Re: [Tsv-art] Tsvart last call review of draft-ietf-bfd-multipoint-16
Greg Mirsky <gregimirsky@gmail.com> Mon, 18 June 2018 17:39 UTC
Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0880F12872C; Mon, 18 Jun 2018 10:39:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xRp56EHbjS-w; Mon, 18 Jun 2018 10:39:40 -0700 (PDT)
Received: from mail-lf0-x243.google.com (mail-lf0-x243.google.com [IPv6:2a00:1450:4010:c07::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B6CD130DF6; Mon, 18 Jun 2018 10:39:39 -0700 (PDT)
Received: by mail-lf0-x243.google.com with SMTP id x13-v6so10492071lff.10; Mon, 18 Jun 2018 10:39:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BRuJ+CJqiI7nhNRjR3FWMcNM9yr4ShhK/OlrUWBCetk=; b=dFEOLENp2/i5akUB1LKyEwMkHhAJSKOYN3DwGbAESKIwd8N6PwPrKezeZw5QHH6rrY G0mhH4zDxGMqx4vCosoTAMTzoHVd1wKX8NHpTeUGwgW0Q2bb7/ZZK2ZymaoysVlXVHJz 7Qcf6wF8J6jCGgqJG9xZBeN7q3CZzT+kHkUeYZZhUT9BWhyAGcAkkUWqEqFzjtp9c4WH M0UyabkvKchlqqGY8A86ZG5OGOMEk9Qj9nhFn3CGBo/ACqjGaF1PUooJsyU9qKB3oBRW tvjchUis5MKEtUxOwtY/2GlLaMvJk7cxuAI/m51ZBFbZQvO+EFO5JQ2SDOLS0mEP/dRL vOtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BRuJ+CJqiI7nhNRjR3FWMcNM9yr4ShhK/OlrUWBCetk=; b=a3dN3I4gsi8Y0pukbiXCV+Nh5wgxIz5SHcZfn1qoa+ppnpeFgd0PYx0LVO9Vwl3cue jmrPoqSDN2ldVHfVYp+6py1G08f2XGvQ/mxrYYhyUEZgGlflIfxP7Nsdsd3GZ/NfcPR5 Q8T6BHjWGlKU5SesD+AbQsM9u/nlPmB5tbh7NA1TTGrq/fXpydEFKyJ8Cf+lAqd6sU8F eeWl+Bf5l+4emSm7IMqjsKp9ffAJZgKKm+AzRPwc72ZyxROzNUaNO2VW7jU8UeGbbZrw Ug0nn+TgJgFQTdh4DHJqtJnF5+/X+NlYLnbh5IMBAoAWsIXdUxhoak8pvtwicgq69TP8 rWgA==
X-Gm-Message-State: APt69E2+Qcn5F+29EkpTm3V7dVsV/KLxVjm7RbzE4HXp40WY8J5H4C51 pRzIgQbZ98g/m/oO8gcxjB9MTuSVqG405BjcYMQ=
X-Google-Smtp-Source: ADUXVKJtivGN1+yspyU3QUKLRUlnbN1rbmCQRj4P9H3jH7YxQJOFvsPFH0EiuAKbBgj4SrBXAk+KmZkqTxiBIrbSadI=
X-Received: by 2002:a2e:1b0a:: with SMTP id b10-v6mr8772143ljb.76.1529343577226; Mon, 18 Jun 2018 10:39:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:6e08:0:0:0:0:0 with HTTP; Mon, 18 Jun 2018 10:39:36 -0700 (PDT)
In-Reply-To: <4d67197f-7728-d226-66b0-7d188a995148@bobbriscoe.net>
References: <152694840016.8083.12174100605609215107@ietfa.amsl.com> <CA+RyBmVmsFxmiDTLLS5Jz+q_Fgb3O7QcsbMJwFUxbh-+9XxYWQ@mail.gmail.com> <1afa9af2-9fce-1588-ca09-cd39f1122688@bobbriscoe.net> <CA+RyBmVo2B6bh=j6a32xOcq8EwTGceuDeifgEGKBVRRwMi9HGQ@mail.gmail.com> <4a8bd1a3-3cfc-9c9c-c2cd-d0f8467da2c8@bobbriscoe.net> <CA+RyBmVNrp=k=s201S=0rH_-mONDwjwpK3C1Y=Tc5kbQC=VEBQ@mail.gmail.com> <4d67197f-7728-d226-66b0-7d188a995148@bobbriscoe.net>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Mon, 18 Jun 2018 10:39:36 -0700
Message-ID: <CA+RyBmXJ7tHgRtPxTHk09xJPY+WQShPxtCG+kzHSg0YrESpS2g@mail.gmail.com>
Subject: Re: [Tsv-art] Tsvart last call review of draft-ietf-bfd-multipoint-16
To: Bob Briscoe <ietf@bobbriscoe.net>
Cc: draft-ietf-bfd-multipoint.all@ietf.org, tsv-art@ietf.org, rtg-bfd@ietf.org, IETF list <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a902f9056eee0c11"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/skTm8ikAozkT9pcHrAEltbH1VAs>
X-Mailman-Approved-At: Mon, 18 Jun 2018 10:41:02 -0700
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2018 17:39:49 -0000
Hi Bob, many thanks for the comments and the discussion. The new update <https://datatracker.ietf.org/doc/draft-ietf-bfd-multipoint/> has been published to address your latest suggestions. Regards, Greg On Mon, Jun 11, 2018 at 2:47 PM, Bob Briscoe <ietf@bobbriscoe.net> wrote: > Greg, > > I may be wrong, in which case fine. > But I'll take each case in turn (there may not be security problems with > all, but a problem with just one would still be of concern): > > Multicast: > If there is an SSM tree from host A to multicast address G, I am not > familiar enough with SSM to know what happens when host B sends a packet to > G with source address A (i.e. spoofing A). I assume the IGMP messages build > the tree back from each member to A, so usually there will be no route from > B, even if it is spoofing A as the source. However, I would have thought > that a host connected to the same router as A could spoof A and get onto > the SSM tree. Or does SSM always check for this type of spoofing? > > Directly connected. > As with multicast, even tho not every machine on the Internet could spoof > the source address, surely if the link were a shared link (which is implied > in this use-case) any machine on the shared link could spoof the genuine > source. > > MPLS > I think the MPLS case is safe, cos at each hop the label switched path is > specific to each prior hop. > > As I said, I may be wrong. > But, if either of the first two cases have a vulnerability in certain > cases, it ought to be described in the draft, even if the vulnerability is > confined to a specific set of circumstances. > > > Bob > > > On 11/06/18 19:14, Greg Mirsky wrote: > > Hi Bob, > thank you for the most thoughtful and helpful comments. It was not my > intention to pull you into re-designing of the specification. I've accepted > all the editorial updates, applied them to the new working version. > > I have to admit that I'm bit confused that you see lack of 3WHS in > mpBFD as the significantly increased risk of the spoofing attack on leaves. > The BFD Control packet is expected to be received by a leave from one of > the following: > > - multicast path; > - directly connected; > - p2mp/mp2mp MPLS LSP. > > For the first scenario, as I understand, a host must first use multicast > control protocol to join the multicast path. > For the second - it is reasonable to assume, as in VRRP and PIM-SM drafts > I've referenced earlier, that BFD control packet be required to have IP TTL > == 1 and mcast IP address of link scope. > And the third, I think, is similar to #1 above. > > If these considerations are technically accurate, I'll work on the text > for Assumptions section. > > Regards, > Greg > > > On Thu, Jun 7, 2018 at 5:02 PM, Bob Briscoe <ietf@bobbriscoe.net> wrote: > >> Greg, >> >> Your responses are AOK now. >> >> *Remaining Security Vulnerability* >> >> I think you may have misunderstood my point about vulnerability to source >> address spoofing without a 3WHS. When you said in response: >> >> >> Would you suggest additional text to a use case where the new >> demultiplexing is not sufficent to protect from source address spoofing? >> >> >> I said: >> >> [BB]: I seem to have become co-opted into redesigning this protocol. I'd >> prefer to limit my involvement to reviewing :) >> >> >> If this wasn't clear, I meant, "I believe this protocol has a security >> problem that needs to be fixed. But it's your job to fix it, not mine." >> >> If you can't fix it, I suggested that you need to at least add a section >> listing all the limitations when a multipoint scheme has no back channel >> (the others being no feedback on timing control and no way to set up >> asymmetric authentication). >> >> >> Apologies, if the following is already obvious to you, but it is safer to >> be over-cautious: >> The text you originally quoted in response to my point about 3WHS uses >> the source address as part of the identification of a session. That is the >> problem (not a solution). If a malicious host M masquerading as the source >> S spoofs the source address of S in its packets, the tails will not be able >> to tell that these packets are not from S. >> >> A 3WHS (e.g. as in TCP) is a simple way to address this vulnerability, by >> the tails using the routing system to send a packet to the location where >> the source claims to be sending from. I.e. the tail returns a packet to >> address S with some random information in it (in TCP's case, the initial >> sequence number). If S genuinely initiated the handshake, it will reflect >> the random info to the tail in the 3rd way of the handshake. If M is >> masquerading as S, it will not receive the 2nd way of the handshake. And it >> won't be able to spoof the 3rd way without the random info. >> >> Without a 3WHS, multipoint BFD does not check that the source address is >> genuine. >> >> >> *Some (mostly editorial) comments from scanning the diff:* >> >> In the intro, the para starting "As an option, the tail may notify the >> head..." is prerequisite info that needs to come before the para ending >> "even without the existence of some kind of a return path to the head." >> >> s/in the received by MultipointTail BFD Control packet/ >> /in the received MultipointTail BFD Control packet/ >> >> s/entire/the entire/ (twice) >> >> Section 6 (Assumptions) has no flow of logic between the new text and the >> pre-existing text. It would be better to switch the order of the paras. >> >> >> Otherwise, I think my comments are becoming increasingly less useful, so >> I'll stop. I don't know enough about the whole ecosystem around this draft >> to be any more helpful, I think. >> >> >> Bob >> >> >> On 05/06/18 03:23, Greg Mirsky wrote: >> >> Hi Bob, >> thank you for further clarifications and the new ideas. Please find my >> follow-up in-line and tagger GIM2>>. >> I'll check for nits and grammar and will publish the new version shortly. >> >> Regards, >> Greg >> >> On Tue, May 29, 2018 at 3:22 AM, Bob Briscoe <ietf@bobbriscoe.net >> <ietf@bobbriscoe..net>> wrote: >> >>> Greg, >>> >>> >>> On 26/05/18 20:49, Greg Mirsky wrote: >>> >>> Hi Bob, >>> thank you for the thorough review, detailed questions and helpful >>> comments. Please find my answers in-line and tagged GIM>>. >>> I've updated the working version of the draft based on your comments and >>> suggestions. Appreciate your feedback whether all questions have been >>> addressed. >>> Attached please find the diff of -16 and the working version and the >>> copy of the working version of the draft. >>> >>> Regards, >>> Greg >>> >>> On Mon, May 21, 2018 at 5:20 PM, Bob Briscoe <ietf@bobbriscoe.net> >>> wrote: >>> >>>> Reviewer: Bob Briscoe >>>> Review result: Not Ready >>>> >>>> Altho this is a TSV-ART review, I did not find many transport-related >>>> issues to >>>> focus on, except a need to justify why lack of information for adapting >>>> the >>>> transmit interval is not an issue. >>>> >>>> Nonetheless, I did find a few other non-trivial technical issues, >>>> including 2 >>>> security issues, enumerated below (I mis-spent some of my early >>>> research career >>>> working on a multicast session control and security, for which we used >>>> beaconing control channels). However, I only have passing prior >>>> knowledge of >>>> BFD, so my critique might be off-beam. >>>> >>>> ==Main Technical Concerns=== >>>> >>>> 1/ Mandatory return path? >>>> RFC5880 is the base RFC that this draft updates. RFC5880 says that >>>> "unidirectional links" are in scope, but only as long as there is a >>>> return path. >>>> >>>> The introduction of this bfd-multipoint draft seems to contradict that, >>>> making >>>> a return path optional: " >>>> As an option, the tail may notify the head of the lack of multipoint >>>> connectivity. Details of tail notification to the head are outside >>>> the scope of this document. >>>> " >>>> It's allowable for irrelevant details to be outside the scope, but >>>> surely it >>>> needs to be clear whether at least the existence of a return path is >>>> mandatory. >>>> >>> GIM>> Thank you for highlighting this issue. I think that the second >>> paragraph of Introduction is the appropriate place to note that this >>> mechanism does not require existence of a return path from tails to the >>> head. Would the following be acceptable: >>> NEW TEXT: >>> Use of BFD in >>> Demand mode enables a tail monitor availability of a multipoint path >>> even without the existence of some kind of a return path to the head. >>> >>>> >>>> 2/ Mechanism for verifying connectivity, or not? >>>> The introduction seems to contradict itself: >>>> " >>>> As multipoint transmissions are inherently unidirectional, this >>>> mechanism purports only to verify this unidirectional connectivity. >>>> " >>>> " >>>> Term "connectivity" in this document is not being used in the context >>>> of connectivity verification in transport network but as an >>>> alternative to "continuity", i.e. existence of a forwarding path >>>> between the sender and the receiver. >>>> " >>>> How can this mechanism verify connectivity, but not be used in the >>>> context of >>>> connectivity verification in the transport network? >>>> >>> GIM>> This draft defines the base specification for multipoint BFD. In >>> order for multipoint BFD to support the transport-like connectivity >>> verification we need to do work similar to described in RFC 6428. >>> >>> [BB]: Caveat: I am having to talk in generalizations, cos I don't >>> actually know how you are going to get this protocol to work in a wide >>> range of circumstances, given inherent problems like multipoint feedback >>> implosion {Note 1}. >>> >>> My point was that, having broken up the drafts in this way, this draft >>> on its own no longer defined a workable protocol. Therefore, it needed some >>> references to other drafts (even if they are placeholders), so that the >>> extent of the pre-requisite collection of work is clear. The refs you give >>> later go a long way to fixing this issue. >>> >>> If each pre-requisite protocol is intended to only represent one >>> example, the citation can say that and the ref can be informative. But with >>> zero examples for all the prerequisite parts, all the reader sees is a >>> dismembered octopus, not a protocol. >>> >>> >>> >>>> 3/ Use case >>>> The introduction seems to be written rather academically. Surely, in >>>> cases >>>> where there is never a return path, only the tails will ever be able to >>>> verify >>>> connectivity. The head could continue transmitting BFD packets (and data >>>> packets) for years without ever knowing whether it is connected to >>>> anything. >>>> Knowledge of connectivity is surely of little use if it excludes the >>>> link >>>> sender, which is the node that always controls routing. >>>> >>>> If there are scenarios where it is useful for tails but not the head to >>>> be able >>>> to verify connectivity, can you please give a concrete example? >>>> >>> GIM>> One example could be a multicast system with 1+1 protection. >>> Without multipoint BFD tails would not be able to detect the failure of the >>> muticast path from the head. Other examples discussed in several drafts: >>> >>> - BESS WG draft MVPN fast upstream failover >>> <https://tools.ietf.org/html/draft-ietf-bess-mvpn-fast-failover-03> >>> - Individual draft BFD for Multipoint Networks and VRRP Use Case >>> <https://tools.ietf.org/html/draft-mirsky-bfd-p2mp-vrrp-use-case-01> >>> - Individual draft BFD for Multipoint Networks and PIM-SM Use Case >>> <https://tools.ietf.org/html/draft-mirsky-pim-bfd-p2mp-use-case-00> >>> >>> I am not sure how references to non-WG drafts affect the progress of >>> this document. Appreciate your suggestion. >>> >>> [BB]: In my experience, informative refs to non-WG drafts as use-cases >>> would be OK during doc development. However, if a non-WG draft fails to >>> proceed, its citation has to be removed later. So choose those that are >>> most likely to proceed. >>> >>> Nonetheless, if you cite some specs that turn this into a workable >>> protocol (see previous issue) use-cases might not be necessary. >>> >> GIM2>> I've added reference to use of this mechanism in BGP/MPLS MVPN. >> >>> >>> >>> >>> >>>> 4/ Interval adaptation >>>> Text is needed to describe why it is not an issue for the head to be >>>> unaware >>>> whether it needs to adapt its transmit interval. Otherwise, this seems >>>> potentially problematic. >>>> >>> GIM>> Very interesting, thank you. I wouldn't say that the case when a >>> tail cannot process incoming mpBFD control packets at the offered rate is >>> entirely non-issue. Such scenario must be handled by the implementation and >>> may be controlled by local policy, e.g., close the MultipointTail session. >>> >>> [BB]: Fair enough. >>> >>> In some scenarios, this issue will not necessarily be so unlikely tho: >>> * If asymmetric crypto is used to solve the group message authentication >>> problem (see later), the processing burden on any lightweight endpoints >>> might lead to message verification leaving less available processor >>> resource than needed for the host's other tasks. >>> * Each tail might be joined to a very large number of multipoint >>> sessions. >>> >>> Where would you suggest to add the text? >>> >>> I would suggest a new section listing potential issues when there is no >>> back channel. >>> >> GIM2>> I've tried to start the new section but decided to insert the note >> in the first paragraph of Timer Manipulation section. Hope that is >> acceptable. >> >>> >>> >>> >>> >>>> 5/ Inability to authenticate the sender with symmetric keys >>>> In unicast scenarios, symmetric keys can be used for message >>>> authentication, >>>> because each end knows there is only one other node with the shared >>>> key. But, >>>> in multipoint scenarios, all the tails would share the key, so a shared >>>> key >>>> does not authenticate who sent the message - any tail can spoof the >>>> head from >>>> the viewpoint of the other tails. >>>> >>>> Therefore text is needed to say that: >>>> * multipoint message authentication is limited to cases where all tails >>>> are >>>> trusted not to spoof the head, if shared keys are used. * otherwise >>>> asymmetric >>>> message authentication would be needed, e.g. TESLA [RFC4082] >>>> >>> GIM>> Thank you for the suggested text. Would the Security >>> Considerations section be appropriate place: >>> >>> [BB]: Well, the point limits the applicability of the assumption about >>> security in 5. 'Assumptions', so this would fit well there. >>> Then "Security Considerations" should point to everywhere in the doc >>> that discusses security, such as this (to save time for security reviewers). >>> >>> NEW TEXT: >>> Use of shared keys to authenticate BFD Control packet in multipoint >>> scenarios is limited because tail can spoof the head from the >>> viewpoint of the other tails. Thus, if shared keys are used, all >>> tails MUST be trusted not to spoof the head. >>> >>> [BB]: Normally a MUST is applied to implementations. It would be rather >>> odd to require users/operators to satisfy a spec requirement, particularly >>> requiring them to trust each other. I think this should be written as an >>> applicability statement not a normative requirement. >>> >> GIM2>> I've adopted text suggested by Spencer and moved the paragraph to >> section Assumption. >> >>> >>> >>> Otherwise, asymmetric >>> message authentication would be needed, e.g., Timed Efficient Stream >>> Loss-Tolerant Authentication (TESLA) as described in [RFC4082]. >>> >>> >>> [BB]: If you are going to allow for cases where all tails are trusted >>> not to spoof the head, then the assumption written in section 5 is no >>> longer correct. >>> >>> [FYI, RFC4082 is only a generic description. Many RFCs have been written >>> to authenticate specific protocols along TESLA lines.] >>> >>> >>>> A related nit: Section 5 says all tails are assumed to have a common >>>> authentication key. In cases with symmetric message authentication, >>>> surely the >>>> head also needs the same key. >>>> >>> GIM>> Thank you. Please check the updated text: >>> NEW TEXT: >>> If authentication is in use, the head and all tails must be >>> configured to have a common authentication key in order for the tails >>> to validate received the multipoint BFD Control packets. >>> >>> [BB]: Yup. Except delete "received the". >>> Also see above about whether this is now a correct assumption. >>> >> GIM2>> I think that s/must/may/ will keep the Assumption valid. >> >>> >>> >>> >>>> 6/ Source address spoofing >>>> A 3-way handshake makes a protocol robust against simple source address >>>> spoofing. Without a 3WHS, surely the spec. needs to highlight this >>>> vulnerability or discuss ways to address it or why it is not an issue. >>>> >>> GIM>> Because mpBFD control packets cannot be demultiplexed by tail >>> based on the value of Your Discriminator field as per RFC 5880, >>> the new procedure outlined in Section 4.7: >>> IP and MPLS multipoint tails MUST demultiplex BFD packets based on a >>> combination of the source address, My Discriminator and the identity >>> of the multipoint tree which the Multipoint BFD Control packet was >>> received from. Together they uniquely identify the head of the >>> multipoint path. >>> and described in details in Section 4.13.2: >>> If the Multipoint (M) bit is set >>> >>> If the Your Discriminator field is nonzero, the packet MUST be >>> discarded. >>> >>> Select a session as based on source address, My Discriminator >>> and the identity of the multipoint tree which the Multipoint >>> BFD Control packet was received. If a session is found, and >>> bfd.SessionType is not MultipointTail, the packet MUST be >>> discarded. If a session is not found, a new session of type >>> MultipointTail MAY be created, or the packet MAY be discarded. >>> This choice is outside the scope of this specification. >>> >>> Would you suggest additional text to a use case where the new >>> demultiplexing is not sufficent to protect from source address spoofing? >>> >>> >>> [BB]: I seem to have become co-opted into redesigning this protocol. I'd >>> prefer to limit my involvement to reviewing :) >>> >>> >>> >>>> 7/ Scope >>>> On eight occasions an issue is raised, but resolution is stated as >>>> outside the >>>> scope of this document. It is OK to limit the scope of a spec, for >>>> example to >>>> allow for multiple solutions to each issue. But at least one solution >>>> must >>>> already exist for each of these eight issues. So, at least one example >>>> solution >>>> ought to be cited in each case. If any issues are open, then this >>>> should not be >>>> on the standards track. >>>> >>>> It would be more useful to state why each issue is out of scope. This >>>> would be >>>> helped by stating from the start what the scope of the document is. >>>> >>> GIM>> I've listed all eight occasions with the explanation for each one: >>> >>> 1. Details of tail notification to the head are outside the scope of >>> this document. - Notifications by tails addressed in >>> draft-ietf-bfd-multipoint-active-tail >>> <https://datatracker.ietf.org/doc/draft-ietf-bfd-multipoint-active-tail/>. >>> Will add as informational reference. >>> >>> [BB]: Good. >>> >>> Nonetheless, given you have confirmed that a reverse path is optional, >>> the doc still needs to address the case where there is no reverse path. >>> >> GIM2>> Introduction notes: >> Use of BFD in Demand mode enables a tail monitor availability >> of a multipoint path even without the existence of some kind of a >> return path to the head. >> >> >>> {Note 1} For the active tail draft, you might find the following ideas >>> for scaling multipoint feedback useful: >>> >>> *Statistical feedback:* >>> Nonnenmacher, Jö. & Biersack, E.W., "Scalable Feedback for Large Groups >>> <https://dl.acm.org/citation.cfm?id=312251>," IEEE/ACM Transactions on >>> Networking 7(3):375--386 (June 1999) >>> >>> FUHRMANN, T., AND WIDMER, J. "On the scaling of feedback algorithms for >>> very large multicast groups <https://dl.acm.org/citation.cfm?id=2294709>," >>> Computer Communications 24, 5-6 (March 2001), 539 547; >>> WIDMER, J., AND FUHRMANN, T. Extremum feedback for very large multicast >>> groups. Tech. Rep. TR 12-2001, Prakfische Informatik IV, University of >>> Mannheim, Germany, May 2001. >>> >>> Also, anycast can be used to select different representative feedback >>> tails, e.g. for a certain time, which might overlap with the periods for >>> which a few other tails are selected using subsequent anycasts. >>> >>> *Logical 'AND' feedback:* >>> Burbridge, T., Soppera, A., Briscoe, R. and Jacquet, A. "Method and >>> device for co-ordinating networked group members >>> <https://worldwide.espacenet.com/publicationDetails/biblio?II=0&ND=3&adjacent=true&locale=en_EP&FT=D&date=20060406&CC=US&NR=2006075022A1&KC=A1#>" >>> Patent WO2004059479, (Jul 2004; Priority 24 Dec 2002) >>> [AFAICT this patent is still being maintained, so use of it in a >>> protocol would require an IPR declaration.] >>> >>> >>> >>> 1. Details of how the head keeps track of tails and how tails alert >>> their connectivity to the head are outside scope of this document. - Same >>> as #1. >>> >>> [BB]: And my response is same as #1. >>> >>> >>> 1. Bootstrapping BFD session to multipoint MPLS LSP in case of >>> penultimate hop popping is outside the scope of this document. - It may use >>> control plane as in MVPN draft. Will add as informational reference. >>> >>> [BB]: Good. >>> >>> >>> 1. Use of other types of encapsulation of the BFD control message >>> over multipoint LSP is outside the scope of this document. - This in >>> reference to ACH encapsulation that is discussed in >>> draft-mirsky-mpls-p2mp-bfd >>> <https://tools.ietf.org/html/draft-mirsky-mpls-p2mp-bfd-03>. Should >>> it be added as informational reference? What would be the imacpt of >>> progressing this specification? >>> >>> [BB]: See earlier comment about citing individual drafts (I don't have >>> enough BFD knowledge to give a BFD-specific answer). >>> >>> Also, in my review I should also have said: when creating new >>> encapsulations, pls see the common transport issues related to >>> encapsulation: >>> https://trac.ietf.org/trac/tsv/wiki/tsvdir-common-issues#Tun >>> nelingprotocolsandTransportRelatedIssues >>> >>> >>> >>> 1. Change in the value of bfd.RequiredMinRxInterval is outside the >>> scope of this document. - Same as #1. >>> >>> [BB]: And my response is same as #1. >>> >>> >>> 1. If a session is not found, a new session of type MultipointTail >>> MAY be created, or the packet MAY be discarded. This choice is outside the >>> scope of this specification. - I propose to add "based on local policy" to >>> the last sentence. >>> >>> [BB]: On what basis will local policy decide? It's my job as a reviewer >>> to ensure that this spec does not contain any loose ends (open issues). >>> >> GIM2>> It could be based on the maximum number of MultipointTail sessions >> and number of active MultipointTail sessions on the node. I'd clarify it as: >> This choice MAY be controlled by the local policy, e.g. maximum number >> of >> MultipointTail sessions and number of active MultipointTail sessions, >> and is outside the scope of this specification. >> >> >>> >>> >>> 1. The exact method of selection is application-specific and is thus >>> outside the scope of this specification. - This is copied from RFC 5880: >>> "The exact method of selection is application specific and is thus outside >>> the scope of this specification." as the section is to replace Section >>> 6.8.6. >>> >>> [BB]: OK. >>> >>> >>> 1. If a matching session is not found, a new session of type >>> PointToPoint MAY be created, or the packet MAY be discarded. This choice is >>> outside the scope of this specification. - Same as #6. >>> >>> >>> [BB]: And my response is same as #6. >>> [Sry, my embedded comments have broken your numbered list.] >>> >>> >>> >>> >>> >>> >>>> There is also one issue that is "for further discussion". Does this >>>> mean the >>>> document is not ready yet? >>>> >>> GIM>> I think that the question left for further discussion is >>> non-technical: >>> The semantic difference between Down and AdminDown state is for >>> further discussion. >>> I propose to remove the sentence altogether. >>> >>> [BB]: OK. >>> >>> >>> >>>> 8/ Incremental deployment >>>> >>>> Section 4.4.1. "New State Variable Values" defines bfd.SessionType = >>>> PointToPoint as well as a couple of Multipoint alternatives. Presumably >>>> this >>>> spec does not require all existing PointToPoint systems to support this >>>> state >>>> value. Is the implication that only Multipoint systems that happen to >>>> be in >>>> PointToPoint mode should use this state? >>>> >>> GIM>> You're aboultely right, existing implementations of BFD don't need >>> to support bfd.SessionType variable. Only implementations that support the >>> base BFD, single-hop or multi-hop, and this specification, mpBFD, should >>> support bfd.SessionType and set it to PointToPoint value when BFD is in >>> single-hop or multi-hop mode. When in mpBFD mode, bfd.SessionType will be >>> set to either MultipointHead or MultipointClient. >>> >>> [BB]: Doesn't something need to be written (or referenced) to clarify >>> all this? AFAIR, this spec. never made clear that multipoint is a fork in >>> implementations. >>> >> GIM2>> And so is S-BFD. (Note, bfd.SessionType introduced in RFC 7880 >> S-BFD but missed to define PointToPoint value). >> >>> >>> >>> >>> >>>> ==Nits== >>>> >>>> * Sometimes 'tree' is used to mean a multipoint path in general. I >>>> suspect >>>> 'path' was intended. >>>> >>> GIM>> I've found six occasions of "tree" and s/tree/path/ >>> >>>> >>>> 4.8. Packet consumption on tails >>>> s/Node/Nodes/ >>>> s/packet/packets/ >>>> s/demultiplex/demultiplexed/ >>>> >>> GIM>> Accepted all three. >>> >>>> >>>> 4.9. Bringing Up and Shutting Down Multipoint BFD Service >>>> " >>>> a newly >>>> started head (that does not have any previous state information >>>> available) SHOULD start with... >>>> " >>>> ... >>>> " >>>> ... (so long as the restarted head >>>> is using the same or a larger value of bfd.DesiredMinTxInterval than >>>> it did previously). >>>> " >>>> If it has no state available, how can it know whether a value is larger >>>> than >>>> previously? >>>> >>> GIM>> You are right, the BFD system at the head would not know the >>> previous value of bfd.DesiredMinTxInterval. This text is to caution >>> operator from decreasing bfd.DesiredMinTxInterval upon restart of the >>> BFD system. >>> >>>> >>>> 4.9. Bringing Up and Shutting Down Multipoint BFD Service >>>> There are a number of "SHOULD"s and "SHOULD NOT"s that do not state or >>>> give >>>> examples of circumstances in which the "SHOULD" would not be >>>> appropriate. If >>>> there are none, "MUST" would be more appropriate. >>>> >>> GIM>> In the first paragraph SHOULD may not be followed if the >>> implementation can differentiate between the very first start and restarts >>> of BFD system. If it is the first start of BFD system, the head MAY >>> directly progress to Up state skipping Down state. >>> The last paragraph describes graceful shuttdown. The head MAY shut the >>> BFD mp session abruptly by just stopping transmission of BFD Control >>> packets. >>> >>> [BB]: I assume you will say all this in the next rev, not just in this >>> email. >>> >> GIM2>> Appended the following: >> NEW TEXT: >> Alternatively, the head MAY stop transmitting BFD Control packets >> and not send any more BFD Control packets with the new state (Down or >> AdminDown). Tails >> will declare the multipoint session down only after the detection time >> interval runs out. >> >>> >>> >>> >>>> 4.10. Timer Manipulation >>>> " >>>> Because of the one-to-many mapping, a session of type MultipointHead >>>> SHOULD NOT initiate a Poll Sequence in conjunction with timer value >>>> changes. However, to indicate a change in the packets, >>>> MultipointHead session MUST send packets with the P bit set. >>>> MultipointTail session MUST NOT reply if the packet has M and P bits >>>> set and bfd.RequiredMinRxInterval set to 0. >>>> " >>>> The initial "SHOULD NOT" needs to be written another way. Perhaps >>>> " >>>> ...a session of type MultipointHead >>>> does not initiate a Poll Sequence >>>> " >>>> The head's normative action is defined by the following "MUST", then >>>> the tail's >>>> "MUST NOT reply" is what prevents the poll sequence happening. >>>> >>> GIM>> A Poll Sequence starts with the initiator setting Poll bit. Unless >>> the peer sends BFD Control packet with Finl bit set the poll sequence would >>> continue indefinetely. The initial SHOULD NOT, in my opinion, correctly >>> points that the mechanism of Poll Sequence not to be used by MultipointHead >>> when changing transmission interval. I think that MUST in the first >>> paragraph can be downgraded to MAY because the MultipointHead doesn't need >>> to use transition period when changing the transmission interval to lower >>> level, i.e., decreasing frequency. May I propose the following: >>> OLD TEXT: >>> Because of the one-to-many mapping, a session of type MultipointHead >>> SHOULD NOT initiate a Poll Sequence in conjunction with timer value >>> changes. However, to indicate a change in the packets, >>> MultipointHead session MUST send packets with the P bit set. >>> NEW TEXT: >>> Because of the one-to-many mapping, a session of type MultipointHead >>> SHOULD NOT initiate a Poll Sequence in conjunction with timer value >>> changes. However, to indicate a change in the packets, >>> MultipointHead session MAY send packets with the P bit set during >>> transition period. >>> >>> [BB]: If I were an implementer, I would not know what this is saying I >>> ought to implement. The spec needs to answer this question: If the head >>> changes the packets what happens differently if it sets the P bit vs. if it >>> doesn't? >>> >> GIM2>> I think we can expect that the implementer is familiar with RFC >> 5880 and, very likely, has implemented it one or more times already. >> >>> >>> >>>> 4.11. Detection Times >>>> Delete "in the calculation" (repetition). >>>> >>> GIM>> Done. >>> >>>> >>>> 4.13.1. Reception of BFD Control Packets >>>> Some actions seem to be only relevant to PointToPoint sessions, but >>>> they are >>>> stated for all session types. Specifically: "the transmission of Echo >>>> packets, >>>> if any, MUST cease." "the Poll Sequence MUST be terminated." "MUST >>>> cease the >>>> periodic transmission of BFD Control packets" "MUST send periodic BFD >>>> Control >>>> packets" >>>> >>>> " >>>> If bfd.SessionType is PointToPoint, update the Detection Time as >>>> described in section 6.8..4 of [RFC5880]. If bfd.SessionType is >>>> MultipointTail, >>>> " >>>> The second sentence above ought to start on a new line as an Else if. >>>> >>> GIM>> Hope I got it right: >>> If bfd.SessionType is PointToPoint, update the Detection Time as >>> described in section 6.8.4 of [RFC5880]. >>> >>> Else >>> >>> If bfd.SessionType is MultipointTail, then update the Detection >>> Time as the product of the last received values of Desired Min >>> TX Interval and Detect Mult, as described in Section 5.11 of >>> this specification. >>> >>>> >>>> 4.13.2. Demultiplexing BFD Control Packets >>>> " >>>> This section is part of the replacement for [RFC5880] section 6.8.6, >>>> separated for clarity. >>>> " >>>> Do you mean "This section replaces the sentence: "If the Multipoint (M) >>>> bit is >>>> nonzero, the packet MUST be discarded." in [RFC5880] section 6.8.6? >>>> >>>> The statements under "If the Multipoint (M) bit is set" are not >>>> formatted like >>>> the rest of the if-else logic, and I think an Else is missing at the >>>> start of >>>> the statement after the nested "If".. >>>> >>> GIM>> Agree, the paragraph is not structured properly. How about this >>> formating: >>> If the Multipoint (M) bit is set >>> >>> If the Your Discriminator field is nonzero, the packet MUST be >>> discarded. >>> >>> Select a session as based on source address, My Discriminator >>> and the identity of the multipoint path which the Multipoint >>> BFD Control packet was received. >>> >>> If a session is found, and bfd.SessionType is not >>> MultipointTail, the packet MUST be discarded. >>> >>> Else >>> >>> If a session is not found, a new session of type >>> MultipointTail MAY be created, or the packet MAY be >>> discarded. This choice is outside the scope of this >>> specification. >>> >>> [BB]: As long as this represents the logic you want, fine. The point is >>> that the indentation is the only clue to whether one 'if' is conditional on >>> a previous 'if', or not. >>> >>> HTH >>> >>> Bob >>> >>> >>> >>> >>> -- >>> ________________________________________________________________ >>> Bob Briscoe http://bobbriscoe.net/ <http://bobbriscoe..net/> >>> >>> >> >> -- >> ________________________________________________________________ >> Bob Briscoe http://bobbriscoe.net/ >> >> > > > _______________________________________________ > Tsv-art mailing listTsv-art@ietf.orghttps://www.ietf.org/mailman/listinfo/tsv-art > > > -- > ________________________________________________________________ > Bob Briscoe http://bobbriscoe.net/ > >
- Re: Tsvart last call review of draft-ietf-bfd-mul… Carlos Pignataro (cpignata)
- Re: [Tsv-art] Tsvart last call review of draft-ie… Jeffrey Haas
- Re: [Tsv-art] Tsvart last call review of draft-ie… Greg Mirsky
- Re: Tsvart last call review of draft-ietf-bfd-mul… Bob Briscoe
- Re: Tsvart last call review of draft-ietf-bfd-mul… Greg Mirsky
- Re: [Tsv-art] Tsvart last call review of draft-ie… Bob Briscoe
- Re: Tsvart last call review of draft-ietf-bfd-mul… Jeffrey Haas
- Re: Tsvart last call review of draft-ietf-bfd-mul… Carlos Pignataro (cpignata)
- Tsvart last call review of draft-ietf-bfd-multipo… Bob Briscoe
- Re: Tsvart last call review of draft-ietf-bfd-mul… Greg Mirsky
- Re: Tsvart last call review of draft-ietf-bfd-mul… Bob Briscoe
- Re: [Tsv-art] Tsvart last call review of draft-ie… Spencer Dawkins at IETF
- Re: [Tsv-art] Tsvart last call review of draft-ie… Greg Mirsky
- Re: Tsvart last call review of draft-ietf-bfd-mul… Greg Mirsky