wdiff rfc8327.alt-original rfc8327.txt

Global Routing Operations
Internet Engineering Task Force (IETF) W. Hargrave
Internet-Draft
Request for Comments: 8327 LONAP
Intended status:
BCP: 214 M. Griswold
Category: Best Current Practice M. Griswold
Expires: April 1, 2018 20C
ISSN: 2070-1721 J. Snijders
NTT
N. Hilliard
INEX
September 28, 2017
February 2018

Mitigating the Negative Impact of Maintenance through
BGP Session Culling
draft-ietf-grow-bgp-session-culling-05

Abstract

This document outlines an approach to mitigate the negative impact on
networks resulting from maintenance activities. It includes guidance
for both IP networks and Internet Exchange Points (IXPs). The
approach is to ensure BGP-4 sessions that will be affected by the
maintenance are forcefully torn down before the actual maintenance
activities commence.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working memo documents an Internet Best Current Practice.

This document is a product of the Internet Engineering Task Force
(IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list It represents the consensus of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid the IETF community. It has
received public review and has been approved for a maximum publication by the
Internet Engineering Steering Group (IESG). Further information on
BCPs is available in Section 2 of RFC 7841.

Information about the current status of six months this document, any errata,
and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 1, 2018.
https://www.rfc-editor.org/info/rfc8327.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. BGP Session Culling . . . . . . . . . . . . . . . . . . . . . 3
3.1. Voluntary BGP Session Teardown Recommendations . . . . . 3
3.1.1. Maintenance Considerations . . . . . . . . . . . . . 4
3.2. Involuntary BGP Session Teardown Recommendations . . . . 4
3.2.1. Packet Filter Packet-Filter Considerations . . . . . . . . . . . . 4
3.2.2. Hardware Considerations . . . . . . . . . . . . . . . 5
3.3. Procedural Considerations . . . . . . . . . . . . . . . . 6
4. Acknowledgments . . . . Security Considerations . . . . . . . . . . . . . . . . . . . 6
5. Security IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations References . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.
6.1. Normative References . . . . . . . . . . . . . . . . . . 6
6.2. Informative References . . . . . . . 6
7.1. Normative References . . . . . . . . . . 6
Appendix A. Example Packet Filters . . . . . . . . 6
7.2. Informative References . . . . . . . 7
A.1. Example Configuration for Cisco IOS, IOS XR, and Arista
EOS . . . . . . . . . . . . 7
Appendix A. Example packet filters . . . . . . . . . . . . . . . 7
A.1. Cisco IOS, IOS XR & Arista EOS Firewall
A.2. Example Configuration for Nokia SR OS . . . . . . . . . . 8
Acknowledgments . . . . . . . . . . . . . . . . . 7
A.2. Nokia SR OS Filter Example Configuration . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 9

1. Introduction

BGP Session Culling is the practice of ensuring BGP sessions are
forcefully torn down before maintenance activities on a lower layer lower-layer
network commence, which commence -- activities that otherwise would affect the flow
of data between the BGP speakers. BGP Session Culling ensures that lower layer network is the
practice of ensuring BGP sessions are forcefully torn down before
commencing maintenance activities cause (that otherwise would affect the
flow of data between the BGP speakers) on a lower-layer network.

BGP Session Culling minimizes the minimum possible amount of disruption, disruption that lower-
layer network maintenance activities cause, by
causing making BGP speakers to
preemptively converge onto alternative paths while the lower layer lower-layer
network's forwarding plane remains fully operational.

The grace period required for a successful application of BGP Session
Culling is the sum of the time needed to detect the loss of the BGP
session,
session plus the time required for the BGP speaker to converge onto
alternative paths. The first value is often governed by the BGP Hold
Timer (section (see Section 6.5 of [RFC4271]), which is commonly between 90
and 180 seconds. The second value is implementation specific, but it
could be as much as 15 minutes when a router with a slow control-plane control
plane is receiving a full set of Internet routes.

Throughout this document document, the "Caretaker" is defined to be in control
of the lower layer lower-layer network, while "Operators" directly administrate
the BGP speakers. Operators and Caretakers implementing BGP Session
Culling are encouraged to avoid using a fixed grace period, but and
instead to monitor forwarding plane forwarding-plane activity while the culling is
taking place and to consider it complete once traffic levels have
dropped to a minimum (Section 3.3).

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.

3. BGP Session Culling

From the viewpoint of the Operator, there are two types of BGP
Session Culling:

Voluntary BGP Session Teardown: The Operator initiates the tear down teardown
of the potentially affected BGP session by issuing an
Administrative Shutdown.

Involuntary BGP Session Teardown: The Caretaker of the lower layer lower-layer
network disrupts (higher layer) (higher-layer) BGP control-plane traffic, causing
the BGP Hold Timers of the affected BGP session to expire,
subsequently triggering rerouting of end user end-user traffic.

3.1. Voluntary BGP Session Teardown Recommendations

Before an Operator commences activities which that can cause disruption to
the flow of data through the lower layer lower-layer network, an Operator can
reduce loss of traffic by issuing an administrative shutdown to all
BGP sessions running across the lower layer lower-layer network and wait a few
minutes for data-plane traffic to subside.

While architectures exist to facilitate quick network reconvergence
(such as BGP PIC [I-D.ietf-rtgwg-bgp-pic]), Prefix Independent Convergence (PIC) [BGP_PIC]), an
Operator cannot assume the remote side has such capabilities. As
such, a grace period between the Administrative Shutdown and the
impacting maintenance activities is warranted.

After the maintenance activities have concluded, the Operator is
expected to restore the BGP sessions to their original Administrative
state.

3.1.1. Maintenance Considerations

Initiators of the administrative shutdown Administrative Shutdown MAY consider using Graceful
Shutdown [I-D.ietf-grow-bgp-gshut] [RFC8326] to facilitate smooth drainage of traffic prior to
session tear down, and the Shutdown Communication [RFC8203] to inform
the remote side on the nature and duration of the maintenance
activities.

3.2. Involuntary BGP Session Teardown Recommendations

In the case where multilateral interconnection between BGP speakers
is facilitated through a switched layer-2 Layer 2 fabric, such as commonly
seen at Internet Exchange Points (IXPs), different operational
considerations can apply.

Operational experience shows that many Operators are unable to carry
out the Voluntary BGP Session Teardown recommendations, because of
the operational cost and risk of coordinating the two configuration
changes required. This has an adverse affect on Internet
performance.

In the absence of notifications from the lower layer (e.g. (e.g., Ethernet
link down) consistent with the planned maintenance activities in a
switched layer-2 Layer 2 fabric, the Caretaker of the fabric could choose to
cull BGP sessions on behalf of the Operators connected to the fabric.

Such culling of control-plane traffic will preempt the loss of end-
user traffic, traffic by causing the expiration of BGP Hold Timers ahead of
the moment where the expiration would occur without intervention from
the fabric's Caretaker.

In this scenario, BGP Session Culling is accomplished as described in
the next sub-section, subsection, through the application of a combined layer-3 Layer 3
and layer-4 Layer 4 (Layer 3/4) packet filter deployed in the Caretaker's
switched fabric.

3.2.1. Packet Filter Packet-Filter Considerations

The peering LAN prefixes used by the IXP form the control plane, and
the following considerations apply to the packet filter packet-filter design:

o The packet filter MUST only affect BGP traffic specific to the
layer-2
Layer 2 fabric, i.e. i.e., traffic forming part of the control plane of
the system described, rather than multihop BGP traffic which that merely
transits.

o The packet filter MUST only affect BGP, i.e. TCP/179. i.e., TCP port 179.

o The packet filter SHOULD make provision for the bidirectional
nature of BGP, i.e. that i.e., sessions may be established in either
direction.

o The packet filter MUST affect all Address Family Identifiers.

Appendix A contains examples of correct packet filters for various
platforms.

3.2.2. Hardware Considerations

Not all hardware is capable of deploying combined Layer 3 / Layer 4 3/4 filters
on Layer 2 ports, and ports; even on platforms which that claim support for such a
feature, limitations may exist or hardware resource allocation
failures may occur during filter deployment deployment, which may cause
unexpected results. These problems may include:

o Platform inability to apply layer Layer 3/4 filters on ports which that
already have layer Layer 2 filters applied.

o Layer 3/4 filters supported for IPv4 but not for IPv6.

o Layer 3/4 filters supported on physical ports, but not on 802.3ad IEEE
802.1AX Link Aggregate ports. ports [IEEE802.1AX].

o Failure of the Caretaker to apply filters to all 802.3ad IEEE 802.1AX Link
Aggregate ports. ports [IEEE802.1AX].

o Limitations in ACL Access Control List (ACL) hardware mechanisms
causing filters not to be applied.

o Fragmentation of ACL lookup memory causing transient ACL
application problems which that are resolved after ACL removal / removal/
reapplication.

o Temporary service loss during hardware programming programming.

o Reduction in hardware ACL capacity if the platform enables
lossless ACL application.

It is advisable for the Caretaker to be aware of the limitations of
their hardware, hardware and to thoroughly test all complicated configurations
in advance to ensure that problems don't occur during production
deployments.

3.3. Procedural Considerations

The Caretaker of the lower layer lower-layer network can monitor data-plane
traffic (e.g. (e.g., interface counters) and carry out the maintenance
without impact to traffic once session culling is complete.

It is recommended that the packet filters are only be deployed for the
duration of the maintenance only and immediately be removed immediately after the
maintenance.
maintenance is completed. To prevent unnecessarily unnecessary troubleshooting, it
is RECOMMENDED that Caretakers notify the affected Operators before
the maintenance takes place, place and make it explicit that the Involuntary
BGP Session Culling methodology will be applied.

4. Security Considerations

There are no security considerations.

5. IANA Considerations

This document has no actions for IANA.

6. References

7.1.

6.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.

[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006,
<https://www.rfc-editor.org/info/rfc4271>.

7.2. Informative References

[I-D.ietf-grow-bgp-gshut]
Francois, P., Decraene,

[RFC8174] Leiba, B., Pelsser, C., Patel, K., and C.
Filsfils, "Graceful BGP session shutdown", draft-ietf-
grow-bgp-gshut-11 (work "Ambiguity of Uppercase vs Lowercase in progress), September 2017.

[I-D.ietf-rtgwg-bgp-pic] RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.

6.2. Informative References

[BGP_PIC] Bashandy, A., Ed., Filsfils, C., and P. Mohapatra, "BGP
Prefix Independent Convergence", draft-ietf-rtgwg-bgp-pic-05
(work Work in progress), May Progress, draft-
ietf-rtgwg-bgp-pic-06, November 2017.

[IEEE802.1AX]
IEEE, "IEEE Standard for Local and metropolitan area
networks -- Link Aggregation", IEEE Std 802.1AX-2014,
DOI 10.1109/IEEESTD.2014.7055197, December 2014,
<http://ieeexplore.ieee.org/servlet/
opac?punumber=6997981>.

[RFC8203] Snijders, J., Heitz, J., and J. Scudder, "BGP
Administrative Shutdown Communication", RFC 8203,
DOI 10.17487/RFC8203, July 2017,
<https://www.rfc-editor.org/info/rfc8203>.

7.3. URIs

[1] https://github.com/bgp/bgp-session-culling-config-examples

[RFC8326] Francois, P., Ed., Decraene, B., Ed., Pelsser, C., Patel,
K., and C. Filsfils, "Graceful BGP Session Shutdown",
RFC 8326, DOI 10.17487/8326, February 2018,
<https://www.rfc-editor.org/info/rfc8326>.

Appendix A. Example Packet Filters

This section includes examples of packet filters

Example packet filters for "Involuntary performing
Involuntary BGP Session Teardown" Teardown at an IXP using peering LAN prefixes
192.0.2.0/24 and 2001:db8:2::/64 as its control plane.

A repository of configuration examples for a number of assorted
platforms can be found at https://github.com/bgp/bgp-session-culling-
config-examples [1].
<https://github.com/bgp/bgp-session-culling-config-examples>.

A.1. Example Configuration for Cisco IOS, IOS XR & XR, and Arista EOS Firewall Example Configuration

ipv6 access-list acl-ipv6-permit-all-except-bgp
10 deny tcp 2001:db8:2::/64 eq bgp 2001:db8:2::/64
20 deny tcp 2001:db8:2::/64 2001:db8:2::/64 eq bgp
30 permit ipv6 any any
!
ip access-list acl-ipv4-permit-all-except-bgp
10 deny tcp 192.0.2.0/24 eq bgp 192.0.2.0/24
20 deny tcp 192.0.2.0/24 192.0.2.0/24 eq bgp
30 permit ip any any
!
interface Ethernet33
description IXP Participant Affected by Maintenance
ip access-group acl-ipv4-permit-all-except-bgp in
ipv6 access-group acl-ipv6-permit-all-except-bgp in
!

A.2. Example Configuration for Nokia SR OS Filter Example Configuration

ip-filter 10 create
filter-name "ACL IPv4 Permit All Except BGP"
default-action forward
entry 10 create
match protocol tcp
dst-ip 192.0.2.0/24
src-ip 192.0.2.0/24
port eq 179
exit
action
drop
exit
exit
exit

ipv6-filter 10 create
filter-name "ACL IPv6 Permit All Except BGP"
default-action forward
entry 10 create
match next-header tcp
dst-ip 2001:db8:2::/64
src-ip 2001:db8:2::/64
port eq 179
exit
action
drop
exit
exit
exit

interface "port-1/1/1"
description "IXP Participant Affected by Maintenance"
ingress
filter ip 10
filter ipv6 10
exit
exit

Acknowledgments

The authors would like to thank the following people for their
contributions to this document: Saku Ytti, Greg Hankins, James
Bensley, Wolfgang Tremmel, Daniel Roesen, Bruno Decraene, Tore
Anderson, John Heasley, Warren Kumari, Stig Venaas, and Brian
Carpenter.

Authors' Addresses

Will Hargrave
LONAP Ltd
5 Fleet Place
London EC4M 7RD
United Kingdom

Email: will@lonap.net

Matt Griswold
20C
1658 Milwaukee Ave # 100-4506
Chicago, IL 60647
United States of America

Email: grizz@20c.com

Job Snijders
NTT Communications
Theodorus Majofskistraat 100
Amsterdam 1065 SZ
The Netherlands

Email: job@ntt.net

Nick Hilliard
INEX
4027 Kingswood Road
Dublin 24
Ireland

Email: nick@inex.ie