Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

PPT Version

advertisement 
BFD protocol update
IETF 62
David Ward
mailto:dward@cisco.com
What has changed in the base?
• We have a new, incompatible change in
the state machine (more later)
• We added SHA-1 authentication
• Explained how to enable|disable
authentication w/o resetting the session
• Added Diags for concatenated links
What has changed in single hop?
• We specified what to do during
Graceland Restart
– In particular what the IGPs are to do
• Stated that don’t have to use TTL 255
when using auth
YAND
• On the list we discussed hacking single
hop vs a new draft
• WG chairs would like a draft describing
how to ‘generically’ bootstrap a BFD
session vs explicitly stating more
protocols in single hop draft.
• Will become WG item
Concatenated Paths and BFD
• Two diagnostic codes are defined for this purpose:
– Concatenated Path Down (toward the interworking system)
– Reverse Concatenated Path Down (away from the
interworking system).
• Note that the BFD session is not taken down.
• Note that if the BFD session subsequently fails, the
diagnostic code will be overwritten with a code
detailing the cause of the failure, so it is up to the
interworking agent to perform this procedure again
Security Stuff
• We were forced^H^H^H^H^H^H asked to add SHA-1
• We were told to make sure that we can enable|disable
auth w/o dropping the session
– We removed the requirement that both sides have to have
strict drops
– Although outside the scope of the spec we give some hints
on how to develop it.
– If it is confusing or really not wanted (it is rather easy to code
and interoperate) - we are willing to revert though it seems
unnecessary
BFD V1
• Why? What is the problem w/ V0?
• Daves send many thanks to Richard Spencer!
• BFD as spec'ed has the following problems:
The fundamental problem is that BFD has two
separate wait states (Init and Failing) and is thus
bi-stable, and there is not enough information
available (the IHU bit) to detect this case.
BFD V1 Problem slide 2
• Worse, if the two ends use different timers during
session establishment (say, 1 sec on one end and 5
sec on the other) the deadlock scenario is guaranteed
to happen repeatedly (unrecoverably.)
• If there is a unidirectional failure, the deadlock
scenario is guaranteed to happen 50% of the time
(depending on who gets their packet across first) with
the timer expiring to get the one guy out of Init state;
then the dice roll again.
BFD V1 Solution
• The good news is that by adding a bit in the
protocol, we get rid of a state.
– makes sense from a global information theory
perspective.
• This is much better, simpler, and is
demonstrably correct by inspection.
– It also comes up in less packets, and handles the
unidirectional failure well (it actually takes one less
packet to come up in that scenario.)
BFD V1 Solution slide 2
• It's the same as every protocol you've seen,
with the addition of the loop in the DOWN state
as long as the neighbor is in UP state
– Thus forcing the neighbor to acknowledge the
failure before advancing.
– This is sufficient to ensure both sides see the
session failure.
– ISIS and OSPF have more or less the same state
machine, except that they will advance directly from
DOWN to UP without having ever sent a packet,
thus depriving the neighbor of the knowledge of the
flap - we can’t do that
V1 slide 2.1
• The Mandatory Section of a BFD Control packet has
the following format:
0
1
2
3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vers | Diag
|Sta|P|F|C|A|D|R| Detect Mult |
Length
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
My Discriminator
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
Your Discriminator
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
Desired Min TX Interval
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
Required Min RX Interval
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
Required Min Echo RX Interval
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
V1 slide 2.2
• As said before … no more IHU, no more Failing state
State (Sta) Values are:
0 -- AdminDown
1 -- Down
2 -- Init
3 -- Up
• Each system communicates its state in the State
(Sta) field in the BFD Control packet
– No more ambiguity
V1 State Machine slide 2.3
• Down state means that the session is down (or
has just been created.)
– A session remains in Down state until the remote
system indicates that it agrees that the session is
down by sending a BFD Control packet with the
State field set to anything other than Up.
– If that packet signals Down state, the session
advances to Init state; if that packet signals Init
state, the session advances to Up state.
V1 State Machine slide 2.4
• Init state means that the remote system is
communicating, and the local system desires to
bring the session up, but the remote system
does not yet realize it.
– A session will remain in Init state until either a BFD
Control Packet is received that is signalling Init or
Up state
– or until the detection time expires, meaning that
communication with the remote system has been
lost
V1 State Machine slide 2.5
•
Up state means that the BFD session has
successfully been established, and implies that
connectivity between the systems is working.
– The session will remain in the Up state until either
connectivity fails, or the session is taken down
administratively.
– If either the remote system signals Down state, or
the detection timeexpires, the session advances to
Down state
V1 State Machine slide 2.6
• AdminDown state means that the session is
being held administratively down.
– This causes the remote system to enter Down state,
and remain there until the local system exits
AdminDown state.
BFD V1 Solution slide 3
• There will not be any fancy versioning
machinery added to the protocol
• V1 will become the default
• V1 assumed unless hear V0 (another version)
and revert
– V1 will not specify that you have to be BW
compatible
– The protocol is not widely deployed for a versioning
requirement
BFD-ISIS interaction (see ISIS WG)
What is the Problem?
•
The control plane (ISIS) can run even though
there is a forwarding plane failure.
– The BFD session will dutifully fail in these
conditions, but ISIS will come back up anyhow
(because it can't differentiate this scenario from
having a neighbor that doesn't run BFD.)
BFD-ISIS interaction.2 (ISIS WG)
What is the Solution?
• The ISIS router will advertise that BFD is running on an
interface in a TLV in the IIH.
• If no advertisement, don’t attempt a BFD session w/
that neighbor.
• When receiving an IIH from a neighbor on an interface
with BFD enabled, and if the IIH contains the BFD
enabled TLV:
– Then the establishment of a BFD session with that neighbor
will be required before allowing the adjacency to the neighbor
to reach the UP state.
– Will require 3-way on p2p
Doc status
• New Base spec when embargo lifted
– Yes, it is actually written already
– We plan to have a review period and the LC before next
meeting
• New single hop draft w/ more nits picked
– We will last call after a review period
• New generic bootstrap draft - agree to take on as WG
doc
– We will LC after a review period
• MIB will be updated to reflect changes
– We will LC after a review period but before Paris
• BFD - LSPping will be LC’ed
• Review periods will be 3 wks and LC will be 3 wks
Related documents
Proactive fault detection in E-VPN
Proactive fault detection in E-VPN
CPD-11.840 Military Leave of Absence
CPD-11.840 Military Leave of Absence
Introduction to BFD on ASR9000 - DOC-16260
Introduction to BFD on ASR9000 - DOC-16260
Seamless BFD
Seamless BFD
Isis and Osiris - Stratford High School
Isis and Osiris - Stratford High School
Network Packet Generator - High Speed Digital Systems Lab
Network Packet Generator - High Speed Digital Systems Lab
view
view
An Analytics Approach to Traffic Analysis in Network Virtualization
An Analytics Approach to Traffic Analysis in Network Virtualization
Security Warrior Know Your Enemy Cyrus Peikari & Anton Chuvakin
Security Warrior Know Your Enemy Cyrus Peikari & Anton Chuvakin
Layer 3 Switching - Columbus State University
Layer 3 Switching - Columbus State University
2013-09-ISIS-Evaluation - American Public Human Services
2013-09-ISIS-Evaluation - American Public Human Services
PPt
PPt
Download
advertisement