Alvaro Retana's Discuss on draft-ietf-bfd-unsolicited-11: (with DISCUSS and COMMENT)
Alvaro Retana via Datatracker <noreply@ietf.org> Wed, 14 December 2022 15:11 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: rtg-bfd@ietf.org
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 99C80C14F740; Wed, 14 Dec 2022 07:11:14 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Alvaro Retana via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-bfd-unsolicited@ietf.org, bfd-chairs@ietf.org, rtg-bfd@ietf.org, Jeffrey Haas <jhaas@pfrc.org>
Subject: Alvaro Retana's Discuss on draft-ietf-bfd-unsolicited-11: (with DISCUSS and COMMENT)
X-Test-IDTracker: no
X-IETF-IDTracker: 9.3.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Alvaro Retana <aretana.ietf@gmail.com>
Message-ID: <167103067462.48163.5620864981176514078@ietfa.amsl.com>
Date: Wed, 14 Dec 2022 07:11:14 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/yR9N5BL56EUzYKTP4xvuq0fP51c>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Dec 2022 15:11:14 -0000
Alvaro Retana has entered the following ballot position for draft-ietf-bfd-unsolicited-11: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-bfd-unsolicited/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- This document attempts to do two things: specify "unsolicited BFD" and define a YANG model for its management. I am happy to include both in the same document, but the specification of the protocol mechanisms falls short and results in a document that lacks clarity. While YANG is the preferred management mechanism, it should be possible to implement and manage the feature without the model. Most of my concerns are from Section 2 (line numbers from idnits): 154 Passive unsolicited BFD support MUST be disabled by default, and MUST 155 require explicit configuration to be enabled. On the passive side, 156 the desired BFD parameters SHOULD be configurable. The passive side 157 MAY also choose to use the parameters that the active side uses in 158 its BFD Control packets. The "My Discriminator", however, MUST be 159 chosen to allow multiple unsolicited BFD sessions. (A) "the desired BFD parameters SHOULD be configurable" Which parameters are those? The YANG model uses bfd-types:base-cfg-parms, which only includes a basic set. The point here is that this document's specification part is incomplete because it doesn't specify which parameters "SHOULD be configurable". (B) The YANG model offers global and per-interface configuration options. The specification doesn't discuss hierarchical configuration or whether one type should take precedence over the other. [Related to Rob's DISCUSS.] This point was discussed on the mailing list, where it was pointed out that per-interface configuration should override global configuration [1], but that discussion is not reflected in the document. [1] https://mailarchive.ietf.org/arch/msg/rtg-bfd/GI_eNtxcEeh2_vTl9zfq7K6V1X4 171 When the passive side receives an incoming BFD Control packet on a 172 numbered interfaces, the source address of that packet MUST belong to 173 the subnet of the interface on which the BFD packet is received. The 174 source address of the BFD Control packet SHOULD be validated against 175 expected routing protocol peer addresses on that interface. (C) "SHOULD be validated" What does validating the source address "against expected routing protocol peer addresses on that interface" entail? Is it just a comparison? Please be explicit on what the normative behavior should be. When is it ok to not validate? Why is this behavior recommended and not required? If the validation is performed, is there an expected action if the source address does not correspond to an "expected routing protocol peer addresses on that interface"? Where does this "expected" list come from? On a LAN, it seems like any address would be valid since a router doesn't know the list of IGP neighbors beforehand. 177 The passive side MUST then start sending BFD Control packets and 178 perform the necessary procedure for bringing up, maintaining and 179 tearing down the BFD session. If the BFD session fails to get 180 established within certain specified time, or if an established BFD 181 session goes down, the passive side SHOULD stop sending BFD Control 182 packets and MAY delete the BFD session created until BFD Control 183 packets are initiated by the active side again. (D) "If the BFD session fails to get established within certain specified time..." [nit] s/within certain specified time/within a certain specified time Where does a "certain specified time" come from? Is it configurable? Does it correspond to any of the state variables in rfc5880? (E) "SHOULD stop sending BFD Control packets" When is it ok not to stop sending BFD control packets? Why would the node continue sending packets if the session is not established (or goes down)? Why is this behavior recommended and not required? 185 When an Unsolicited BFD session goes down, an implementation MAY 186 retain the session state for a period of time. Retaining this state 187 can be useful for operational purposes. (F) Not exactly a contradiction, but confusing normative statements (between this paragraph and the one before): "MAY delete" vs "MAY retain" for the same event ("BFD session goes down"). ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- (0) I support Rob's and Lars' DISCUSS positions. (1) The Introduction makes several claims that must be developed further or eliminated to avoid further confusion. (1a) 131 The procedure described in this document could be applied to BFD for 132 Multihop paths [RFC5883]. However, because of security risks, this 133 document applies only to BFD for single IP hops [RFC5881]. At first glance, I didn't see anything in rfc5883 that would prevent a node in the passive role from following this specification. What am I missing? Aren't the security risks already addressed in rfc5883? (1b) 135 Compared to the "Seamless BFD" [RFC7880], this proposal involves only 136 minor procedural enhancements to the widely deployed BFD itself. 137 Thus we believe that this proposal is inherently simpler in the 138 protocol itself and deployment. As an example, it does not require 139 the exchange of BFD discriminators over an out-of-band channel before 140 BFD session bring-up. Given that this proposal claims to be better (or at least simpler) than S-BFD, what should an operator consider when deciding which to use? Are they covering similar use cases? If this is so much better, why is rfc7880 not deprecated? (1c) 142 When BGP Add-Path [RFC7911] is deployed at an IXP using a Route 143 Server, multiple BGP paths (when they exist) can be made available to 144 the clients of the Route Server as described in [RFC7947]. The 145 "unsolicited BFD" can be used in BGP route selection by these clients 146 to eliminate paths with "inaccessible nexthops". I guess that this part ("inaccessible nexthops") refers to "unresolvable routes" (from §9.1.2.1/rfc4271). Is that the correct assumption? First, please be consistent with the terminology. The text above says that ""unsolicited BFD" can be used in BGP route selection". Where is the interaction of BFD (in general -- not just unsolicited BFD) and BGP specified? (2) I am confused by the indication that this document Updates rfc9314 because no change is proposed to that RFC. Instead, the YANG model augments the model in rfc9314 with optional (to the base BFD) functionality. In my opinion, this is different than a formal Update, which is why rfc5880/rfc5881 are not tagged as being Updated either. [Because the use of the Updates tag is not clearly defined, then I'm not making this comment part of my DISCUSS.] (3) The "BFD Protocol Security Considerations" (Section 7.1) also needs work: 458 The same security considerations and protection measures as those 459 described in [RFC5880] and [RFC5881] apply to this document. In 460 addition, with "unsolicited BFD" there is potential risk for 461 excessive resource usage by BFD from "unexpected" remote systems. To 462 mitigate such risks, the following measures are mandatory: [minor] For clarity, consider using rfc2119 language above: s/mandatory/REQUIRED Note that the last two bullets are conditional statements, which may not be aligned with the intent of making the measures mandatory. 464 * Limit the feature to specific interfaces, and to single-hop BFD 465 with "TTL=255" [RFC5082]. GTSM is already required in rfc5880/rfc5881. Does it need to be required again? 466 * Apply "policy" to allow BFD packets only from certain subnets or 467 hosts. [nit] s/allow BFD packets/process BFD packets Given the statement in the Introduction about this document applying only to single IP hops, it seems that "certain subnets" are unnecessary as all the addresses on connected interfaces should fall on the same subnet. 468 * Deploy the feature only in certain "trustworthy" environment, 469 e.g., at an IXP, or between a provider and its customers. If this measure is mandatory, please expand on what a ""trustworthy" environment" is. 470 * Use BFD authentication, see [RFC5880]. In some environments, e.g. 471 when using an IXP, BFD authentication can not be used because of 472 the lack of coordination into the operation of the two endpoints 473 of the BFD session. In other environments, e.g. when BFD is used 474 to track the next hop of static routes, it is possible to use BFD 475 authentication: this comes with the extra cost of configuring 476 matching key-chains at the two endpoints. If BFD authentication 477 is used, the Meticulous Keyed SHA1 mechanism SHOULD be used.
- Alvaro Retana's Discuss on draft-ietf-bfd-unsolic… Alvaro Retana via Datatracker
- Re: Alvaro Retana's Discuss on draft-ietf-bfd-uns… Jeffrey Haas
- Re: Alvaro Retana's Discuss on draft-ietf-bfd-uns… Alvaro Retana
- Re: Alvaro Retana's Discuss on draft-ietf-bfd-uns… Jeffrey Haas
- Re: Alvaro Retana's Discuss on draft-ietf-bfd-uns… Reshad Rahman
- Re: Alvaro Retana's Discuss on draft-ietf-bfd-uns… Alvaro Retana