
>> 
>> Thanks,
>> 
>> — Carlos.
>> 
>>> Mirja
>>> 
>>> 
>>>> 
>>>> Thoughts?
>>>> 
>>>> Thanks,
>>>> 
>>>> — Carlos.

v2.23.0 | Report a Bug | By Email