IETF Logo Mail Archive

Re: Resetting the sequence number in an authenticated BFD session

David Ward <dward@cisco.com> Sun, 13 January 2008 16:18 UTC

Return-path: <rtg-bfd-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JE5X8-0007D0-OY; Sun, 13 Jan 2008 11:18:02 -0500
Received: from rtg-bfd by megatron.ietf.org with local (Exim 4.43) id 1JE5X7-0007Cr-Jb for rtg-bfd-confirm+ok@megatron.ietf.org; Sun, 13 Jan 2008 11:18:01 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JE5X7-0007Cj-6K for rtg-bfd@ietf.org; Sun, 13 Jan 2008 11:18:01 -0500
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1JE5X5-00022U-7Y for rtg-bfd@ietf.org; Sun, 13 Jan 2008 11:18:01 -0500
Received: from rtp-dkim-1.cisco.com ([64.102.121.158]) by sj-iport-6.cisco.com with ESMTP; 13 Jan 2008 08:17:57 -0800
Received: from rtp-core-2.cisco.com (rtp-core-2.cisco.com [64.102.124.13]) by rtp-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id m0DGHuqY015641; Sun, 13 Jan 2008 11:17:56 -0500
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by rtp-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id m0DGHuN6022448; Sun, 13 Jan 2008 16:17:56 GMT
Received: from xmb-rtp-202.amer.cisco.com ([64.102.31.52]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 13 Jan 2008 11:17:56 -0500
Received: from [127.0.0.1] ([171.68.225.134]) by xmb-rtp-202.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 13 Jan 2008 11:17:54 -0500
In-Reply-To: <64122293A6365B4A9794DC5636F9ACFD0252D70D@ILPTEX02.ecitele.com>
References: <64122293A6365B4A9794DC5636F9ACFD0252D70A@ILPTEX02.ecitele.com> <7FA0C743C38E5340BFC2873488FA1E8E8B22F9@emailcorp3.jnpr.net> <A1C094AD-3891-4660-AE2C-DADE1FF7DD96@cisco.com> <64122293A6365B4A9794DC5636F9ACFD0252D70B@ILPTEX02.ecitele.com> <A050B43B-2ABA-4FCC-811E-2017003A1B50@cisco.com> <64122293A6365B4A9794DC5636F9ACFD0252D70D@ILPTEX02.ecitele.com>
Mime-Version: 1.0 (Apple Message framework v753)
Content-Type: multipart/alternative; boundary="Apple-Mail-2-743049712"
Message-Id: <37AA0457-0AC7-4C00-975F-96416C050870@cisco.com>
From: David Ward <dward@cisco.com>
Date: Sun, 13 Jan 2008 10:17:45 -0600
To: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>
X-Mailer: Apple Mail (2.753)
X-OriginalArrivalTime: 13 Jan 2008 16:17:54.0462 (UTC) FILETIME=[DA2023E0:01C855FF]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=24369; t=1200241076; x=1201105076; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dward@cisco.com; z=From:=20David=20Ward=20<dward@cisco.com> |Subject:=20Re=3A=20Resetting=20the=20sequence=20number=20i n=20an=20authenticated=20BFD=20session |Sender:=20 |To:=20Alexander=20Vainshtein=20<Alexander.Vainshtein@ecite le.com>; bh=HNsF/XrxfhM5XciKw4PofRb23hK5ELSkgwIobW6B6IE=; b=BzFrSJG6Lf1DfvotHf0VDSQTtYkxBBAzWE8FVTi/08wQOf/evcX8mXVo/3 8NKu6IOpK4yNL8OlOjY9RlMrmDmO3DBEgKguk/Kuwg7SQ3JrBf4wdiksDXa/ 916dNR8MWR;
Authentication-Results: rtp-dkim-1; header.From=dward@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: ba9cd4f9acda58dbe142afff7265daff
Cc: Ronen Sommer <Ronen.Sommer@ecitele.com>, Dave Katz <dkatz@juniper.net>, Igor Danilovich <Igor.Danilovich@ecitele.com>, David Ward <dward@cisco.com>, BFD WG <rtg-bfd@ietf.org>
Subject: Re: Resetting the sequence number in an authenticated BFD session
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
Errors-To: rtg-bfd-bounces@ietf.org

Sasha -

What you need to realize is that you have a layering problem to solve  
and one could solve it multiple ways today.

One solution:

Run LACP or UDLD between the router and the switch that has the  
bundled interface, monitor component links and the state of the  
bundle. Independently run a BFD session between the two routers.


Second solution:

Run BFD between the two routers and on the router with the bundled  
interface, have a distributed state machine on all cards that home  
component links (this is an implementation specific design).


Third solution:

Run BFD between the router and the switch with the bundled interface  
via IP and monitor all component links. Run a second BFD between the  
two routers and use either a centralized BFD, a master link (that can  
receive all BFD packets through internal forwarding) or replicate  
state via #2.



All three of the above solve the problem (there are obvious variants)  
and are deployed today.

-DWard



On Jan 12, 2008, at 11:24 PM, Alexander Vainshtein wrote:

> David,
> I have probably poorly presented the case of an intermediate L2  
> device.
> What I have in mind is the following combination:
> A single L3 adjacency monitored by BFD that has been established  
> across an intermediate L2 device
> Different number of L2-bundled links between each of the L3 peers  
> and the intermediate L2 device.
> I do not see how your proposed solutions would help to resolve the  
> problem:
>
> Not sure why UDLR is relevant to this scenario, will look-up the  
> appropriate RFC first
> LACP operates per L2-bundled link. It would help to detect a  
> failure of such a link, but, IMHO, no more than that



> L3 BFD between a L3 and L2 device would not affect the state of the  
> L3 BFD session between the L3 peers.
>





> Regards,
>
>                 Sasha
>
>
> From: David Ward [mailto:dward@cisco.com]
> Sent: Fri 1/11/2008 4:18 PM
> To: Alexander Vainshtein
> Cc: David Ward; Nitin Bahadur; Dave Katz; Ronen Sommer; BFD WG;  
> Igor Danilovich
> Subject: Re: Resetting the sequence number in an authenticated BFD  
> session
>
> Sasha -
>
>
> I think I already covered your points on centralization and master  
> component link. WRT the issue that a L3 device is connected to an  
> L2 device via a bundled interface and the far L3 device is single  
> attached ... BFD is currently an L3 solution. You'd have to run  
> LACP, UDLR or BFD at L3 to the L2 device to cover this scenario.
>
> -DWard
>
>
> On Jan 11, 2008, at 4:11 AM, Alexander Vainshtein wrote:
>
>> David, Nitin and all,
>> Please see inline below (blue italics)..Unfortunately it seems  
>> that none of the options explicitly proposed by David resolve the  
>> issue.
>>
>> Regards,
>>                  Sasha
>>
>> From: David Ward [mailto:dward@cisco.com]
>> Sent: Thu 1/10/2008 11:51 PM
>> To: Nitin Bahadur
>> Cc: David Ward; Alexander Vainshtein; Dave Katz; Ronen Sommer; BFD  
>> WG; Igor Danilovich
>> Subject: Re: Resetting the sequence number in an authenticated BFD  
>> session
>>
>> Solutions include (and are alluded to in the drafts):
>>
>> run BFD on bundled interfaces (any flavor) centrally [Sasha] This  
>> rasies the issue of the central component failover (as mentioned  
>> in my oriinal message).
>>
>> run BFD on all component links independently [Sasha] IMHO this is  
>> not a viable option. E.g., consider a L3 1-hop situation where the  
>> bundled interfaces run between one of the routers and a L2 switch,  
>> while the L3 adjacency is unaware of bundling. This is easily  
>> achieved with LAG.
>>
>> run BFD on a master component link [Sasha] The failure of the LC  
>> that carries the "master componet link" is the original scenario  
>> described in my original email, and the issue remains unsloved IMO.
>>
>> There are other variants as well.
>>
>> -DWard
>>
>> On Jan 10, 2008, at 3:41 PM, Nitin Bahadur wrote:
>>
>>> Alexander,
>>>
>>>    I agree that keeping the sequence number consistent between  
>>> line cards is not practical. We need a way for a system to  
>>> indicate that it wants to restart the sequence.
>>>
>>> Nitin
>>>
>>> From: Alexander Vainshtein [mailto:Alexander.Vainshtein@ecitele.com]
>>> Sent: Thursday, January 10, 2008 12:42 PM
>>> To: David Ward; Dave Katz
>>> Cc: Ronen Sommer; BFD WG; Igor Danilovich
>>> Subject: Resetting the sequence number in an authenticated BFD  
>>> session
>>> Importance: High
>>>
>>> Hi all,
>>> I have a question related to the expected behavior of sequence  
>>> numbers in an aythenticated (MD5 or SHA1) BFD session.
>>>
>>> The corresdponding sections of draft-ietf-bfd-base-06 state that,  
>>> once the packet has been authenticated by the receiver, its  
>>> sequence number MUST be checked; if its value is out of range  
>>> defined by the last received sequence number and the Detect  
>>> Multiplexor, the packet MUST be discarded.
>>>
>>> This may result in the a BFD session going down in the situation  
>>> when the transceiver "loses" the information about its last  
>>> transmitted sequence number. A suitable use case is a multilink  
>>> interface (LAG, ML-PPP, etc.) with the links residing in  
>>> different line cards, and e BFD implemented in one of these  
>>> cards: if this card fails, the BFD would could be re-started in  
>>> one of the remaining cards. Such a restart would not affect the  
>>> local session because the BFD machine would be restarted with  
>>> bfd.AuthSeqKnown = 0, but keeping bfd.XmitAuthSeq consistent  
>>> between different line cards seems problematic. (Implemeting BFD  
>>> in some common card would resolve the situation with the  
>>> multilink interfaces but would raise similar issues when the  
>>> common card fails).
>>>
>>> Note that this problem would not occur for a non-authenticated  
>>> BFD session.
>>>
>>> IMHO this problem is real, and I do not see a simple solution for  
>>> it.
>>> I would highly appreciate any feedback from the draft authors and/ 
>>> or from the WG.
>>>
>>> Regards,
>>>                   Sasha
>>>
>>
>

v2.23.0 | Report a Bug | By Email