IETF Logo Mail Archive

RE: Resetting the sequence number in an authenticated BFD session

Alexander Vainshtein <Alexander.Vainshtein@ecitele.com> Sun, 13 January 2008 17:17 UTC

Return-path: <rtg-bfd-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JE6SP-0002hR-JN; Sun, 13 Jan 2008 12:17:13 -0500
Received: from rtg-bfd by megatron.ietf.org with local (Exim 4.43) id 1JE6SO-0002hJ-Dj for rtg-bfd-confirm+ok@megatron.ietf.org; Sun, 13 Jan 2008 12:17:12 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JE6SN-0002hB-Vc for rtg-bfd@ietf.org; Sun, 13 Jan 2008 12:17:12 -0500
Received: from eci-iron1.ecitele.com ([147.234.242.117]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1JE6SL-00032h-Ca for rtg-bfd@ietf.org; Sun, 13 Jan 2008 12:17:11 -0500
Received: from unknown (HELO ILPTAM01.ecitele.com) ([147.234.244.44]) by eci-iron1.ecitele.com with ESMTP; 13 Jan 2008 19:35:26 +0200
Received: from ilptexch01.ecitele.com ([172.31.244.40]) by ILPTAM01.ecitele.com with Microsoft SMTPSVC(6.0.3790.3959); Sun, 13 Jan 2008 19:17:08 +0200
Received: from ILPTMAIL01.ecitele.com (147.234.245.211) by ilptexch01.ecitele.com (172.31.244.40) with Microsoft SMTP Server id 8.1.240.5; Sun, 13 Jan 2008 19:17:07 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C85608.1FF0EE3E"
Date: Sun, 13 Jan 2008 19:17:06 +0200
Message-ID: <64122293A6365B4A9794DC5636F9ACFD02672A85@ILPTEX02.ecitele.com>
In-Reply-To: <37AA0457-0AC7-4C00-975F-96416C050870@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Resetting the sequence number in an authenticated BFD session
Thread-Index: AchV/+GFD8u7CUsBTgCt4Y8Ruk6D+gABkLOg
References: <64122293A6365B4A9794DC5636F9ACFD0252D70A@ILPTEX02.ecitele.com> <7FA0C743C38E5340BFC2873488FA1E8E8B22F9@emailcorp3.jnpr.net> <A1C094AD-3891-4660-AE2C-DADE1FF7DD96@cisco.com> <64122293A6365B4A9794DC5636F9ACFD0252D70B@ILPTEX02.ecitele.com> <A050B43B-2ABA-4FCC-811E-2017003A1B50@cisco.com> <64122293A6365B4A9794DC5636F9ACFD0252D70D@ILPTEX02.ecitele.com> <37AA0457-0AC7-4C00-975F-96416C050870@cisco.com>
From: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>
To: David Ward <dward@cisco.com>
X-OriginalArrivalTime: 13 Jan 2008 17:17:08.0248 (UTC) FILETIME=[2058D980:01C85608]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a8403cbbf1773e27474a13192645c46f
Cc: BFD WG <rtg-bfd@ietf.org>, Ronen Sommer <Ronen.Sommer@ecitele.com>, Dave Katz <dkatz@juniper.net>
Subject: RE: Resetting the sequence number in an authenticated BFD session
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
Errors-To: rtg-bfd-bounces@ietf.org

David and all,
Lots of thanks for a prompt and detailed response.
 
My gut feeling is that replicated state (or something like that) is part
of all the approaches you've outlined, but I must carefully  re-check
this feeling.
 
Regards,
                Sasha

________________________________

From: David Ward [mailto:dward@cisco.com] 
Sent: Sunday, January 13, 2008 6:18 PM
To: Alexander Vainshtein
Cc: David Ward; Nitin Bahadur; Dave Katz; Ronen Sommer; BFD WG; Igor
Danilovich
Subject: Re: Resetting the sequence number in an authenticated BFD
session


Sasha - 

What you need to realize is that you have a layering problem to solve
and one could solve it multiple ways today.

One solution:

Run LACP or UDLD between the router and the switch that has the bundled
interface, monitor component links and the state of the bundle.
Independently run a BFD session between the two routers. 


Second solution:

Run BFD between the two routers and on the router with the bundled
interface, have a distributed state machine on all cards that home
component links (this is an implementation specific design).


Third solution:

Run BFD between the router and the switch with the bundled interface via
IP and monitor all component links. Run a second BFD between the two
routers and use either a centralized BFD, a master link (that can
receive all BFD packets through internal forwarding) or replicate state
via #2.



All three of the above solve the problem (there are obvious variants)
and are deployed today.

-DWard



On Jan 12, 2008, at 11:24 PM, Alexander Vainshtein wrote:


	David,
	I have probably poorly presented the case of an intermediate L2
device. 
	What I have in mind is the following combination:

	1.	
		A single L3 adjacency monitored by BFD that has been
established across an intermediate L2 device
	2.	
		Different number of L2-bundled links between each of the
L3 peers and the intermediate L2 device.

	I do not see how your proposed solutions would help to resolve
the problem:

	1.	Not sure why UDLR is relevant to this scenario, will
look-up the appropriate RFC first 
	2.	LACP operates per L2-bundled link. It would help to
detect a failure of such a link, but, IMHO, no more than that




	3.	L3 BFD between a L3 and L2 device would not affect the
state of the L3 BFD session between the L3 peers.

	






	Regards,

	                Sasha


________________________________

	From: David Ward [mailto:dward@cisco.com]
	Sent: Fri 1/11/2008 4:18 PM
	To: Alexander Vainshtein
	Cc: David Ward; Nitin Bahadur; Dave Katz; Ronen Sommer; BFD WG;
Igor Danilovich
	Subject: Re: Resetting the sequence number in an authenticated
BFD session
	
	
	Sasha - 


	I think I already covered your points on centralization and
master component link. WRT the issue that a L3 device is connected to an
L2 device via a bundled interface and the far L3 device is single
attached ... BFD is currently an L3 solution. You'd have to run LACP,
UDLR or BFD at L3 to the L2 device to cover this scenario.

	-DWard


	On Jan 11, 2008, at 4:11 AM, Alexander Vainshtein wrote:


		David, Nitin and all,
		Please see inline below (blue italics)..Unfortunately it
seems that none of the options explicitly proposed by David resolve the
issue.
		 
		Regards,
		                 Sasha

________________________________

		From: David Ward [mailto:dward@cisco.com]
		Sent: Thu 1/10/2008 11:51 PM
		To: Nitin Bahadur
		Cc: David Ward; Alexander Vainshtein; Dave Katz; Ronen
Sommer; BFD WG; Igor Danilovich
		Subject: Re: Resetting the sequence number in an
authenticated BFD session
		
		
		Solutions include (and are alluded to in the drafts): 

		run BFD on bundled interfaces (any flavor) centrally
[Sasha] This rasies the issue of the central component failover (as
mentioned in my oriinal message).
		 
		run BFD on all component links independently [Sasha]
IMHO this is not a viable option. E.g., consider a L3 1-hop situation
where the bundled interfaces run between one of the routers and a L2
switch, while the L3 adjacency is unaware of bundling. This is easily
achieved with LAG. 
		 
		run BFD on a master component link [Sasha] The failure
of the LC that carries the "master componet link" is the original
scenario described in my original email, and the issue remains unsloved
IMO.

		There are other variants as well.

		-DWard

		On Jan 10, 2008, at 3:41 PM, Nitin Bahadur wrote:


			
			Alexander,
			 
			   I agree that keeping the sequence number
consistent between line cards is not practical. We need a way for a
system to indicate that it wants to restart the sequence.
			 
			Nitin
			 
			
________________________________

			From: Alexander Vainshtein
[mailto:Alexander.Vainshtein@ecitele.com] 
			Sent: Thursday, January 10, 2008 12:42 PM
			To: David Ward; Dave Katz
			Cc: Ronen Sommer; BFD WG; Igor Danilovich
			Subject: Resetting the sequence number in an
authenticated BFD session
			Importance: High
			 
			Hi all,
			I have a question related to the expected
behavior of sequence numbers in an aythenticated (MD5 or SHA1) BFD
session.
			 
			The corresdponding sections of
draft-ietf-bfd-base-06 state that, once the packet has been
authenticated by the receiver, its sequence number MUST be checked; if
its value is out of range defined by the last received sequence number
and the Detect Multiplexor, the packet MUST be discarded.
			 
			This may result in the a BFD session going down
in the situation when the transceiver "loses" the information about its
last transmitted sequence number. A suitable use case is a multilink
interface (LAG, ML-PPP, etc.) with the links residing in different line
cards, and e BFD implemented in one of these cards: if this card fails,
the BFD would could be re-started in one of the remaining cards. Such a
restart would not affect the local session because the BFD machine would
be restarted with bfd.AuthSeqKnown = 0, but keeping bfd.XmitAuthSeq
consistent between different line cards seems problematic. (Implemeting
BFD in some common card would resolve the situation with the multilink
interfaces but would raise similar issues when the common card fails).
			 
			Note that this problem would not occur for a
non-authenticated BFD session.
			 
			IMHO this problem is real, and I do not see a
simple solution for it. 
			I would highly appreciate any feedback from the
draft authors and/or from the WG.
			 
			Regards,
			                  Sasha

v2.23.0 | Report a Bug | By Email