idnits 2.17.1 

draft-ietf-bmwg-protection-term-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** The document seems to lack a License Notice according IETF Trust
     Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009
     Section 6.b -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     (You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Feb 2009 rather than one of the newer Notices.  See
     https://trustee.ietf.org/license-info/.)


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There is 1 instance of too long lines in the document, the longest one
     being 5 characters in excess of 72.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 2009) is 5306 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Unused Reference: '6' is defined on line 1367, but no explicit reference
     was found in the text

  == Outdated reference: A later version (-23) exists of
     draft-ietf-bmwg-igp-dataplane-conv-term-16

  ** Obsolete normative reference: RFC 3768 (ref. '11') (Obsoleted by RFC
     5798)


     Summary: 3 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	 Network Working Group                         S. Poretsky
2	 Internet Draft                                Allot Communications
3	 Expires: April 2010
4	 Intended Status: Informational                Rajiv Papneja
5	                                               Isocore

7	                                               J. Karthik
8	                                               S. Vapiwala
9	                                               Cisco Systems

11	                                               October 2009

13	                    Benchmarking Terminology
14	                   for Protection Performance
15	             <draft-ietf-bmwg-protection-term-07.txt >

17	Status of this Memo
18	   This Internet-Draft is submitted to IETF in full conformance with the
19	   provisions of BCP 78 and BCP 79.

21	   Internet-Drafts are working documents of the Internet Engineering
22	   Task Force (IETF), its areas, and its working groups.  Note that
23	   other groups may also distribute working documents as Internet-
24	   Drafts.

26	   Internet-Drafts are draft documents valid for a maximum of six months
27	   and may be updated, replaced, or obsoleted by other documents at any
28	   time.  It is inappropriate to use Internet-Drafts as reference
29	   material or to cite them other than as "work in progress."

31	   The list of current Internet-Drafts can be accessed at
32	   http://www.ietf.org/ietf/1id-abstracts.txt.
33	   The list of Internet-Draft Shadow Directories can be accessed at
34	   http://www.ietf.org/shadow.html.

36	   This Internet-Draft will expire on April 15, 2010.

38	Copyright Notice
39	   Copyright (c) 2009 IETF Trust and the persons identified as the
40	   document authors.  All rights reserved.

42	   This document is subject to BCP 78 and the IETF Trust's Legal
43	   Provisions Relating to IETF Documents in effect on the date of
44	   publication of this document (http://trustee.ietf.org/license-info).
45	   Please review these documents carefully, as they describe your rights
46	   and restrictions with respect to this document.

48	Abstract
49	  This document provides common terminology and metrics for benchmarking
50	  the performance of sub-IP layer protection mechanisms. The performance
51	  benchmarks are measured at the IP-Layer, avoiding dependence on
52	  specific sub-IP protection mechanisms. The benchmarks and terminology
53	  can be applied in methodology documents for different sub-IP layer
54	  protection mechanisms such as Automatic Protection Switching (APS),
55	  Virtual Router Redundancy Protocol (VRRP), Stateful High Availability
56	  (HA), and Multi-Protocol Label Switching Fast Reroute (MPLS-FRR).

58	                          Protection Performance
59	 Table of Contents
60	        1. Introduction..............................................3
61	        2. Existing definitions......................................6
62	        3. Test Considerations.......................................7
63	           3.1. Paths................................................7
64	              3.1.1. Path............................................7
65	              3.1.2. Working Path....................................8
66	              3.1.3. Primary Path....................................8
67	              3.1.4. Protected Primary Path..........................8
68	              3.1.5. Backup Path.....................................9
69	              3.1.6. Standby Backup Path.............................10
70	              3.1.7. Dynamic Backup Path.............................10
71	              3.1.8. Disjoint Paths..................................10
72	              3.1.9. Point of Local repair (PLR).....................11
73	              3.1.10. Shared Risk Link Group (SRLG)..................11
74	           3.2. Protection Mechanisms................................12
75	              3.2.1. Link Protection.................................12
76	              3.2.2. Node Protection.................................12
77	              3.2.3. Path Protection.................................12
78	              3.2.4. Backup Span.....................................13
79	              3.2.5. Local Link Protection...........................13
80	              3.2.6. Redundant Node Protection.......................14
81	              3.2.7  State Control Interface.........................14
82	              3.2.8. Protected Interface.............................15
83	           3.3. Protection Switching.................................15
84	              3.3.1. Protection Switching System.....................15
85	              3.3.2. Failover Event..................................15
86	              3.3.3. Failure Detection...............................16
87	              3.3.4. Failover........................................17
88	              3.3.5. Restoration.....................................17
89	              3.3.6. Reversion.......................................18
90	           3.4. Nodes................................................18
91	              3.4.1. Protection-Switching Node.......................18
92	              3.4.2. Non-Protection Switching Node...................19
93	              3.4.3. Headend Node....................................19
94	              3.4.4. Backup Node.....................................19
95	              3.4.5. Merge Node......................................20
96	              3.4.6. Primary Node....................................20
97	              3.4.7. Standby Node....................................21
98	           3.5. Benchmarks...........................................21
99	              3.5.1. Failover Packet Loss............................21
100	              3.5.2. Reversion Packet Loss...........................22
101	              3.5.3. Failover Time...................................22
102	              3.5.4. Reversion Time..................................23
103	              3.5.5. Additive Backup Delay...........................23
104	           3.6 Failover Time Calculation Methods.....................24
105	              3.6.1 Time-Based Loss Method...........................24
106	              3.6.2 Packet-Loss Based Method.........................25
107	              3.6.3 Timestamp-Based Method...........................25
108	        4. Acknowledgments...........................................26
109	        5. IANA Considerations.......................................26
110	        6. Security Considerations...................................26
111	        7. References................................................26
112	        8. Authors' Addresses........................................27
113	                          Protection Performance

115	1. Introduction

117	   The IP network layer provides route convergence to protect data
118	   traffic against planned and unplanned failures in the internet. Fast
119	   convergence times are critical to maintain reliable network
120	   connectivity and performance.  Convergence Events [7] are recognized
121	   at the IP Layer so that Route Convergence [7] occurs.  Technologies
122	   that function at sub-IP layers can be enabled to provide further
123	   protection of IP traffic by providing the failure recovery at the
124	   sub-IP layers so that the outage is not observed at the IP-layer.
125	   Such sub-IP protection technologies include, but are not limited to,
126	   High Availability (HA) stateful failover, Virtual Router Redundancy
127	   Protocol (VRRP) [11], Automatic Link Protection (APS) for SONET/SDH,
128	   Resilient Packet Ring (RPR) for Ethernet, and Fast Reroute for
129	   Multi-Protocol Label Switching (MPLS-FRR) [8].

131	   1.1 Scope
132	   Benchmarking terminology was defined for IP-layer convergence in
133	   [7].  Different terminology and methodologies specific to
134	   benchmarking sub-IP layer protection mechanisms are required.  The
135	   metrics for benchmarking the performance of sub-IP protection
136	   mechanisms are measured at the IP layer, so that the results are
137	   always measured in reference to IP and independent of the specific
138	   protection mechanism being used. The purpose of this document is
139	   to provide a single terminology for benchmarking sub-IP protection
140	   mechanisms.

142	   A common terminology for Sub-IP layer protection mechanism
143	   benchmarking enables different implementations of a protection
144	   mechanism to be benchmarked and evaluated.  In addition,
145	   implementations of different protection mechanisms can be
146	   benchmarked and evaluated.  It is intended that there can exist
147	   unique methodology documents for each sub-IP protection mechanism
148	   based upon this common terminology document.  The terminology
149	   can be applied to methodologies that benchmark sub-IP protection
150	   mechanism performance with a single stream of traffic or
151	   multiple streams of traffic.  The traffic flow may be
152	   uni-directional or bi-directional as to be indicated in the
153	   methodology.

155	   1.2 General Model
156	   The sequence of events to benchmark the performance of Sub-IP
157	   Protection Mechanisms is as follows:

159	   1. Failover Event - Primary Path fails
160	   2. Failure Detection-  Failover Event is detected
161	   3. Failover - Backup Path becomes the Working Path due to Failover
162	                 Event
163	   4. Restoration - Primary Path recovers from a Failover Event
164	   5. Reversion (optional) - Primary Path becomes the Working Path

166	   These terms are further defined in this document.

168	                          Protection Performance

170	   Figures 1 through 5 show models that MAY be used when benchmarking
171	   Sub-IP Protection mechanisms, which MUST use a Protection Switching
172	   System that consists of a minimum of two Protection-Switching Nodes,
173	   an Ingress Node known as the Headend Node and an Egress Node known
174	   as the Merge Node.  The Protection Switching System MUST include
175	   either a Primary Path and Backup Path, as shown in Figures 1 through
176	   4, or a Primary Node and Standby Node, as shown in Figure 5.  A
177	   Protection Switching System may provide link protection, node
178	   protection, path protection, local link protection, and high
179	   availability, as shown in Figures 1 through 5 respectively.  A
180	   Failover Event occurs along the Primary Path or at the Primary Node.
181	   The Working Path is the Primary Path prior to the Failover Event and
182	   the Backup Path after the Failover Event.  A Tester is set outside
183	   the two paths or nodes as it sends and receives IP traffic along the
184	   Working Path.  The tester MUST record the IP packet sequence numbers,
185	   departure time, and arrival time so that the metrics of Failover
186	   Time, Additive Latency, Packet Reordering, Duplicate Packets, and
187	   Reversion Time can be measured.  The Tester may be a single device
188	   or a test system.  If Reversion is supported then the Working Path is
189	   the Primary Path after Restoration (Failure Recovery) of the Primary
190	   Path.

192	   Link Protection, as shown in Figure 1, provides protection when a
193	   Failover Event occurs on the link between two nodes along the Primary
194	   Path.  Node Protection, as shown in Figure 2, provides protection
195	   when a Failover Event occurs at a Node along the Primary Path.
196	   Path Protection, as shown in Figure 3, provides protection for link
197	   or node failures for multiple hops along the Primary Path.  Local
198	   Link Protection, as shown in Figure 4, provides Sub-IP Protection of
199	   a link between two nodes, without a Backup Node.  An example of such
200	   a Sub-IP Protection mechanism is SONET APS.  High Availability
201	   Protection, as shown in Figure 5, provides protection of a Primary
202	   Node with a redundant Standby Node.  State Control is provided
203	   between the Primary and Standby Nodes.  Failure of the Primary Node
204	   is detected at the Sub-IP layer to force traffic to switch to the
205	   Standby Node, which has state maintained for zero or minimal packet
206	   loss.

208	                      +-----------+
209	       +--------------|  Tester   |<-----------------------+
210	       |              +-----------+                        |
211	       | IP Traffic        | Failover           IP Traffic |
212	       |                   |  Event                        |
213	       |     ------------  |                 ----------    |
214	       +--->|  Ingress/  | V                | Egress/  |---+
215	            |Headend Node|------------------|Merge Node|  Primary
216	             ------------                    ----------    Path
217	                |                                ^
218	                |         ---------              |  Backup
219	                +--------| Backup  |-------------+   Path
220	                         |  Node   |
221	                          ---------
222	   Figure 1. System Under Test (SUT) for Sub-IP Link Protection
223	                          Protection Performance

225	                            +-----------+
226	       +--------------------|  Tester   |<-----------------+
227	       |                    +-----------+                  |
228	       | IP Traffic               | Failover    IP Traffic |
229	       |                          | Event                  |
230	       |                          V                        |
231	       |     ------------      --------      ----------    |
232	       +--->|  Ingress/  |    |MidPoint|    | Egress/  |---+
233	            |Headend Node|----|  Node  |----|Merge Node|  Primary
234	             ------------      --------      ----------    Path
235	                |                                ^
236	                |         ---------              |  Backup
237	                +--------| Backup  |-------------+   Path
238	                         |  Node   |
239	                          ---------

241	   Figure 2. System Under Test (SUT) for Sub-IP Node Protection

243	                               +-----------+
244	    +---------------------------|  Tester   |<----------------------+
245	    |                           +-----------+                       |
246	    | IP Traffic                      | Failover         IP Traffic |
247	    |                                 | Event                       |
248	    |                Primary Path     |                             |
249	    |     ------------      --------  |  --------     ----------    |
250	    +--->|  Ingress/  |    |MidPoint| V |Midpoint|   | Egress/  |---+
251	         |Headend Node|----|  Node  |---|  Node  |---|Merge Node|
252	          ------------      --------     --------     ----------
253	                |                                         ^
254	                |         ---------      --------         | Backup
255	                +--------| Backup  |----| Backup |--------+  Path
256	                         |  Node   |    |  Node  |
257	                          ---------      --------

259	   Figure 3. System Under Test (SUT) for Sub-IP Path Protection

261	                                  +-----------+
262	             +--------------------|  Tester   |<-------------------+
263	             |                    +-----------+                    |
264	             | IP Traffic               | Failover      IP Traffic |
265	             |                          | Event                    |
266	             |              Primary     |                          |
267	             |    +--------+  Path      v            +--------+    |
268	             |    |        |------------------------>|        |    |
269	             +--->| Ingress|                         | Egress |----+
270	                  |  Node  |- - - - - - - - - - - - >|  Node  |
271	                  +--------+      Backup Path        +--------+
272	                  ^                                           ^
273	                  |            IP-Layer Forwarding            |
274	                  +-------------------------------------------+

276	   Figure 4. System Under Test (SUT) for Sub-IP Local Link Protection
277	                          Protection Performance

279	                         +-----------+
280	       +-----------------|  Tester   |<--------------------+
281	       |                 +-----------+                     |
282	       | IP Traffic            | Failover       IP Traffic |
283	       |                       | Event                     |
284	       |                       V                           |
285	       |     ---------      --------      ----------       |
286	       +--->| Ingress |    |Primary |    | Egress/  |------+
287	            |   Node  |----|  Node  |----|Merge Node|  Primary
288	             ---------      --------      ----------    Path
289	                |        State |Control       ^
290	                |    Interface |(Optional)    |
291	                |          ---------          |
292	                +---------| Standby |---------+
293	                          |  Node   |
294	                           ---------

296	Figure 5. System Under Test (SUT) for Sub-IP Redundant Node Protection

298	2. Existing definitions
299	   This document uses existing terminology defined in other BMWG
300	   work.  Examples include, but are not limited to:

302	          Latency                   [Ref.[2], section 3.8]
303	          Frame Loss Rate           [Ref.[2], section 3.6]
304	          Throughput                [Ref.[2], section 3.17]
305	          Device Under Test (DUT)   [Ref.[3], section 3.1.1]
306	          System Under Test (SUT)   [Ref.[3], section 3.1.2]
307	          Offered Load              [Ref.[3], section 3.5.2]
308	          Out-of-order Packet       [Ref.[4], section 3.3.2]
309	          Duplicate Packet          [Ref.[4], section 3.3.3]
310	          Forwarding Delay          [Ref.[4], section 3.2.4]
311	          Jitter                    [Ref.[4], section 3.2.5]
312	          Packet Loss               [Ref.[7], Section 3.5]
313	          Packet Reordering         [Ref.[10], section 3.3]

315	   This document has the following frequently used acronyms:
316	      DUT  Device Under Test
317	      SUT  System Under Test

319	   This document adopts the definition format in Section 2 of RFC 1242
320	   [2].  Terms defined in this document are capitalized when used
321	   within this document.

323	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
324	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
325	   document are to be interpreted as described in BCP 14, RFC 2119 [5].
326	   RFC 2119 defines the use of these key words to help make the
327	   intent of standards track documents as clear as possible.  While this
328	   document uses these keywords, this document is not a standards track
329	   document.

331	                          Protection Performance

333	3. Test Considerations

335	  3.1. Paths

337	    3.1.1 Path

339	    Definition:
340	       A unidirectional sequence of nodes, <R1, ..., Rn>, and links
341	      <L12,... L(n-1)n> with the following properties:

343	       a. R1 is the ingress node and forwards IP packets, which input
344	       into DUT/SUT, to R2 as sub-IP frames over link L12.

346	       b. Ri is a node which forwards data frames to R[i+1] over Link
347	       Li[i+1] for all i, 1<i<n, based on information in the sub-IP
348	       layer.

350	       c. Rn is the egress node and it outputs sub-IP frames from
351	       DUT/SUT as IP packets.

353	    Discussion:
354	       The path is defined in the sub-IP layer in this document, unlike
355	       an IP path in RFC 2026 [1].   One path may be regarded as being
356	       equivalent to one IP link between two IP nodes, i.e., R1 and Rn.
357	       The two IP nodes may have multiple paths for protection.  A
358	       packet will travel on only one path between the nodes.  Packets
359	       belonging to a microflow [9] will traverse one or more paths.
360	       The path is unidirectional.  For example, the link between R1
361	       and R2 in the direction from R1 to R2 is L12.  For traffic
362	       flowing in the reverse direction from R2 to R1, the link is L21.
363	       Example paths are the SONET/SDH path and the label switched path
364	       for MPLS.

366	    Measurement units:
367	       n/a

369	    Issues:
370	       "A bidirectional path", which transmits traffic in both
371	       directions along the same nodes, consists of two unidirectional
372	       paths.  Therefore, the two unidirectional paths belonging to
373	       "one bidirectional path" will be treated independently when
374	       benchmarking for "a bidirectional path".

376	    See Also:
377	       Working Path
378	       Primary Path
379	       Backup Path
380	                          Protection Performance

382	    3.1.2. Working Path

384	    Definition:
385	       The path that the DUT/SUT is currently using to forward
386	       packets.

388	    Discussion:
389	       A Primary Path is the Working Path before occurrence of a
390	       Failover Event.  A Backup Path SHALL become the Working Path
391	       after a Failover Event.

393	    Measurement units:
394	       n/a

396	    Issues:

398	    See Also:
399	       Path
400	       Primary Path
401	       Backup Path

403	   3.1.3.  Primary Path

405	       Definition:
406	       The preferred path for forwarding traffic between two or
407	       more nodes.

409	       Discussion:
410	       The Primary Path is the Path that traffic traverses
411	       prior to a Failover Event.

413	       Measurement units:
414	          n/a

416	        Issues:
417	          None

419	        See Also:
420	          Path
421	          Failover Event

423	    3.1.4.  Protected Primary Path

425	       Definition:
426	       A Primary Path that is protected with a Backup Path.

428	       Discussion:
429	       A Protected Primary Path MUST include at least one Protection
430	       Switching Node.

432	                          Protection Performance

434	       Measurement units:
435	          n/a

437	       Issues: None

439	       See Also:
440	          Path
441	          Primary Path

443	    3.1.5.  Backup Path

445	       Definition:
446	       A path that exists to carry data traffic only if a Failover
447	       Event occurs on a Primary Path.

449	       Discussion:
450	       The Backup Path SHALL become the Working Path upon a Failover
451	       Event.  A Path MAY have one or more Backup Paths.  A Backup
452	       Path MAY protect one or more Primary Paths.  There are various
453	       types of Backup Paths:

455	          a. dedicated recovery Backup Path (1+1), which has 100%
456	          redundancy for a specific ordinary path,

458	          b. shared Backup Path (1:N), which is dedicated to the
459	          protection for more than one specific Primary Path

461	          c. associated shared Backup Path (M:N) for which a specific
462	          set of Backup Paths protects a specific set of more than one
463	          Primary Path.

465	       A Backup Path may be signaled or unsignaled.  The Backup Path
466	       MUST be created prior to the Failover Event.

468	       Measurement units:
469	          n/a

471	       Issues:

473	       See Also:
474	          Path
475	          Working Path
476	          Primary Path
477	                          Protection Performance

479	     3.1.6.  Standby Backup Path

481	        Definition:
482	        A Backup Path that is established prior to a Failover Event
483	        to protect a Primary Path.

485	        Discussion:
486	        The Standby Backup Path and Dynamic Backup Path provide
487	        protection, but are established at different times.

489	        Measurement units: n/a

491	        Issues: None

493	        See Also:
494	           Backup Path
495	           Primary Path
496	           Failover Event

498	     3.1.7. Dynamic Backup Path

500	        Definition:
501	        A Backup Path that is established upon occurrence of a
502	        Failover Event.

504	        Discussion:
505	        The Standby Backup Path and Dynamic Backup Path provide
506	        protection, but are established at different times.

508	        Measurement units: n/a

510	        Issues: None

512	        See Also:
513	            Backup Path
514	            Standby Backup Path
515	            Failover Event

517	     3.1.8. Disjoint Paths

519	        Definition:
520	        A pair of paths that do not share a common link.

522	        Discussion:
523	        Two paths are disjoint if they do not share a common node other
524	        than the ingress and egress.

526	                          Protection Performance

528	        Measurement units: n/a

530	        Issues: None

532	        See Also:
533	           Path
534	           Primary Path
535	           SRLG

537	     3.1.9. Point of Local Repair (PLR)
538	         Definition:
539	         A node capable of Failover along the Primary Path that is
540	         also the ingress node for the Backup Path to protect another
541	         node or link.

543	         Discussion:
544	         Any node along the Primary Path from the ingress node to
545	         the penultimate egress node MAY be a PLR.  The PLR MAY use
546	         a single Backup Path for protecting one or more Primary
547	         Paths.  There can be multiple PLRs along a Primary Path.
548	         The PLR MUST be an ingress to a Backup Path.  The PLR can
549	         be any node along the Primary Path except the egress node
550	         of the Primary Path.  The PLR MAY simultaneously be a
551	         Headend Node when it is serving the role as ingress to
552	         the Primary Path and the Backup Path.  If the PLR is
553	         also the Headend Node, then the Backup Path is a Disjoint
554	         Path from the ingress to the Merge Node.

556	         Measurement units: n/a

558	         Issues: None

560	         See Also:
561	             Primary Path
562	             Backup Path
563	             Failover

565	     3.1.10. Shared Risk Link Group (SRLG)
566	         Definition:
567	         SRLG is a set of links which share a physical resource.

569	         Discussion:
570	         SRLG is considered the set of links to be avoided when
571	         the primary and secondary paths are considered disjoint.
572	         The SRLG will fail as a group if the shared resource fails.

574	         Measurement units: n/a

576	         Issues: None

578	         See Also:
579	             Path
580	             Primary Path
581	                          Protection Performance

583	   3.2. Protection
584	     3.2.1. Link Protection
585	         Definition:
586	         A Backup Path that is signaled to at least one Backup Node
587	         to protect for failure of interfaces and links along a
588	         Primary Path.

590	         Discussion:
591	         Link Protection may or may not protect the entire Primary
592	         Path.  Link protection is shown in Figure 1.

594	         Measurement units: n/a

596	         Issues: None

598	         See Also:
599	             Primary Path
600	             Backup Path

602	     3.2.2. Node Protection
603	         Definition:
604	         A Backup Path that is signaled to at least one Backup Node
605	         to protect for failure of interfaces, links, and nodes
606	         along a Primary Path.

608	         Discussion:
609	         Node Protection may or may not protect the entire Primary
610	         Path.  Node Protection also provides Link Protection.
611	         Node Protection is shown in Figure 2.

613	         Measurement units: n/a

615	         Issues: None

617	         See Also:
618	             Link Protection

620	     3.2.3. Path Protection
621	        Definition:
622	        A Backup Path that is signaled to at least one Backup Node
623	        to provide protection along the entire Primary Path.

625	        Discussion:
626	        Path Protection provides Node Protection and Link Protection
627	        for every node and link along the Primary Path.  A Backup
628	        Path providing Path Protection MUST have the same ingress
629	        node as the Primary Path.  Path Protection is shown in
630	        Figure 3.

632	        Measurement units: n/a

634	        Issues: None
635	                          Protection Performance

637	        See Also:
638	             Primary Path
639	             Backup Path
640	             Node Protection
641	             Link protection

643	     3.2.4. Backup Span

645	        Definition:
646	        The number of hops used by a Backup Path.

648	        Discussion:
649	        The Backup Span is an integer obtained by counting the
650	        number of nodes along the Backup Path.

652	        Measurement units:
653	             number of nodes

655	        Issues:
656	             None

658	        See Also:
659	             Primary Path
660	             Backup Path

662	     3.2.5. Local Link Protection

664	        Definition:
665	        A Backup Path that is a redundant path between two nodes
666	        which does not use a Backup Node.

668	        Discussion:
669	        Local Link Protection MUST be provided as a Backup Path
670	        between two nodes along the Primary Path without the use
671	        of a Backup Node.  Local Link Protection is provided by
672	        Protection Switching Systems such as SONET APS.  Local
673	        Link Protection is shown in Figure 4.

675	        Measurement units: None

677	        Issues: None

679	        See Also:
680	        Backup Path
681	        Backup Node
682	                          Protection Performance

684	     3.2.6. Redundant Node Protection

686	        Definition:
687	        A Protection Switching System with a Primary Node
688	        protected by a Standby Node along the Primary Path.

690	        Discussion:
691	        Redundant Node Protection is provided by Protection
692	        Switching Systems such as VRRP and HA.  The protection
693	        mechanisms occur at Sub-IP layers to switch traffic from
694	        a Primary Node to Backup Node upon a Failover Event at
695	        the Primary Node.  Traffic continues to traverse the
696	        Primary Path through the Standby Node.  The failover MAY
697	        be stateful, in which the state information MAY be
698	        exchanged in-band or over an out-of-band state control
699	        interface.  The Standby Node MAY be active or passive.
700	        Redundant Node Protection is shown in Figure 5.

702	        Measurement units: None

704	        Issues: None

706	        See Also:
707	        Primary Path
708	        Primary Node
709	        Standby Node

711	     3.2.7. State Control Interface

713	        Definition:
714	        An out-of-band control interface used to exchange state
715	        information between the Primary Node and Standby Node.

717	        Discussion:
718	        The State Control Interface MAY be used for Redundant Node
719	        Protection.  The State Control Interface MUST be out-of-band.
720	        It is possible to have Redundant Node Protection in which
721	        there is no state control or state control is provided
722	        in-band.  The State Control Interface between the Primary
723	        and Standby Node MAY be one or more hops.

725	        Measurement units: None

727	        Issues: None

729	        See Also:
730	        Primary Node
731	        Standby Node
732	                          Protection Performance

734	     3.2.8. Protected Interface

736	        Definition:
737	        An interface along the Primary Path that is protected by
738	        a Backup Path.

740	        Discussion:
741	        A Protected Interface is an interface protected by a
742	        Protection Switching System that provides Link
743	        Protection, Node Protection, Path Protection, Local
744	        Link Protection, and Redundant Node Protection.

746	        Measurement units: None

748	        Issues: None

750	        See Also:
751	           Primary Path
752	           Backup Path

754	   3.3. Protection Switching

756	     3.3.1.  Protection Switching System

758	        Definition:
759	          A DUT/SUT that is capable of Failure Detection and Failover
760	          from a Primary Path to a Backup Path or Standby Node when a
761	          Failover Event occurs.

763	        Discussion:
764	          The Protection Switching System MUST include either a
765	          Primary Path and Backup Path, as shown in Figures 1 through
766	          4, or a Primary Node and Standby Node, as shown in Figure
767	          5.  The Backup Path MAY be a Standby Backup Path or a
768	          dynamic Backup Path.  The Protection Switching System
769	          includes the mechanisms for both Failure Detection and
770	          Failover.

772	        Measurement units: n/a

774	        Issues: None

776	        See Also:
777	             Primary Path
778	             Backup Path
779	             Failover

781	     3.3.2.  Failover Event

783	       Definition:
784	       The occurrence of a planned or unplanned action in the network
785	       that results in a change in the Path that data traffic traverses.

787	                          Protection Performance

789	       Discussion:
790	       Failover Events include, but are not limited to, link failure
791	       and router failure.  Routing changes are considered Convergence
792	       Events [7] and are not Failover Events.  This restricts
793	       Failover Events to sub-IP layers. Failover may be at the PLR or
794	       at the ingress. If the failover is at the ingress it is
795	       generally on a disjoint path from the ingress to egress.

797	       Failover Events may results from failures such as link failure
798	       or router failure.  The change in path after Failover MAY have
799	       a Backup Span of one or more nodes.  Failover Events are
800	       distinguished from routing changes and Convergence Events [7]
801	       by the detection of the failure and subsequent protection
802	       switching at a sub-IP layer.  Failover occurs at a Point of
803	       Local Repair (PLR) or Primary Node.

805	       Measurement units:
806	          n/a

808	       Issues: None

810	       See Also:
811	          Path
812	          Failure Detection
813	          Disjoint Path

815	     3.3.3.  Failure Detection

817	       Definition:
818	       The process to identify at a sub-IP layer a Failover Event
819	       at a Primary Node or along the Primary Path.

821	       Discussion:
822	       Failure Detection occurs at the Primary Node or ingress node
823	       of the Primary  Path.  Failure Detection occurs via a sub-IP
824	       mechanism such as detection of a link down event or timeout for
825	       receipt of a control packet. A failure may be completely
826	       isolated. A failure may affect a set of links which share a
827	       single SRLG (e.g. port with many sub-interfaces). A failure may
828	       affect multiple links that are not part of SRLG.

830	       Measurement units: n/a

832	       Issues:

834	       See Also:
835	         Primary Path
836	                          Protection Performance

838	     3.3.4.  Failover

840	        Definition:
841	        The process to switch data traffic from the protected Primary
842	        Path to the Backup Path upon Failure Detection of a Failover
843	        Event.

845	        Discussion:
846	        Failover to a Backup Path provides Link Protection, Node
847	        Protection, or Path Protection.  Failover is complete when
848	        Packet Loss [7], Out-of-order Packets [4], and Duplicate
849	        Packets [4] are no longer observed.  Forwarding Delay [4]
850	        may continue to be observed.

852	        Measurement units:
853	            n/a

855	        Issues:

857	        See Also:
858	             Primary Path
859	             Backup Path
860	             Failover Event

862	     3.3.5.  Restoration

864	        Definition:
865	        The state of failover recovery in which the Primary Path
866	        has recovered from a Failover Event, but is not yet
867	        forwarding packets because the Backup Path remains the
868	        Working Path.

870	        Discussion:
871	        Restoration MUST occur while the Backup Path is the
872	        Working Path.  The Backup Path is maintained as the
873	        Working Path during Restoration.  Restoration produces
874	        a Primary Path that is recovered from failure, but is
875	        not yet forwarding traffic.  Traffic is still being
876	        forwarded by the Backup Path functioning as the Working
877	        Path.

879	        Measurement units:
880	            n/a

882	        Issues:

884	        See Also:
885	            Primary Path
886	            Failover Event
887	            Failure Recovery
888	            Working Path
889	            Backup Path
890	                          Protection Performance

892	     3.3.6.  Reversion

894	        Definition:
895	        The state of failover recovery in which the Primary Path has
896	        become the Working Path so that it is forwarding packets.

898	        Discussion:
899	        Protection Switching Systems may or may not support Reversion.
900	        Reversion, if supported, MUST occur after Restoration.
901	        Packet forwarding on the Primary Path resulting from Reversion
902	        may occur either fully or partially over the Primary Path.  A
903	        potential problem with Reversion is the discontinuity in end to
904	        end delay when the Forwarding Delays [4] along the Primary Path
905	        and Backup Path are different, possibly causing Out of Order
906	        Packets [4], Duplicate Packets [4], and increased Jitter [4].

908	        Measurement units: n/a

910	        Issues: None

912	        See Also:
913	            Protection Switching System
914	            Working Path
915	            Primary Path

917	   3.4. Nodes

919	     3.4.1.  Protection-Switching Node

921	         Definition:
922	         A node that is capable of participating in a Protection
923	         Switching System.

925	         Discussion:
926	         The Protection Switching Node MAY be an ingress or egress for
927	         a Primary Path or Backup Path, such as used for MPLS Fast
928	         Reroute configurations.  The Protection Switching Node MAY
929	         provide Redundant Node Protection as a Primary Node in a
930	         Redundant chassis configuration with a Standby Node, such as
931	         used for VRRP and HA configurations.

933	         Measurement units:
934	             n/a

936	         Issues:

938	         See Also:
939	             Protection Switching System
940	                          Protection Performance

942	     3.4.2.  Non-Protection Switching Node

944	         Definition:
945	         A node that is not capable of participating in a Protection
946	         Switching System, but MAY exist along the Primary Path or
947	         Backup Path.

949	         Discussion:

951	         Measurement units:
952	             n/a

954	         Issues:

956	         See Also:
957	             Protection Switching System
958	             Primary Path
959	             Backup Path

961	     3.4.3.  Headend Node
962	        Definition:
963	        The ingress node of the Primary Path.

965	        Discussion:
966	        The Headend Node may also be a PLR when it is serving in
967	        the dual role as the ingress to the Backup Path.

969	        Measurement units: n/a

971	        Issues:

973	        See Also:
974	             Primary Path
975	             Point of Local Repair (PLR)
976	             Failover

978	     3.4.4.  Backup Node
979	        Definition:
980	        A node along the Backup Path.

982	        Discussion:
983	        The Backup Node can be any node along the Backup Path.
984	        There MAY be one or more Backup Nodes along the Backup Path.
985	        A Backup Node MAY be the ingress, mid-point, or egress of
986	        the Backup Path.  If the Backup Path has only one Backup
987	        Node, then that Backup Node is the ingress and egress of the
988	        Backup Path.

990	                          Protection Performance

992	        Measurement units: n/a

994	        Issues:

996	        See Also:
997	             Backup Path

999	       3.4.5.  Merge Node
1000	         Definition:
1001	             A node along the Primary Path where Backup Path terminates.

1003	         Discussion:
1004	             The Merge Node can be any node along the Primary Path
1005	             except the ingress node of the Primary Path.  There can be
1006	             multiple Merge Nodes along a Primary Path.  A Merge Node
1007	             can be the egress node for a single or multiple Backup
1008	             Paths.  The Merge Node MUST be the egress to the Backup
1009	             Path.  The Merge Node MAY also be the egress of the
1010	             Primary Path or Point of Local Repair (PLR).

1012	         Measurement units:
1013	             n/a

1015	         Issues:

1017	         See Also:
1018	             Primary Path
1019	             Backup Path
1020	             PLR
1021	             Failover

1023	     3.4.6. Primary Node

1025	        Definition:
1026	        A node along the Primary Path that is capable of Failover to a
1027	        redundant Standby Node.

1029	        Discussion:
1030	        The Primary Node MAY be used for Protection Switching Systems
1031	        that provide Redundant Node Protection, such as VRRP and HA

1033	        Measurement units: n/a

1035	        Issues:

1037	        See Also:
1038	             Protection Switching System
1039	             Redundant Node Protection
1040	             Standby Node
1041	                          Protection Performance

1043	     3.4.7.  Standby Node

1045	        Definition:
1046	        A redundant node to a Primary Node that forwards traffic along
1047	        the Primary Path upon Failure Detection of the Primary Node.

1049	        Discussion:
1050	        The Standby Node MUST be used for Protection Switching
1051	        Systems that provide Redundant Node Protection, such as VRRP
1052	        and HA.  The Standby Node MUST provide protection along the
1053	        same Primary Path.  If the failover is to a Disjoint Path then
1054	        it is a Backup Node.  The Standby Node MAY be configured
1055	        for 1:1 or N:1 protection.

1057	        The communication between the Primary Node and Standby Node
1058	        MAY be in-band or across an out-of-band State Control
1059	        interface.  The Standby Node MAY be geographically dispersed
1060	        from the Primary Node.  When geographically dispersed, the
1061	        number of hops of separation may increase failover time.

1063	        The Standby Node MAY be passive or active.  The Passive Standby
1064	        Node is not offered traffic and does not forward traffic until
1065	        Failure Detection of the Primary Node.  Upon Failure Detection
1066	        of the Primary Node, traffic offered to the Primary Node is
1067	        instead offered to the Passive Standby Node.  The Active
1068	        Standby Node is offered traffic and forwards traffic along the
1069	        Primary Path while the Primary Node is also active.  Upon
1070	        Failure Detection of the Primary Node, traffic offered to the
1071	        Primary Node is switched to the Active Standby Node.

1073	        Measurement units: n/a

1075	        Issues:

1077	        See Also:
1078	             Primary Node
1079	             State Control Interface

1081	     3.5.  Benchmarks
1082	      3.5.1.  Failover Packet Loss
1083	        Definition:
1084	        The amount of packet loss produced by a Failover Event until
1085	        Failover completes, where the measurement begins when the last
1086	        unimpaired packet is received by the Tester on the Protected
1087	        Primary Path and ends when the first unimpaired packet is
1088	        received by the Tester on the Backup Path.

1090	                          Protection Performance

1092	        Discussion:
1093	        Packet loss can be observed as a reduction of forwarded
1094	        traffic from the maximum forwarding rate.  Failover Packet
1095	        Loss includes packets that were lost, reordered, or delayed.
1096	        Failover Packet Loss MAY reach 100% of the offered load.

1098	        Measurement units:
1099	          Number of Packets

1101	        Issues:  None

1103	        See Also:
1104	           Failover Event
1105	           Failover

1107	      3.5.2.   Reversion Packet Loss

1109	        Definition:
1110	        The amount of packet loss produced by Reversion, where the
1111	        measurement begins when the last unimpaired packet is received
1112	        by the Tester on the Backup Path and ends when the first
1113	        unimpaired packet is received by the Tester on the Protected
1114	        Primary Path .

1116	        Discussion:
1117	        Packet loss can be observed as a reduction of forwarded
1118	        traffic from the maximum forwarding rate.  Reversion Packet
1119	        Loss includes packets that were lost, reordered, or delayed.
1120	        Reversion Packet Loss MAY reach 100% of the offered load.

1122	         Measurement units: Number of Packets

1124	         Issues:  None

1126	         See Also:
1127	           Reversion

1129	      3.5.3. Failover Time

1131	        Definition:
1132	         The amount of time it takes for Failover to successfully
1133	         complete.

1135	        Discussion:
1136	        Failover Time can be calculated using the Time-Based Loss
1137	        Method (TBLM), Packet-Loss Based Method (PLBM), or
1138	        Timestamp-Based Method (TBM).  It is RECOMMENDED that the
1139	        TBM is used.

1141	                          Protection Performance

1143	        Measurement units:
1144	           milliseconds

1146	        Issues: None

1148	        See Also:
1149	           Failover
1150	           Failover Time
1151	           Time-Based Loss Method (TBLM)
1152	           Packet-Loss Based Method (PLBM)
1153	           Timestamp-Based Method (TBM)

1155	      3.5.4.  Reversion Time

1157	        Definition:
1158	        The amount of time it takes for Reversion to complete so
1159	        that the Primary Path is restored as the Working Path.

1161	        Discussion:
1162	        Reversion Time can be calculated using the Time-Based Loss
1163	        Method (TBLM), Packet-Loss Based Method (PLBM), or
1164	        Timestamp-Based Method (TBM).  It is RECOMMENDED that the
1165	        TBM is used.

1167	        Measurement units:
1168	           milliseconds

1170	        Issues: None

1172	        See Also:
1173	           Reversion
1174	           Primary Path
1175	           Working Path
1176	           Reversion Packet Loss
1177	           Time-Based Loss Method (TBLM)
1178	           Packet-Loss Based Method (PLBM)
1179	           Timestamp-Based Method (TBM)

1181	      3.5.5.  Additive Backup Delay

1183	        Definition:
1184	        The amount of increased Forwarding Delay [4] resulting
1185	        from data traffic traversing the Backup Path instead of
1186	        the Primary Path.

1188	        Discussion:
1189	        Additive Backup Delay is calculated using Equation 1 as
1190	        shown below:

1192	        (Equation 1)
1193	        Additive Backup Delay =
1194	                  Forwarding Delay(Backup Path) -
1195	                  Forwarding Delay(Primary Path).

1197	                          Protection Performance

1199	        Measurement units:
1200	           milliseconds

1202	        Issues:
1203	        Additive Backup Latency MAY be a negative result.
1204	        This is theoretically possible, but could be indicative
1205	        of a sub-optimum network configuration .

1207	        See Also:
1208	           Primary Path
1209	           Backup Path
1210	           Primary Path Latency
1211	           Backup Path Latency

1213	     3.6 Failover Time Calculation Methods

1215	     3.6.1 Time-Based Loss Method (TBLM)

1217	      Definition:
1218	      The method to calculate Failover Time (or Reversion Time) using a
1219	      time scale on the Tester to measure the interval of Failover
1220	      Packet Loss.

1222	      Discussion:
1223	      The Tester MUST provide statistics which show the duration of
1224	      failure on a time scale based on occurrence of packet loss on
1225	      a time scale.  This is indicated by the duration of non-zero
1226	      packet loss.  The TBLM includes failure detection time and
1227	      time for data traffic to begin traversing the Backup Path.
1228	      Failover Time and Reversion Time are calculated using the
1229	      TBLM as shown in Equation 2:

1231	      (Equation 2)
1232	          (Equation 2a)
1233	          TBLM Failover Time = Time(Failover) - Time(Failover Event)

1235	          (Equation 2b)
1236	          TBLM Reversion Time = Time(Reversion) - Time(Restoration)

1238	      Measurement units:
1239	         seconds

1241	      Issues:
1242	         None

1244	      See Also:
1245	         Failover
1246	         Packet-Loss Based Method
1247	                          Protection Performance

1249	     3.6.2 Packet-Loss Based Method (PLBM)

1251	      Definition:
1252	      The method used to calculate Failover Time (or Reversion Time)
1253	      from the amount of Failover Packet Loss.

1255	      Discussion:
1256	      PLBM includes failure detection time and time for data traffic to
1257	      begin traversing the Backup Path.  Failover Time can be
1258	      calculated using PLBM from the amount Failover Packet Loss as
1259	      shown below in Equation 3. Note: If traffic is sent to more than 1
1260	      destination, PLBM gives the average loss over the measured destinations

1262	      (Equation 3)
1263	           (Equation 3a)
1264	           PLBM Failover Time =
1265	              Number of packets lost /
1266	                       (Offered Load rate * 1000)

1268	           (Equation 3b)
1269	           PLBM Restoration Time =
1270	              Number of packets lost /
1271	                       (Offered Load rate * 1000)

1273	           Units are packets/(packets/second) = seconds

1275	      Measurement units:
1276	         seconds

1278	      Issues:
1279	         None

1281	      See Also:
1282	         Failover
1283	         Time-Based Loss Method

1285	     3.6.3 Timestamp-Based Method (TBM)

1287	      Definition:
1288	      The method to calculate Failover Time (or Reversion Time)
1289	      using a time scale to quantify the interval between
1290	      unimpaired packets arriving in the test stream.

1292	      Discussion:
1293	      The purpose of this method is to quantify the duration of
1294	      failure or reversion on a time scale based on the
1295	      observation of unimpaired packets,  The TBM is calculated
1296	      from Equation 2 with the values obtained from the timestamp
1297	      in the packet payload, rather than from the Tester clock as
1298	      is used for the values when using the TBLM.

1300	      Unimpaired packets are normal packets that are not lost,
1301	      reordered, or duplicated.  A reordered packet is defined in
1302	                          Protection Performance

1304	      [10, section 3.3].  A duplicate packet is defined in
1305	      [4, section 3.3.3].  A lost packet is defined in
1306	      [7, Section 3.5].  Unimpaired packets may be detected by checking
1307	      a sequence number in the payload, where the sequence number equals
1308	      the next expected number for an unimpaired packet.  A sequence gap
1309	      or sequence reversal indicates impaired packets.

1311	      For calculating Failover Time, the TBM includes failure
1312	      detection time and time for data traffic to begin traversing the
1313	      Backup Path.  For calculating Reversion Time, the TBM includes
1314	      Reversion Time and time for data traffic to begin traversing the
1315	      Primary Path.

1317	      Measurement units:
1318	         seconds

1320	      Issues: None

1322	      See Also:
1323	         Failover
1324	         Failover Time
1325	         Reversion
1326	         Reversion Time

1328	4. Acknowledgements
1329	     We would like thank the BMWG and particularly Al Morton and Curtis
1330	     Villamizar for their reviews, comments, and contributions to this
1331	     work.

1333	5. IANA Considerations
1334	     This document requires no IANA considerations.

1336	6. Security Considerations

1338	   Documents of this type do not directly affect the security of
1339	   Internet or corporate networks as long as benchmarking is not
1340	   performed on devices or systems connected to production networks.
1341	   Security threats and how to counter these in SIP and the media
1342	   layer is discussed in RFC3261, RFC3550, and RFC3711 and various
1343	   other drafts.  This document attempts to formalize a set of
1344	   common methodology for benchmarking performance of failover
1345	   mechanisms in a lab environment.

1347	7. References
1348	7.1. Normative References
1349	     [1] Bradner, S., "The Internet Standards Process -- Revision 3",
1350	         RFC 2026, October 1996.

1352	     [2] Bradner, S., Editor, "Benchmarking Terminology for
1353	         Network Interconnection Devices", RFC 1242, July 1991.

1355	     [3] Mandeville, R., "Benchmarking Terminology for LAN
1356	         Switching Devices", RFC 2285, February 1998.

1358	                          Protection Performance

1360	     [4] Poretsky, S., et al., "Terminology for Benchmarking
1361	         Network-layer Traffic Control Mechanisms", RFC 4689,
1362	         November 2006.

1364	     [5] Bradner, S., "Key words for use in RFCs to Indicate
1365	         Requirement Levels", RFC 2119, July 1997.

1367	     [6] Not used.

1369	     [7] Poretsky, S., Imhoff, B., "Benchmarking Terminology for IGP
1370	         Convergence", draft-ietf-bmwg-igp-dataplane-conv-term-16,
1371	         work in progress, October 2009.

1373	     [8] Pan., P. et al, "Fast Reroute Extensions to RSVP-TE for LSP
1374	         Paths", RFC 4090, May 2005.

1376	     [9] Nichols, K., et al, "Definition of the Differentiated
1377	         Services Field (DS Field) in the IPv4 and IPv6 Headers",
1378	         RFC 2474, December 1998.

1380	     [10] Morton, A., et al, "Packet Reordering Metrics", RFC 4737,
1381	          November 2006.

1383	     [11] Hinden, R., "Virtual Router Redundancy Protocol", RFC 3768,
1384	          April 2004.

1386	7.2. Informative References
1387	     None

1389	8.  Authors' Addresses

1391	   Scott Poretsky
1392	   Allot Communications
1393	   67 South Bedford Street, Suite 400
1394	   Burlington, MA 01803
1395	   USA
1396	   Phone: + 1 508 309 2179
1397	   Email: sporetsky@allot.com

1399	   Rajiv Papneja
1400	   Isocore
1401	   12359 Sunrise Valley Drive
1402	   Reston, VA 22102
1403	   USA
1404	   Phone: 1 703 860 9273
1405	   Email: rpapneja@isocore.com
1406	                          Protection Performance

1408	   Jay Karthik
1409	   Cisco Systems
1410	   300 Beaver Brook Road
1411	   Boxborough, MA 01719
1412	   USA
1413	   Phone: +1 978 936 0533
1414	   Email: jkarthik@cisco.com

1416	   Samir Vapiwala
1417	   Cisco System
1418	   300 Beaver Brook Road
1419	   Boxborough, MA 01719
1420	   USA
1421	   Phone: +1 978 936 1484
1422	   Email: svapiwal@cisco.com