Re: Request for RTGWG Working Group adoption for draft-bashandy-rtgwg-segment-routing-ti-lfa

[Stewart Bryant <stewart.bryant@gmail.com>]

On 09/07/2018 20:53, Ahmed Bashandy wrote:
> Thanks for the comments
> See the reply inline at #Ahmed
>
> Ahmed
>
> On 5/29/18 3:35 AM, Alexander Vainshtein wrote:
>>
>> Robert, Chris and all,
>>
>> I agree with Robert that it is up to the authors of an individual 
>> submission what they consider in or out of scope of the draft.
>>
>> However, I agree with Chris that the authors of an individual draft 
>> asking for its adoption by a specific WG should do their best to 
>> address the comments they have received from the WG members.
>>
> #Ahmed: Thanks a lot

SB> I am not sure what that reply means.

>> From my POV this did not happen in the case of the draft in question 
>> – for the following reasons:
>>
>> 1.In his early RTG-DIR review 
>> <https://datatracker.ietf.org/doc/review-bashandy-rtgwg-segment-routing-ti-lfa-00-rtgdir-early-bryant-2017-05-31/> 
>> of the draft Stewart  has pointed to the following issues with the 
>> -00 version of the draft (needless to say, I defer to Stewart 
>> regarding resolution of these issues):
>>
>> a.*No IPR disclosures for draft-bashandy*in spite of 3 IPR 
>> disclosures for its predecessor draft-francois.  I have not seen any 
>> attempts to address this issue – at least, search of IPR disclosures 
>> for draft-bashandy did not yield any results today
>>
> #Ahmed: Since draft-bashandy inherits draft-francois, then the IPR of 
> the latter applies to the former. But if there is a spec that requires 
> re-attaching the IPR of an inherited draft to the inheriting draft, it 
> would be great to point it out or point out some other draft where 
> that occurred so that I can follow the exact procedure.

SB> There is (at least now) an IPR disclosure. Hopefully this covers all 
of the applicable IPR. We should move on.

>> b.*Selecting the post-convergence path *(inheritance from 
>> draft-francois) does not provide for any benefits for traffic that 
>> will not pass via the PLR */after convergence/*.
>>
>> i.The authors claim to have addressed this issue by stating that 
>> “Protection applies to traffic which traverses the Point of Local 
>> Repair (PLR). Traffic which does NOT traverse the PLR remains 
>> unaffected.”
>>

SB> It is not as simple as that, and I think that the draft needs to 
provide greater clarity.

I think there will be better examples, but consider

               12
       +--------------+
       |              |
A-----B-----C---//---D----E
         10  | |
             F--------G

Traffic injected at C will initially go C-D-E at cost 2, will be 
repaired C-F-G-D-E at cost 4 and will remain on that path post 
convergence. This congruence of path is what TI-LFA claims.

However, a long standing concern about traffic starting further back in 
the network needs to be more clearly addressed in the draft to clearly 
demonstrate the scope of applicability.

For traffic starting at A, before failure the path is A-B-C-D-E cost 13

TI-LFA will repair to make the path A-B-C-F-G-D-E cost 15 because TI-LFA 
optimises based on local repairs computed at C.

After repair the path will be A-B-D-E cost 14.

So the draft needs to make it clear to the reader that TI-LFA only 
provides benefit to traffic which traverses the PLR before and after 
failure. Traffic which does not pass through the PLR after the failure 
will need to be traffic engineered separately from traffic that passes 
though the PLR in both cases.


>> ii.From my POV this is at best a misleading statement because it does 
>> not really address Stewart’s comment which was about traffic that 
>> */traversed the PLR before convergence/* but */would not traverse it 
>> after convergence/*.
>>
>> iii.This is not a fine distinction: actually it indicates that 
>> selecting post-convergence path for repair is more or less  useless 
>> (unless the traffic originates at the PLR).
>>
> #Ahmed: Thanks for pointing out this *additional benefit* of providing 
> a post-convergence back path. If a flow starts to use the PLR after a 
> failure, then the presence of a post convergence backup path on the 
> PLR extends the benefits of using the post-convergence path to flows 
> that did not use the PLR prior the topology change. I will modify the 
> statement in the introduction to indicate that :)

SB> Sorry, I don't understand that point, please could you provide a 
network fragment that illustrates the advantage?

>
>> c.*Selecting the post-convergence path is detrimental to scalability 
>> of the solution*. Please note that in RFC 7490 
>> <https://tools.ietf.org/html/rfc7490> “the Q-space of E with respect 
>> to link S-E is used as a proxy for the Q-space of each destination” 
>>  in order to provide a scalable solution – but this clearly is not 
>> the case of draft-bashandy if post-convergence paths are used. To the 
>> best of my understanding, the authors did not, so far, do anything to 
>> address this comment.
>>
> #Ahmed: I fail to see why there is a scalability problem. 
> draft-bashandy-rtgwg-segment-routing-ti-lfa just prefers particular 
> node(s) in the Q space if that node(s) is (are) along the post 
> convergence path.
> But if I am missing something, it would be great to point out exactly 
> what aspect of scalability you are concerned about so that we can 
> address it

SB> The point is that traffic is constrained to a subset of Q-space on 
the false assumption that it needs to traverse that part of Q-space post 
convergence. The network fragment above clearly illustrates the point.

<snip>
>>
>>           
>>
>>         > 
>>
>>         > The work has four basic components, the concept of resolving the
>>
>>         > problem of P and Q being non-adjacent, the use of SR to solve the
>>
>>         > non-adjacency, the use of the post convergence path following failure
>>
>>         > and the applicability of these techniques to an SR network. The first
>>
>>         > and second points seem of utility in non-SR networks, and so I am
>>
>>         > surprised that they are not called out as such, in the first case
>>
>>         > perhaps with consideration to strategically places RSVP tunnels, or
>>
>>         > binding segments.
>>
>>         The draft already mentions that the work builds on top of existing FRR work. For example
>>
>>         the second statement of the abstract already says
>>
>>            builds on proven IP-FRR concepts being
>>
>>            LFAs, remote LFAs (RLFA), and remote LFAs with directed forwarding
>>
>>            (DLFA).
>>
>>         The statement about the possibility of using RSVP is clearly outside the scope of document as mentioned in first paragraph of the introduction.
>>
SB> In the introduction you set out the context of the work so I don't 
think that RSVP should
be dismissed so lightly since what you are doing is pretty much what an 
RSVP tunnel
repair would do, including taking into account the traffic volumes. 
Setting out why the
complexity of this repair technique outweighs the complexity of RSVP is 
part of the
deployment consideration process, and you ought to provide a balanced 
view so that
the reader can evaluate the issues for themselves.

>>           
>>
>>         > 
>>
>>         > The issue of mapping repair path to the post convergence path to the
>>
>>         > something that has always concerned me in this concept. It is true
>>
>>         > that traffic that always passes through the PLR will experience the
>>
>>         > properties the authors describe, but not all traffic will pass through
>>
>>         > the PLR post convergence. The post failure path will be topology
>>
>>         > dependent, and may take a different path from the point of ingress.
>>
>>         #Ahmed
>>
>>         The fourth paragraph in the introduction clearly mentions that we are protecting the traffic passing through the PLR.
>>
... See above. It only applies to a subset of that traffic.

>>           
>>
>>         > 
>>
>>         > I am also concerned that the authors do not discuss the need for loop
>>
>>         > free convergence, since although traffic going through the repair path
>>
>>         > will be loop-free, traffic arriving at the PLR might not be.. Consider
>>
>>         > for example a topology fragment that looks like a clock with a router
>>
>>         > at each minute. Traffic enters at 9 o'clock, leave at 3 o'clock and
>>
>>         > goes via 12 o'clock and 12 o'clock fails.  The routers 9..12 will
>>
>>         > re-converge at different times and this may give rise to the
>>
>>         > micro-looping of traffic trying to get to the PLR. A summary of the
>>
>>         > problem and a pointer to the companion draft may be sufficient.
>>
>>         #Ahmed
>>
>>         The last statement in the first paragraph in the introduction refers the reader to the uloop avoidance draft which handles non-local failures
>>

SB> The question I have had for a long time, is whether traffic patterns 
are such that deployment of this
makes any sense without co-deployment of the uloop draft. The 
implication as always been that it
does, but that puts the onus on the operator to validate that position 
against all first and probably all
second failures for each evolution of their topology.
>>
>>         > 
>>
>>         > There is no discussion of multiple failures, nor as far as I can see
>>
>>         > of failures that are worse than anticipated. This is an important
>>
>>         > point that needs to be established early. Some methods, (MRT)
>>
>>         > intrinsically address multiple failures, others (NV) intrinsically
>>
>>         > exclude them. Simple LFA needs a supervisor to quickly abandon all
>>
>>         > hope when they occur.
>>
>>         #Ahmed
>>
>>         As specified in the 3rd paragraph of the introduction the scope of the document is limited to single link, single node, and single local SRLG failure.
>>
>>           
>>
SB> Given that there *will* be multiple failures from time to time, the 
text needs to provide
advice the matter.

>>         > 
>>
>>         > In an SR network the paths used are not the shortest paths, they are a
>>
>>         > collection of shortest paths, so there needs to be some discussion on
>>
>>         > the interaction between the SR paths and repair paths to consider
>>
>>         > whether it is unconditionally safe against forwarding loops.. It would
>>
>>         > presumably be so if the authors borrowed the concept of repair
>>
>>         > addresses rather than normal forwarding addresses from not-via, but I
>>
>>         > don't think they have done this.
>>
>>         #Ahmed
>>
>>         Again the second statement of the 1st paragraph of the Introduction says
>>
>>           
>>
>>            By relying on segment routing this document provides
>>
>>                   a local repair mechanism for standard IGP shortest path
>>
>>           
>>
>>         So the scope of the document is quite clear
>>

SB> Reflecting on this, I cannot think of a case where you would 
generate a forwarding loop, provided
you ensure that no path between SR nodes crosses the failure, including 
ECMP paths.

SB> Please can you confirm that ECMP through the failure is prohibited 
by the algorithm?

>>           
>>
>>         > 
>>
>>         > There should also be some discussion on the original path constraints
>>
>>         > that are applicable to the repair. Presumably the ingress node
>>
>>         > constrained the traffic to go though failed node F for a reason. If
>>
>>         > the repair is unconstrained that reason could be violated, but this is
>>
>>         > not discussed in the text.
>>
>>         #Ahmed
>>
>>         Same response as the response to the previous comment. The scope is standard IGP shortest paths
>>
>>           
>>
SB> So this can never be used to repair an SR path?

I think you either need to state that as a constraint, or specify how 
you fulfil the requirements of the
node creating the original SR path, or you need to state that when 
TI-LFA is being used to repair an SR
path the path constraints are in not in general respected.

>>           
>>
>>         > 
>>
>>         > 
>>
>>         > In the Security section you say:
>>
>>         > 
>>
>>         >     The behavior described in this document is internal functionality
>>
>>         >     to a router that result in the ability to guarantee an upper bound
>>
>>         >     on the time taken to restore traffic flow upon the failure of a
>>
>>         >     directly connected link or node. As such no additional security
>>
>>         >     risk is introduced by using the mechanisms proposed in this
>>
>>         >     document.
>>
>>         > 
>>
>>         > 
>>
>>         > SB> I am not sure that the above is correct. There may be a security
>>
>>         > reason
>>
>>         > SB> why a packet was steered along a path which breaks when you use
>>
>>         > this
>>
>>         > SB> technique.
>>
>>         #Ahmed
>>
>>         The security consideration section has been modified to to indicate that
>>
>>         the traffic is being steered over the post convergence path and hence there
>>
>>         is no security risk because this is the path that the operator intended to use
>>
>>         after the failure through the metrics configured on the links.
>>
SB> I think we have a counter example.

>>         In fact by expediting
>>
>>         rerouting the traffic over the intended post convergence path without waiting
>>
>>         for IGP reconvergence, we have introduced a minor security enhancement by reducing
>>
>>         misforwarding and/or traffic drop
>>
>>           
>>
>>           
>>
>>           
>>
>>         > 
>>
>>         > In the conclusion you say:
>>
>>         > 
>>
>>         >     The
>>
>>         >     mechanism is able to calculate the backup path irrespective of the
>>
>>         >     topology as long as the topology is sufficiently redundant.
>>
>>         > 
>>
>>         > 
>>
>>         > SB> That is certainly true in classic. I am not sure this is
>>
>>         > universally
>>
>>         > SB> true under SR which includes the use of non-shortest path and
>>
>>         > SB> binding segments.
>>
>>           
>>
>>         #Ahmed
>>
>>         Again the document is restricted to IGP shortest path as mentioned in the introduction
>>

SB> The security section needs to state that if this is used to repair 
an SR path additional
security considerations apply.

It sounds like it needs to state that in the event of multiple failures 
the result is
undetermined.

>>         s
>>
>>           
>>
>>         > Minor issues:
>>
>>         > 
>>
>>         >     For each destination in the network, TI-LFA prepares a data-plane
>>
>>         >     switch-over to be activated upon detection of the failure of a
>>
>>         >     link used to reach the destination.
>>
>>         > 
>>
>>         > SB> To make the scaling clearer to the reader, I think you need
>>
>>         > SB> to make it clear that for each protected link, you determine
>>
>>         > SB> the repair needed to reach every destination reachable over that
>>
>>         > SB> link. You sort of say that, but it's a bit hidden.
>>
>>         #Ahmed
>>
>>         I do not understand the difference between the text in the draft and the
>>
>>         text that you are proposing. We think that our text is quite clear
>>
>>           
>>
>>           
>>
>>         >     We provide the TI-LFA approach that achieves guaranteed coverage
>>
>>         >     against link, node, and local SRLG failure, in any IGP network,
>>
>>         >     relying on the flexibility of SR.
>>
>>         > 
>>
>>         > SB> Should that be any SINGLE link.... failure?
>>
>>         #Ahmed
>>
>>         As mentioned above few times above, the introduction clearly mentions *single*
>>
SB> Yes, but the point is so important that you cannot over emphasise it.

>>           
>>
>>           
>>
>>         > In the text (and the text that follows)
>>
>>         > 
>>
>>         >     To do so, S applies a "NEXT" operation on Adj(S-F) and then two
>>
>>         >     consecutive "PUSH" operations: first it pushes a node segment for
>>
>>         > F,
>>
>>         >     and then it pushes a protection list allowing to reach F while
>>
>>         >     bypassing S-F.
>>
>>         > 
>>
>>         > You need to reference the SR operations.
>>
>>         #Ahmed
>>
>>         This paragraph is in Section 5.2.1. The latest version refers to the SR draft
>>

SB> I think the point remains.

>>           
>>
>>         > 
>>
>>         > Also you are considering Adj segments, and presumably they were there
>>
>>         > for a reason, but you do not discuss that.
>>
>>         #Ahmed
>>
>>         Section 5.2 discusses protecting adjacency segments
>>
>>           
>>
>>           
>>
>>         > 
>>
>>         > In 5.3.1 and 5.3.2 you have a list of conditions, but do not make it
>>
>>         > clear whether any or all must be true.
>>
>>         > 
>>
>>         #Ahmed
>>
>>         The intention is for all of the conditions to be true. I will make it clear in the next version
>>
>>           
>>
SB> Thank you.
>>
>>           
>>
>>         > Nits
>>
>>         > 
>>
>>         > 1. Introduction
>>
>>         > 
>>
>>         >     Segment Routing aims at supporting services with tight SLA
>>
>>         >     guarantees [1]. This document provides a local repair mechanism
>>
>>         >     relying on SR-capable of restoring end-to-end connectivity in the
>>
>>         >     case of a sudden failure of a network component.
>>
>>         > 
>>
>>         > SB> Grammar needs a little work in the last sentence.
>>
>>         #Ahmed
>>
>>         Addressed in the latest version of the document
>>
SB> Thank you.
>>
>>           
>>
>>           
>>
>>         > In Fig 1, I assume that the blobs are network fragments.
>>
>>         > 
>>
>>         > In the conclusion you say:
>>
>>         >     This document proposes a mechanism that is able to pre-calculate a
>>
>>         >     backup path for every primary path so as to be able to protect
>>
>>         >     against the failure of a directly connected link or node.
>>
>>         > SB> you need to add SRLG
>>
>>         #Ahmed
>>
>>         Addressed in the latest version of the draft
>>
SB> Thanks you.

- Stewart