Internet Engineering Task Force (IETF) C. PignataroInternet-DraftRequest for Comments: 7880 D. Ward Updates: 5880(if approved)CiscoIntended status:Category: Standards Track N. AkiyaExpires: November 7, 2016ISSN: 2070-1721 Big Switch Networks M. Bhatia Ionos Networks S. PallagattiMay 6,July 2016 Seamless Bidirectional Forwarding Detection (S-BFD)draft-ietf-bfd-seamless-base-11Abstract This document definesa simplified mechanism to useSeamless Bidirectional Forwarding Detection(BFD)(S- BFD), a simplified mechanism for using BFD with a largeportionsproportion of negotiation aspects eliminated, thus providing benefits such as quickprovisioningprovisioning, as well as improved control and flexibilitytofor network nodes initiatingthepath monitoring. This document updatesRFC5880. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described inRFC2119 [RFC2119].5880. Status of This Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 ofsix monthsRFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on November 7, 2016.http://www.rfc-editor.org/info/rfc7880. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . 3....................................................4 2. Terminology. . . . . . . . . . . . . . . . . . . . . . . . . 3.....................................................4 3. Seamless BFD Overview. . . . . . . . . . . . . . . . . . . . 5...........................................6 4. S-BFD Discriminators. . . . . . . . . . . . . . . . . . . . 6............................................7 4.1. S-BFD Discriminator Uniqueness. . . . . . . . . . . . . 6.............................7 4.2. Discriminator Pools. . . . . . . . . . . . . . . . . . . 7........................................7 5. Reflector BFD Session. . . . . . . . . . . . . . . . . . . . 7...........................................8 6. State Variables. . . . . . . . . . . . . . . . . . . . . . . 8.................................................9 6.1. New State Variables. . . . . . . . . . . . . . . . . . . 8........................................9 6.2. State Variable Initialization and Maintenance. . . . . . 9..............9 7. S-BFD Procedures. . . . . . . . . . . . . . . . . . . . . . 9...............................................10 7.1. Demultiplexing of S-BFD Control Packet. . . . . . . . . 9....................10 7.2. Responder Procedures. . . . . . . . . . . . . . . . . . 10......................................11 7.2.1. Responder Demultiplexing. . . . . . . . . . . . . . 10...........................11 7.2.2. Transmission of S-BFD Control Packet by SBFDReflector10......................................11 7.2.3. Additional SBFDReflector Behaviors. . . . . . . . . 11.................12 7.3. Initiator Procedures. . . . . . . . . . . . . . . . . . 12......................................13 7.3.1. SBFDInitiator State Machine. . . . . . . . . . . . . 12........................14 7.3.2. Transmission of S-BFD Control Packet by SBFDInitiator13......................................15 7.3.3. Additional SBFDInitiator Behaviors. . . . . . . . . 14.................15 7.4. Diagnostic Values. . . . . . . . . . . . . . . . . . . . 14.........................................16 7.5. The Poll Sequence. . . . . . . . . . . . . . . . . . . . 15.........................................16 8. Operational Considerations. . . . . . . . . . . . . . . . . 15.....................................16 8.1. Scaling Aspect. . . . . . . . . . . . . . . . . . . . . 15............................................17 8.2. Congestion Considerations. . . . . . . . . . . . . . . . 16.................................17 9. Co-existence with Classical BFD Sessions. . . . . . . . . . 16.......................17 10. S-BFD Echo Function. . . . . . . . . . . . . . . . . . . . . 16...........................................18 11. Security Considerations. . . . . . . . . . . . . . . . . . . 17.......................................19 12.IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 15.References. . . . . . . . . . . . . . . . . . . . . . . . . 19 15.1.....................................................20 12.1. Normative References. . . . . . . . . . . . . . . . . . 19 15.2......................................20 12.2. Informative References. . . . . . . . . . . . . . . . . 19...................................20 Appendix A. Loop Problem and Solution. . . . . . . . . . . . . 20.............................22 Acknowledgements ..................................................23 Contributors ......................................................23 Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . . 21................................................24 1. Introduction Bidirectional Forwarding Detection (BFD), as described in [RFC5880] and related documents, has efficiently generalized the failure detection mechanism for multiple protocols and applications. There are some improvements that can be made to better fit existing technologies. There is a possibility of evolving BFD to better fit new technologies. This document focuses on several aspects of BFD in order to further improve efficiency,toexpand failure detectioncoveragecoverage, andtoallow BFD usage for wider scenarios. Additional use cases are listed in[I-D.ietf-bfd-seamless-use-case].[RFC7882]. Specifically, this document defines Seamless Bidirectional Forwarding Detection(S-BFD)(S-BFD), a simplified mechanismto use Bidirectional Forwarding Detection (BFD)for using BFD with a largeportionsproportion of negotiation aspects eliminated, thus providing benefits such as quickprovisioningprovisioning, as well as improved control and flexibilitytofor network nodes initiatingthepath monitoring. S-BFD enables cases benefiting from the use of core BFD technologies in a fashion that leverages existing implementations and protocol machinery while providing a rather simplified and largely stateless infrastructure for continuity testing. One key aspect of the mechanism described in this document eliminates the time between a network node wanting to perform a continuity test and completing the continuity test. In traditional BFD terms, the initial state changes from DOWN to UP are virtually nonexistent. Removal of thisseam"seam" (i.e., time delay) in BFD providesapplicationsa smooth and continuous operationalexperience.experience for applications. Therefore, "Seamless BFD" (S-BFD) has been chosen as the name for this mechanism. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. The reader is expected to be familiar with the BFD [RFC5880], IP[RFC0791] [RFC2460][RFC791] [RFC2460], and MPLS [RFC3031]terminologiesterms and protocol constructs.ThisThe remainder of this section describes several newterminologiesterms introduced by S-BFD. o Classical BFD - BFD session types based on [RFC5880]. o S-BFD - Seamless BFD. o S-BFDcontrolControl packet - a BFDcontrolControl packet for the S-BFD mechanism. o S-BFDechoEcho packet - a BFDechoEcho packet for the S-BFD mechanism. o S-BFD packet - a BFDcontrolControl packet or a BFDechoEcho packet. o Entity - a function on a network nodethatto which the S-BFD mechanism allows remote network nodes to perform continuitytest to.tests. An entity can be abstract (e.g., reachability) or specific (e.g., IP addresses,router-IDs,Router-IDs, functions). o SBFDInitiator - an S-BFD session on a network node that performs a continuity test to a remote entity by sending S-BFD packets. o SBFDReflector - an S-BFD session on a network node that listens for incoming S-BFDcontrolControl packets to local entities and generates response S-BFDcontrolControl packets. o Reflector BFD session - synonymous with SBFDReflector. o S-BFDdiscriminatorDiscriminator - a BFDdiscriminatorDiscriminator allocated for a localentity and is being listened by an SBFDReflector.entity. An SBFDReflector listens for S-BFD Discriminators. o BFDdiscriminatorDiscriminator - a BFDdiscriminatorDiscriminator allocated for an SBFDInitiator. o Initiator - a network node hosting an SBFDInitiator. o Responder - a network node hosting an SBFDReflector. Figure 1 describes the relationship between S-BFDterminologies.terms. +---------------------+ +------------------------+ | Initiator | | Responder | | +-----------------+ | | +-----------------+ | | | SBFDInitiator |---S-BFDctrlCtrl pkt----->| SBFDReflector | | | | +-------------+ |<--S-BFDctrlCtrl pkt------| +-------------+ | | | | | BFDdiscrimDiscrim | | | | | |S-BFDdiscrim|Discrim| | | | | | | |---S-BFDechoEcho pkt---+ | | | | | | | +-------------+ | | | | | +----------^--+ | | | +-----------------+<-------------------+ +------------|----+ | | | | | | | | | +---v----+ | | | | | Entity | | | | | +--------+ | +---------------------+ +------------------------+ Figure 1: S-BFD Terminology Relationship 3. Seamless BFD Overview An S-BFD module on each network node allocates one or more S-BFDdiscriminatorsDiscriminators for localentities,entities and creates areflectorReflector BFD session. Allocated S-BFDdiscriminatorsDiscriminators may be advertised by applications (e.g., OSPF/IS-IS).RequiredThe required result is thatapplications,applications on other networknodes, possess the knowledge ofnodes will know about the S-BFDdiscriminatorsDiscriminators allocated by a remote node to remote entities. ThereflectorReflector BFDsession is to,session, upon receiving an S-BFDcontrolControl packet targeted to one of the local S-BFDdiscriminatorDiscriminator values, is to transmit a response S-BFDcontrolControl packet back to the initiator. Once the above setup is complete, any networknode, having the knowledge ofnode that knows about the S-BFDdiscriminatorDiscriminator allocated by a remote node to a remoteentity/entities,entity or entities can quickly perform a continuity test to the remote entity by simply sending S-BFDcontrolControl packets with a corresponding S-BFDdiscriminatorDiscriminator value in the"your discriminator"Your Discriminator field. This is exemplified in Figure 2. <------- IS-IS Network -------> +---------+ | | A---------B---------C---------D ^ ^ | |SystemID SystemIDSystem-ID System-ID xxx yyy BFD Discrim BFD Discrim 123 456 Figure 2: S-BFD for IS-IS Network An S-BFD module in a system with IS-ISSystemIDSystem-ID xxx(node(Node A) allocates an S-BFDdiscriminatorDiscriminator 123, and IS-IS advertises the S-BFDdiscriminatorDiscriminator 123 in an IS-IS TLV. An S-BFD module in a system with IS-ISSystemIDSystem-ID yyy(node(Node D) allocates an S-BFDdiscriminatorDiscriminator 456, and IS-IS advertises the S-BFDdiscriminatorDiscriminator 456 in an IS-IS TLV. AreflectorReflector BFD session is created on both network nodes(node(Node A andnodeNode D). Whennetwork nodeNode A wants to check the reachabilityto network nodeof Node D,nodeNode A can send an S-BFDcontrol packet,Control packet destined tonode D,Node D with"your discriminator"the Your Discriminator field set to 456. When thereflectorReflector BFD session onnodeNode D receives this S-BFDcontrolControl packet, then a response S-BFDcontrolControl packet is sent back tonodeNode A, which allowsnodeNode A to complete the continuity test. When a node allocates multiple S-BFDdiscriminators,Discriminators, how remote nodes determine which of the discriminators is associated with a specific entity is currently unspecified. The use of multiple S-BFDdiscriminatorsDiscriminators by a single network node is therefore discouraged until a means of learning the mapping is defined. 4. S-BFD Discriminators 4.1. S-BFD Discriminator Uniqueness One important characteristic of an S-BFDdiscriminatorDiscriminator is that it MUST be unique within an administrative domain. If multiple network nodesallocatedallocate the same S-BFDdiscriminatorDiscriminator value, then S-BFDcontrolControl packets falsely terminating on a wrong network node can result in areflectorReflector BFD sessionto generategenerating a responseback, due to "your discriminator" matching.back because of a matching Your Discriminator value. This is clearly not desirable. 4.2. Discriminator Pools This subsection describes a discriminator pool implementation technique to minimize S-BFDdiscriminatorDiscriminator collisions.The resultThis technique will allow an implementation to better satisfy the S-BFDdiscriminatorDiscriminator uniqueness requirement defined in Section 4.1. o An SBFDInitiator is to allocate a discriminator from the BFDdiscriminatorDiscriminator pool. If the system also supports classical BFDthat runs on [RFC5880],(i.e., implements [RFC5880]), then the BFDdiscriminatorDiscriminator pool SHOULD be shared by SBFDInitiator sessions and classical BFD sessions. o An SBFDReflector is to allocate a discriminator from the S-BFDdiscriminatorDiscriminator pool. The S-BFDdiscriminatorDiscriminator pool SHOULD be a separate poolthanfrom the BFDdiscriminatorDiscriminator pool. The remainder of this subsection describes the reasons for the suggestions above. Locally allocated S-BFDdiscriminatorDiscriminator values forentities, listened byentities that SBFDReflectorsessions,sessions are listening for may bearbitraryarbitrarily allocated or derived from values provided by applications. These values may be protocol IDs (e.g., System-ID, Router-ID) or network targets (e.g., IP address). To avoid derived S-BFDdiscriminatorDiscriminator values already being assigned to other BFD sessions (i.e., SBFDInitiator sessions and classical BFD sessions), it is RECOMMENDED that the discriminator pool for SBFDReflector sessions be separate from other BFD sessions. Even when following theseparate"separate discriminatorpoolpool" approach, a collision is still possible betweenone S-BFD application to anotherdifferent S-BFDapplication,applications that may be using different values and algorithms to derive S-BFDdiscriminatorDiscriminator values. Ifthetwo applications are using S-BFD for the same purpose (e.g., network reachability), then the colliding S-BFDdiscriminatorDiscriminator value can be shared. If the two applications are using S-BFD for a different purpose, then the collision must be addressed. The use of multiple S-BFDdiscriminatorsDiscriminators by a single network node, however, is discouraged (see Section 3). 5. Reflector BFD Session Each network node creates one or morereflectorReflector BFD sessions. ThisreflectorReflector BFD session is a session that transmits S-BFDcontrolControl packets in response to received S-BFDcontrolControl packets with"your discriminator"the Your Discriminator field having S-BFDdiscriminatorsDiscriminators allocated for local entities. Specifically, thisreflectorReflector BFD session has the following characteristics: o MUST NOT transmit any S-BFD packets based on local timer expiry. o MUST transmit an S-BFDcontrolControl packet in response to a received S-BFDcontrolControl packet having a valid S-BFDdiscriminatorDiscriminator in the"your discriminator"Your Discriminator field, unless prohibited by local policies (e.g., administrative, security,rate-limiter, etc.)rate-limiter). o MUST be capable of sending only two states: UP andADMINDOWN.AdminDown. OnereflectorReflector BFD session may be responsible for handling received S-BFDcontrolControl packets targeted to all locally allocated S-BFDdiscriminators,Discriminators, or a fewreflectorReflector BFD sessions may each be responsible for a subset of locally allocated S-BFDdiscriminators.Discriminators. This policy is a localmatter,matter and is outside the scope of this document. Note that incoming S-BFDcontrolControl packets may be based on IPv4,IPv6IPv6, or MPLSbased [I-D.ietf-bfd-seamless-ip], and[RFC7881]. Note also that other options are possible andcanmay be defined in future documents. How such S-BFDcontrolControl packets reach an appropriatereflectorReflector BFD session is also a localmatter,matter and is outside the scope of this document. 6. State Variables S-BFD introduces new statevariables,variables and modifies the usage of existing ones. 6.1. New State Variables A new state variable is added to the base specification in support of S-BFD. o bfd.SessionType: This is a new state variable that describes the type ofthisa particular session. Allowable values for S-BFD sessions are: * SBFDInitiator - an S-BFD session on a network node that performs a continuity test to a target entity by sending S-BFD packets. * SBFDReflector - an S-BFD session on a network node that listens for incoming S-BFDcontrolControl packets to local entities and generates response S-BFDcontrolControl packets. The bfd.SessionType variable MUST be initialized to the appropriate type when an S-BFD session is created. 6.2. State Variable Initialization and MaintenanceA state variable definedState variables (defined in Section 6.8.1 of[RFC5880][RFC5880]) need to be initialized or manipulateddifferentlydifferently, depending on the session type. o bfd.DemandMode: This variable MUST be initialized to 1 for session typeSBFDInitiator,SBFDInitiator and MUST be initialized to 0 for session type SBFDReflector. This is done to prevent loops (see Appendix A). 7. S-BFD Procedures 7.1. Demultiplexing of S-BFD Control Packet An S-BFD packet MUST be demultiplexed withlower layerlower-layer information (e.g., dedicated destination UDP port[I-D.ietf-bfd-seamless-ip],[RFC7881], associatedchannel type [I-D.ietf-pals-seamless-vccv]).Channel Type [RFC7885]). The following procedure SHOULD be executed on both initiator andreflector.reflector: If the packet is an S-BFD packet If the S-BFD packet is for an SBFDReflectorPacketThe packet MUST be looked up to locate a corresponding SBFDReflector session based on the value from the"your discriminator"Your Discriminator field in the table describing S-BFDdiscriminators.Discriminators. ElsePacketThe packet MUST be looked up to locate a corresponding SBFDInitiator session or classical BFD session based on the value from the"your discriminator"Your Discriminator field in the table describing BFDdiscriminators.Discriminators. If nomatchmatch, then the received packet MUST be discarded. If the session is an SBFDInitiatorDestinationsession The destination of the packet (i.e., the destination IP address) SHOULD bevalidated to beverified as being forself.itself. ElsePacketThe packet MUST bediscardeddiscarded. ElseProcedureThe procedure described in Section 6.8.6 of [RFC5880] MUST be applied. More details on S-BFDcontrolControl packet demultiplexing aredescribedprovided in relevant S-BFDdata planedata-plane documents. 7.2. Responder Procedures A network node that receives S-BFDcontrolControl packets transmitted by an initiator is referred to as the responder. The responder, upon reception of S-BFDcontrolControl packets, is toperform necessary relevant validationsverify the validity of the packets, as described in [RFC5880]. 7.2.1. Responder Demultiplexing An S-BFD packet MUST be demultiplexed withlower layerlower-layer information. The following procedure SHOULD be executed by the responder: If"your discriminator"the Your Discriminator field is not one of theentryentries allocated for local entitiesPacketThe packet MUST be discarded. ElsePacketThe packet is determined to be handled by areflectorReflector BFD session responsible for that S-BFDdiscriminator.Discriminator. If allowable per local policyallows(e.g., administrative, security,rate- limiter, etc.) Chosen reflectorrate-limiter) The chosen Reflector BFD session SHOULD transmit a response BFDcontrolControl packet using the procedures described in Section 7.2.2. 7.2.2. Transmission of S-BFD Control Packet by SBFDReflectorContentsThe contents of S-BFDcontrolControl packets sent by an SBFDReflector MUST be set as per Section 6.8.7 of [RFC5880]. There are a few fields thatneedsneed to be set differently from[RFC5880][RFC5880], as follows: State (Sta) Set to bfd.SessionState (either UP orADMINDOWNAdminDown only). Clarification ofreflectorReflector BFD session state is described in Section 7.2.3. Demand (D) Set to 0, toidentifyindicate that the S-BFD packet is sent by the SBFDReflector. Detect Mult Value to be copied from"Detection Multiplier" filedthe Detection Multiplier field of the received BFD packet. My Discriminator Value to be copied from"your discriminator" filedthe Your Discriminator field of the received BFD packet. Your Discriminator Value to be copied from"my discriminator" filedthe My Discriminator field of the received BFD packet. Desired Min TX Interval Value to be copied from"Desiredthe Desired Min TXInterval" filedInterval field of the received BFD packet. Required Min RX Interval Set toa bfd.RequiredMinRxInterval, value describingbfd.RequiredMinRxInterval. Value indicating the minimum interval, inmicrosecondsmicroseconds, between receivedSBFDS-BFD Control packets. Further details aredescribedprovided in Section 7.2.3. Required Min Echo RX Interval If the device supports looping back S-BFDechoEcho packets Set to the minimum required S-BFD Echo packet receive interval for this session. Else Set to 0. 7.2.3. Additional SBFDReflector Behaviors o S-BFDcontrolControl packets transmitted by the SBFDReflector MUST have"RequiredRequired Min RXInterval"Interval set to a value that expresses, in microseconds, the minimum interval between incoming S-BFDcontrolControl packets that this SBFDReflector can handle. The SBFDReflector can control how fastSBFInitiatorsSBFDInitiators will be sending S-BFDcontrolControl packets toselfthemselves by ensuring"Requiredthat Required Min RXInterval"Interval indicates a value based on the current load. o When the SBFDReflector receives an S-BFDcontrolControl packet from an SBFDInitiator, then the SBFDReflector needs to determine what "state" to send in the response S-BFDcontrolControl packet. If the monitored local entity is in service, then the"state"state MUST be set to UP. If the monitored local entity is "temporarily out of service", then the"state"state SHOULD be set toADMINDOWN.AdminDown. o If an SBFDReflector receives an S-BFDcontrolControl packet with the Demand (D) bit cleared, the packet MUST be discarded (see Appendix A). 7.3. Initiator Procedures S-BFDcontrolControl packets transmitted by an SBFDInitiator MUST set"your discriminator"the Your Discriminator field to an S-BFDdiscriminatorDiscriminator corresponding to the remote entity. Every SBFDInitiator MUST have a locally unique"my discriminator"My Discriminator value allocated from the BFDdiscriminatorDiscriminator pool. Figure 3 describes the high-level concept of continuitytesttesting using S-BFD. R2 allocates XX as the S-BFDdiscriminatorDiscriminator foritsnetwork reachabilitypurpose,purposes and advertises XX to neighbors.ASCII artFigure 3 shows R1 and R4 performing a continuity test to R2. +--- md=50/yd=XX (ping) ----+ | | |+-- md=XX/yd=50 (pong) --+ | || | | |v | v R1 ==================== R2[*] ========= R3 ========= R4 | ^ |^ | | || | +-- md=60/yd=XX (ping) --+| | | +---- md=XX/yd=60 (pong) ---+ [*] Reflector BFD session on R2. === Links connecting network nodes. --- S-BFDcontrolControl packet traversal. Figure 3: S-BFD Continuity Test 7.3.1. SBFDInitiator State Machine An SBFDInitiator may be apersistent"persistent" session on the initiator with a timer for S-BFDcontrolControl packet transmissions (stateful SBFDInitiator). An SBFDInitiator may also be a module, ascriptscript, or a tool on the initiator that transmits one or more S-BFDcontrolControl packets "when needed" (stateless SBFDInitiator). For stateless SBFDInitiators, a complete BFD state machine may not be applicable. For stateful SBFDInitiators, the states and the state machine described in [RFC5880] will not function due to the SBFDReflector session only sending the UP andADMINDOWNAdminDown states (i.e., the SBFDReflector session does not send the INIT state). The following diagram provides the RECOMMENDED state machine for stateful SBFDInitiators. The notation on each arc represents the state of the SBFDInitiator (as received in the State field in the S-BFDcontrolControl packet) or indicates the expiration of the Detection Timer. See Figure 4. +--+ ADMIN DOWN, | | TIMER | V +------+ UP +------+ | |-------------------->| |----+ | DOWN | | UP | | UP | |<--------------------| |<---+ +------+ ADMIN DOWN, +------+ TIMER Figure 4: SBFDInitiatorFSMFinite State Machine Note that the above state machine is different from the base BFD specification [RFC5880]. This is because the INIT state is no longer applicable for the SBFDInitiator. Another important difference is the transition of the state machine from the DOWN state to the UP state when a packet withStatean UP state setting is received by the SBFDInitiator. The definitions of the states andtheevents have the samemeaningmeanings as those defined in the base BFD specification [RFC5880]. 7.3.2. Transmission of S-BFD Control Packet by SBFDInitiatorContentsThe contents of S-BFDcontrolControl packets sent by an SBFDInitiator MUST be set as per Section 6.8.7 of [RFC5880]. There are a few fieldswhich needsthat need to be set differently from[RFC5880][RFC5880], as follows: Demand (D)D bit is usedUsed toidentifyindicate that the S-BFD packet originated fromSBFDInitiator and is alwaysthe SBFDInitiator. Always set to 1. Your Discriminator Set to bfd.RemoteDiscr. bfd.RemoteDiscr is set todiscriminatorthe Discriminator value of the remote entity. It MAY be learnt from routing protocols or configured locally. Required Min RX Interval Set to 0. Required Min Echo RX Interval Set to 0. 7.3.3. Additional SBFDInitiator Behaviors o If the SBFDInitiator receives a valid S-BFDcontrolControl packet in response to a transmitted S-BFDcontrolControl packet to a remote entity, then the SBFDInitiator SHOULD conclude that the S-BFDcontrolControl packet reached the intended remote entity. o When an SBFDInitiator receives a response S-BFDcontrolControl packet, if the state specified isADMINDOWN,AdminDown, the SBFDInitiator MUST NOT concludeloss ofthat the reachabilitytoof the corresponding remoteentity,entity is lost and MUST back off the packet transmission interval for the remote entity to an interval no faster than 1 second. o When a sufficient number of S-BFD packets have not arrived as they should, the SBFDInitiator SHOULD declare loss of reachability to the remote entity. The criteria for declaring loss of reachability and the action that would be triggered as a result are outside the scope of this document; the action MAY include logging an error. oRelating to aboveRegarding the third bullet item, it is critical for an implementation to understand the latency to/from thereflectorReflector BFD session on the responder. In other words, for the very first S-BFD packet transmitted by the SBFDInitiator, an implementation MUST NOT expect a response S-BFD packet to be received for a time equivalent to the sum of the latencies: initiator to responder and responder back to initiator. o If the SBFDInitiator receives an S-BFDcontrolControl packet with the Demand (D) bit set, the packet MUST be discarded (see Appendix A). 7.4. Diagnostic ValuesDiagnosticThe diagnostic value in both directions MAY be set to a certain value, to attempt to communicate further information to both ends.ImplementationImplementations MAY usealready existingthe already-existing diagnostic values defined in Section 4.1 of [RFC5880]. However, detailsof suchregarding this topic are outside the scope of this specification. 7.5. The Poll Sequence The PollsequenceSequence MAY be used in both directions. The PollsequenceSequence MUST operate in accordance with [RFC5880]. An SBFDReflector MAY use the PollsequenceSequence to slow downthatthe rate at which S-BFDcontrolControl packets are generated from an SBFDInitiator. This is done by theSBFDReflectorSBFDReflector, using the procedures described in Section 7.2.3 and setting the Poll (P) bit in the reflected S-BFDcontrolControl packet. The SBFDInitiator is to then send the next S-BFDcontrolControl packet with the Final (F) bit set. If an SBFDReflector receives an S-BFDcontrolControl packet withPoll (P)the P bit set, then the SBFDReflector MUST respond with an S-BFDcontrolControl packet withPoll (P)the P bit cleared andFinal (F)the F bit set. 8. Operational Considerations S-BFD provides a smooth and continuous (i.e., seamless) operational experience as an Operations, Administration, and Maintenance (OAM) mechanism for connectivitycheckchecking and connection verification. This is achieved by providing a simplified mechanism with a largeportionsproportion of negotiation aspects eliminated, resulting inafaster and simpler provisioning. Because of this simplified mechanism, due to amisconfiguration,misconfiguration an SBFDInitiator could send S-BFDcontrolControl packets to a target that does not exist or that is outside the S-BFD administrative domain. As explained in Section 7.3.1, an SBFDInitiator can be a"persistent"persistent initiator or a "when needed" one. When an S-BFD"persistent"persistent SBFDInitiator is used,ita deployment SHOULDbe controlledensure that S-BFDcontrol packetControl packets do not propagate for an extended period of time outside of the administrative domain that uses it. Further, operational measures SHOULD be taken toidentifydetermine if responses to S-BFD packets are notresponded tosent for an extended period oftime,time and then remediate the situation. These potential concerns are largely mitigated by dynamic advertisement mechanisms forS-BFD,S-BFD and with automation checks before applying configurations. 8.1. Scaling Aspect This mechanism brings forth one noticeable difference in terms of the scaling aspect: the number ofSBFDReflector.SBFDReflectors. This specification eliminates the need for egress nodes to have fully active BFD sessions when only one side desires to perform continuity tests. With the introduction ofreflectorthe Reflector BFD concept, egress is no longerisrequired to create any active BFDsession per path/LSP/functionsessions on a per-path/LSP/ function basis.Due toBecause of this, the total number of BFD sessions in a network is reduced. 8.2. Congestion Considerations When S-BFD performs failuredetection by consumingdetection, it consumes resources, including bandwidth and CPU processing.ItTo avoid congestion, it is therefore imperative that operators correctly provision the rates at which S-BFDis transmitted to avoid congestion.packets are transmitted. When BFD is used across multiple hops, a congestion control mechanism MUST be implemented, and when congestion is detected, the BFD implementation MUST reduce the amount of traffic it generates. The exact mechanism used to detect congestion is outside the scope of thisspecification,specification but may include the detection of lost BFDcontrolControl packets or other means. The SBFDReflector can limit the rate at whichan SBFInitiatorsSBFDInitiators will be sending S-BFDcontrolControl packets by utilizingthe "RequiredRequired Min RXInterval",Interval, but at the expense ofincreasing thedetectiontime.time (i.e., detection time will increase). 9. Co-existence with Classical BFD SessionsInitialDemultiplexing requirements for the initial packetdemultiplexing requirement isare described in Section 7.1. Because of this, the S-BFD mechanism can co-exist with classical BFD sessions. 10. S-BFD Echo Function The concept of the S-BFD Echo function is similar to the BFD Echo function described in [RFC5880]. S-BFDechoEcho packets have the destination ofself, thus"self"; thus, S-BFDechoEcho packets are self-generated and self-terminated after traversing a link/path. S-BFDechoEcho packets are expected tou-turnU-turn on the target node in the data plane and MUST NOT be processed by anyreflectorReflector BFD sessions on the target node. When using the S-BFD Echo function, it is RECOMMENDED that: o Both S-BFDcontrolControl packets and S-BFDechoEcho packets be sent. o Both S-BFDcontrolControl packets and S-BFDechoEcho packets have the same semantics in the forward direction to reach the target node. In other words, it is not preferable to send just S-BFDechoEcho packets without also sending S-BFDcontrolControl packets. There are two reasons behind this suggestion: o S-BFDcontrolControl packets can verify the reachabilitytoof the intended targetnode, whichnode; this allows one to have confidence that S-BFDechoEcho packets areu-turningU-turning on the expected target node. o S-BFDcontrolControl packets can detect when the target node is going out of service (i.e.,viaby receivingback ADMINDOWNAdminDown state). S-BFD Echo packets can bespoofed,spoofed and canu-turnU-turn in a transit node before reaching the expected target node. When the S-BFD Echo function is used, it is RECOMMENDED in this specification that both S-BFDcontrolControl packets and S-BFDechoEcho packets be sent. While the additional use of S-BFDcontrolControl packets alleviates these two concerns, some form of authentication MAY still be included. The usage of the"RequiredRequired Min Echo RXInterval"Interval field is described inSection 7.3.2Sections 7.2.2 andSection 7.2.2.7.3.2. Because of the stateless nature of SBFDReflector sessions, a value specified in the"RequiredRequired Min Echo RXInterval"Interval field is not very meaningfulatto the SBFDReflector.ThusThus, it is RECOMMENDED that the"RequiredRequired Min Echo RXInterval"Interval field simply be set to zerofromby the SBFDInitiator. The SBFDReflector MAY set the Required Min Echo RX Interval field to an appropriate value to control the rate at which it wants toreceives SBFD echoreceive S-BFD Echo packets. The following aspects of S-BFD Echo functions are left as implementationdetails,details and are outside the scope of this document: o Format of the S-BFDechoEcho packet (e.g., data beyond UDP header). o Procedures on when and how to use the S-BFD Echo function. 11. Security ConsiderationsSameThe same security considerations as those described in [RFC5880] apply to this document. Additionally, implementing the following measures will strengthen security aspects of the mechanism described by this document: o The SBFDInitiator MAY pick a sequence number to be set in "sequenceNumber"number" inauthentication sectionthe Authentication Section, based on the configured authenticationmode configured.mode. o The SBFDReflector MUST NOT use the crypto sequence number to make a decision about accepting the packet. This is because the SBFDReflector does not maintain S-BFD peerstate,state and because the SBFDReflector can receive S-BFD packets from multiple SBFDInitiators. Consequently, BFD authentication can beusedused, but not the sequence number. o The SBFDReflector MAY use the Auth Key ID in the incoming packet to verify theauthentication data.Authentication Data. o The SBFDReflector MUST accept the packet if authentication is successful. o The SBFDReflector MUST compute the AuthenticationdataData and MUST use the same sequence number that it received in the S-BFDcontrolControl packetthatto which it isresponding to.responding. o The SBFDInitiator SHOULD accept an S-BFDcontrolControl packet with a sequence number within the permissiblewindow.range. One potential approach is the procedure explained in[I-D.ietf-bfd-generic-crypto-auth].[BFD-GEN-AUTH]. Using the above method, oSBFDReflectorSBFDReflectors continue to remainstatelessstateless, despite using security. oSBFDReflectorSBFDReflectors are not susceptible to replayattacksattacks, as they always respond to S-BFDcontrolControl packets irrespective of the sequence number carried. o An attacker cannot impersonate theresponderresponder, since the SBFDInitiator will only accept S-BFDcontrolControl packets that come with the sequence number that it had originally used when sending the S-BFDcontrolControl packet. Additionally, the use of strong forms of authentication is strongly encouraged for S-BFD. The use of Simple Password authentication [RFC5880] potentially puts other services atrisk,risk if S-BFD packets can be intercepted andifthose password values are reused for other services. Considerationsaboutrelated to loop problems are covered in Appendix A. 12.IANA Considerations No action is required by IANA for this document. 15.References15.1.12.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, <http://www.rfc-editor.org/info/rfc5880>.15.2.12.2. Informative References[I-D.ietf-bfd-generic-crypto-auth][BFD-GEN-AUTH] Bhatia, M., Manral, V., Zhang, D., and M. Jethanandani, "BFD Generic Cryptographic Authentication",draft-ietf- bfd-generic-crypto-auth-06 (workWork inprogress),Progress, draft-ietf-bfd-generic-crypto-auth-06, April 2014.[I-D.ietf-bfd-seamless-ip] Akiya, N., Pignataro, C., and D. Ward, "Seamless Bidirectional Forwarding Detection (S-BFD) for IPv4, IPv6 and MPLS", draft-ietf-bfd-seamless-ip-04 (work in progress), April 2016. [I-D.ietf-bfd-seamless-use-case] Aldrin, S., Pignataro, C., Mirsky, G., and N. Kumar, "Seamless Bidirectional Forwarding Detection (S-BFD) Use Cases", draft-ietf-bfd-seamless-use-case-06 (work in progress), April 2016. [I-D.ietf-pals-seamless-vccv] Govindan, V. and C. Pignataro, "Seamless BFD for VCCV", draft-ietf-pals-seamless-vccv-03 (work in progress), April 2016. [RFC0791][RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI10.17487/RFC0791,10.17487/RFC791, September 1981, <http://www.rfc-editor.org/info/rfc791>. [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, December 1998, <http://www.rfc-editor.org/info/rfc2460>. [RFC3031] Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol Label Switching Architecture", RFC 3031, DOI 10.17487/RFC3031, January 2001, <http://www.rfc-editor.org/info/rfc3031>. [RFC7881] Pignataro, C., Ward, D., and N. Akiya, "Seamless Bidirectional Forwarding Detection (S-BFD) for IPv4, IPv6, and MPLS", RFC 7881, DOI 10.17487/RFC7881, July 2016, <http://www.rfc-editor.org/info/rfc7881>. [RFC7882] Aldrin, S., Pignataro, C., Mirsky, G., and N. Kumar, "Seamless Bidirectional Forwarding Detection (S-BFD) Use Cases", RFC 7882, DOI 10.17487/RFC7882, July 2016, <http://www.rfc-editor.org/info/rfc7882>. [RFC7885] Govindan, V. and C. Pignataro, "Seamless Bidirectional Forwarding Detection (S-BFD) for Virtual Circuit Connectivity Verification (VCCV)", RFC 7885, DOI 10.17487/RFC7885, July 2016, <http://www.rfc-editor.org/info/rfc7885>. Appendix A. Loop Problem and Solution Consider a scenario where we have two nodes and both are S-BFD capable. Node A (IP 2001:db8::1) ----------------- Node B (IP 2001:db8::2) | | Man in the Middle(MiM)(MITM) Assumenodethat Node A reserved a discriminator 0x01010101 for target identifier 2001:db8::1 and has a reflector session in listening mode.Similarly nodeSimilarly, Node B reserved a discriminator 0x02020202 for its target identifier 2001:db8::2 and also has a reflector session in listening mode. SupposeMiMthat a MITM sends a spoofed packet withMyDiscMy Discriminator = 0x01010101,YourDiscYour Discriminator = 0x02020202, source IP as2001:db8::12001:db8::1, anddestdestination IP as 2001:db8::2. When this packet reaches Node B, the reflector session on Node B will swap the discriminators and IP addresses of the received packet and reflect it back, sinceYourDiscthe Your Discriminator value of the received packetmatched withmatches the reserved discriminator of Node B. The reflected packet that reached Node A will haveMyDdisc=0x02020202My Discriminator = 0x02020202 andYourDisc=0x01010101.Your Discriminator = 0x01010101. SinceYourDiscthe Your Discriminator value of the received packetmatchedmatches the reserved discriminator of Node A, Node A will swap the discriminators andreflectsreflect the packet back to Node B. Since the reflectors must set the TTL of the reflected packets to 255, the above scenario will result in an infinite loopwithbecause of just one malicious packet injected fromMiM.the MITM. The solution is to avoid the loop problemusesby using the"D"D bit (Demand mode bit). TheInitiatorinitiator always sets the'D' bitD bit, and the reflector always clears it. Thiswayway, we canidentifydetermine if a received packet was a reflected packet and avoid reflecting it back.13.Acknowledgements The authors would like to thank Jeffrey Haas, Greg Mirsky, Marc Binderberger, and Alvaro Retana for performing thorough reviews and providing a number of suggestions. The authors would also like to thank Girija Raghavendra Rao, Les Ginsberg, Srihari Raghavan, Vanitha Neelamegam, and Vengada Prasad Govindan from Cisco Systems for providing valuable comments. Finally, the authors would also like to thank John E. Drake and Pablo Frank for providing comments and suggestions.14.Contributors The following are key contributors to this document: Tarek Saad, Cisco Systems, Inc. Siva Sivabalan, Cisco Systems, Inc. Nagendra Kumar, Cisco Systems, Inc. Mallik Mudigonda, Cisco Systems, Inc. Sam Aldrin, Google Authors' Addresses Carlos Pignataro Cisco Systems, Inc. Email: cpignata@cisco.com Dave Ward Cisco Systems, Inc. Email: wardd@cisco.com Nobo Akiya Big Switch Networks Email: nobo.akiya.dev@gmail.com Manav Bhatia Ionos Networks Email: manav@ionosnetworks.com Santosh Pallagatti Email: santosh.pallagatti@gmail.com