idnits 2.17.1 draft-ietf-rtgwg-backoff-algo-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year ** The document contains RFC2119-like boilerplate, but doesn't seem to mention RFC 2119. The boilerplate contains a reference [BCP14], but that reference does not seem to mention RFC 2119 either. -- The document date (February 26, 2018) is 2248 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'BCP14' is mentioned on line 39, but not defined == Outdated reference: A later version (-10) exists of draft-ietf-rtgwg-spf-uloop-pb-statement-06 Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Decraene 3 Internet-Draft Orange 4 Intended status: Standards Track S. Litkowski 5 Expires: August 30, 2018 Orange Business Service 6 H. Gredler 7 RtBrick Inc 8 A. Lindem 9 Cisco Systems 10 P. Francois 12 C. Bowers 13 Juniper Networks, Inc. 14 February 26, 2018 16 SPF Back-off algorithm for link state IGPs 17 draft-ietf-rtgwg-backoff-algo-08 19 Abstract 21 This document defines a standard algorithm to temporarily postpone or 22 'back-off' link-state IGP Shortest Path First (SPF) computations. 23 This reduces the computational load and churn on IGP nodes when 24 multiple temporally close network events trigger multiple SPF 25 computations. 27 Having one standard algorithm improves interoperability by reducing 28 the probability and/or duration of transient forwarding loops during 29 the IGP convergence when the IGP reacts to multiple temporally close 30 IGP events. 32 Requirements Language 34 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 35 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 36 "OPTIONAL" in this document are to be interpreted as described in 37 [BCP14] [RFC2119] [RFC8174] when, and only when, they appear in all 38 capitals, as shown here. 40 Status of This Memo 42 This Internet-Draft is submitted in full conformance with the 43 provisions of BCP 78 and BCP 79. 45 Internet-Drafts are working documents of the Internet Engineering 46 Task Force (IETF). Note that other groups may also distribute 47 working documents as Internet-Drafts. The list of current Internet- 48 Drafts is at https://datatracker.ietf.org/drafts/current/. 50 Internet-Drafts are draft documents valid for a maximum of six months 51 and may be updated, replaced, or obsoleted by other documents at any 52 time. It is inappropriate to use Internet-Drafts as reference 53 material or to cite them other than as "work in progress." 55 This Internet-Draft will expire on August 30, 2018. 57 Copyright Notice 59 Copyright (c) 2018 IETF Trust and the persons identified as the 60 document authors. All rights reserved. 62 This document is subject to BCP 78 and the IETF Trust's Legal 63 Provisions Relating to IETF Documents 64 (https://trustee.ietf.org/license-info) in effect on the date of 65 publication of this document. Please review these documents 66 carefully, as they describe your rights and restrictions with respect 67 to this document. Code Components extracted from this document must 68 include Simplified BSD License text as described in Section 4.e of 69 the Trust Legal Provisions and are provided without warranty as 70 described in the Simplified BSD License. 72 Table of Contents 74 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 75 2. High level goals . . . . . . . . . . . . . . . . . . . . . . 3 76 3. Definitions and parameters . . . . . . . . . . . . . . . . . 4 77 4. Principles of SPF delay algorithm . . . . . . . . . . . . . . 5 78 5. Specification of the SPF delay state machine . . . . . . . . 6 79 5.1. State Machine . . . . . . . . . . . . . . . . . . . . . . 6 80 5.2. State . . . . . . . . . . . . . . . . . . . . . . . . . . 7 81 5.3. Timers . . . . . . . . . . . . . . . . . . . . . . . . . 8 82 5.4. FSM Events . . . . . . . . . . . . . . . . . . . . . . . 8 83 6. Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 10 84 7. Partial Deployment . . . . . . . . . . . . . . . . . . . . . 11 85 8. Impact on micro-loops . . . . . . . . . . . . . . . . . . . . 11 86 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 87 10. Security considerations . . . . . . . . . . . . . . . . . . . 11 88 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 89 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 90 12.1. Normative References . . . . . . . . . . . . . . . . . . 12 91 12.2. Informative References . . . . . . . . . . . . . . . . . 12 92 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 94 1. Introduction 96 Link state IGPs, such as IS-IS [ISO10589-Second-Edition], OSPF 97 [RFC2328] and OSPFv3 [RFC5340], perform distributed route computation 98 on all routers in the area/level. In order to have consistent 99 routing tables across the network, such distributed computation 100 requires that all routers have the same version of the network 101 topology (Link State DataBase (LSDB)) and perform their computation 102 essentially at the same time. 104 In general, when the network is stable, there is a desire to trigger 105 a new Shortest Path First (SPF) computation as soon as a failure is 106 detected in order to quickly route around the failure. However, when 107 the network is experiencing multiple failures over a short period of 108 time, there is a conflicting desire to limit the frequency of SPF 109 computations, which would allow a reduction in control plane 110 resources used by IGPs and all protocols/subsystems reacting on the 111 attendant route change, such as LDP [RFC5036], RSVP-TE [RFC3209], BGP 112 [RFC4271], Fast ReRoute computations (e.g., Loop Free Alternates 113 (LFA) [RFC5286]), FIB updates, etc. This also reduces network churn 114 and, in particular, reduces the side effects such as micro-loops 115 [RFC5715] that ensue during IGP convergence. 117 To allow for this, IGPs usually implement an SPF back-off algorithm 118 that postpones or backs-off the SPF computation. However, different 119 implementations have chosen different algorithms. Hence, in a multi- 120 vendor network, it's not possible to ensure that all routers trigger 121 their SPF computation after the same delay. This situation increases 122 the average and maximum differential delay between routers completing 123 their SPF computation. It also increases the probability that 124 different routers compute their FIBs based on different LSDB 125 versions. Both factors increase the probability and/or duration of 126 micro-loops as discussed in Section 8. 128 To allow multi-vendor networks to have all routers delay their SPF 129 computations for the same duration, this document specifies a 130 standard algorithm. Optionally, implementations may also offer 131 alternative algorithms. 133 2. High level goals 135 The high level goals of this algorithm are the following: 137 o Very fast convergence for a single event (e.g., link failure). 139 o Paced fast convergence for multiple temporally close IGP events 140 while IGP stability is considered acceptable. 142 o Delayed convergence when IGP stability is problematic. This will 143 allow the IGP and related processes to conserve resources during 144 the period of instability. 146 o Always try to avoid different SPF_DELAY Section 3 timer values 147 across different routers in the area/level. This requires 148 specific consideration as different routers may receive IGP 149 messages at different interval or even order, due to differences 150 both in the distance from the originator of the IGP event and in 151 flooding implementations. 153 3. Definitions and parameters 155 IGP events: The reception or origination of an IGP LSDB change 156 requiring a new routing table computation. Examples are a topology 157 change, a prefix change and a metric change on a link or prefix. 158 Note that locally triggering a routing table computation is not 159 considered as an IGP event since other IGP routers are unaware of 160 this occurrence. 162 Routing table computation: Computation of the routing table, by the 163 IGP implementation, using the IGP LSDB. No distinction is made 164 between the type of computation performed. e.g., full SPF, 165 incremental SPF, Partial Route Computation (PRC). The type of 166 computation is a local consideration. This document may 167 interchangeably use the terms routing table computation and SPF 168 computation. 170 SPF_DELAY: The delay between the first IGP event triggering a new 171 routing table computation and the start of that routing table 172 computation. It can take the following values: 174 INITIAL_SPF_DELAY: A very small delay to quickly handle a single 175 isolated link failure, e.g., 0 milliseconds. 177 SHORT_SPF_DELAY: A small delay to provide fast convergence in the 178 case of a single component failure (node, Shared Risk Link Group 179 (SRLG)..) that leads to multiple IGP events, e.g., 50-100 180 milliseconds. 182 LONG_SPF_DELAY: A long delay when the IGP is unstable, e.g., 2 183 seconds. Note that this allows the IGP network to stabilize. 185 TIME_TO_LEARN_INTERVAL: This is the maximum duration typically needed 186 to learn all the IGP events related to a single component failure 187 (e.g., router failure, SRLG failure), e.g., 1 second. It's mostly 188 dependent on failure detection time variation between all routers 189 that are adjacent to the failure. Additionally, it may depend on the 190 different IGP implementations/parameters across the network, related 191 to origination and flooding of their link state advertisements. 193 HOLDDOWN_INTERVAL: The time required with no received IGP events 194 before considering the IGP to be stable again and allowing the 195 SPF_DELAY to be restored to INITIAL_SPF_DELAY. e.g. a 196 HOLDDOWN_INTERVAL of 3 seconds. The HOLDDOWN_INTERVAL MUST be 197 defaulted and configured to be longer than the 198 TIME_TO_LEARN_INTERVAL. 200 4. Principles of SPF delay algorithm 202 For this first IGP event, we assume that there has been a single 203 simple change in the network which can be taken into account using a 204 single routing computation (e.g., link failure, prefix (metric) 205 change) and we optimize for very fast convergence, delaying the 206 routing computation by INITIAL_SPF_DELAY. Under this assumption, 207 there is no benefit in delaying the routing computation. In a 208 typical network, this is the most common type of IGP event. Hence, 209 it makes sense to optimize this case. 211 If subsequent IGP events are received in a short period of time 212 (TIME_TO_LEARN_INTERVAL), we then assume that a single component 213 failed, but that this failure requires the knowledge of multiple IGP 214 events in order for IGP routing to converge. Under this assumption, 215 we want fast convergence since this is a normal network situation. 216 However, there is a benefit in waiting for all IGP events related to 217 this single component failure so that the IGP can compute the post- 218 failure routing table in a single additional route computation. In 219 this situation, we delay the routing computation by SHORT_SPF_DELAY. 221 If IGP events are still received after TIME_TO_LEARN_INTERVAL from 222 the initial IGP event received in QUIET state Figure 1, then the 223 network is presumably experiencing multiple independent failures. In 224 this case, while waiting for network stability, the computations are 225 delayed for a longer time represented by LONG_SPF_DELAY. This SPF 226 delay is kept until no IGP events are received for HOLDDOWN_INTERVAL. 228 Note that in order to increase the consistency network wide, the 229 algorithm uses a delay (TIME_TO_LEARN_INTERVAL) from the initial IGP 230 event, rather than the number of SPF computation performed. Indeed, 231 as all routers may receive the IGP events at different times, we 232 cannot assume that all routers will perform the same number of SPF 233 computations. For example, assuming that the SPF delay is 50 ms, 234 router R1 may receive 3 IGP events (E1, E2, E3) in those 50 ms and 235 hence will perform a single routing computation. While another 236 router R2 may only receive 2 events (E1, E2) in those 50 ms and hence 237 will schedule another routing computation when receiving E3. 239 5. Specification of the SPF delay state machine 241 This section describes the abstract finite state machine (FSM) 242 intended to control the timing of the execution of SPF calculations 243 in response to IGP events. 245 5.1. State Machine 247 The FSM is initialized to the QUIET state with all three timers 248 timers (SPF_TIMER, HOLDDOWN_TIMER, LEARN_TIMER) deactivated. 250 The events which may change the FSM states are an IGP event or the 251 expiration of one timer (SPF_TIMER, HOLDDOWN_TIMER, LEARN_TIMER). 253 The following diagram briefly describes the state transitions. 255 +-------------------+ 256 +---->| |<-------------------+ 257 | | QUIET | | 258 +-----| |<---------+ | 259 7: +-------------------+ | | 260 SPF_TIMER | | | 261 expiration | | | 262 | 1: IGP event | | 263 | | | 264 v | | 265 +-------------------+ | | 266 +---->| | | | 267 | | SHORT_WAIT |----->----+ | 268 +-----| | | 269 2: +-------------------+ 6: HOLDDOWN_TIMER | 270 IGP event | expiration | 271 8: SPF_TIMER | | 272 expiration | | 273 | 3: LEARN_TIMER | 274 | expiration | 275 | | 276 v | 277 +-------------------+ | 278 +---->| | | 279 | | LONG_WAIT |------------>-------+ 280 +-----| | 281 4: +-------------------+ 5: HOLDDOWN_TIMER 282 IGP event expiration 283 9: SPF_TIMER expiration 285 Figure 1: State Machine 287 5.2. State 289 The naming and semantics of each state corresponds directly to the 290 SPF delay used for IGP events received in that state. Three states 291 are defined: 293 QUIET: This is the initial state, when no IGP events have occurred 294 for at least HOLDDOWN_INTERVAL since the previous routing table 295 computation. The state is meant to handle link failures very 296 quickly. 298 SHORT_WAIT: State entered when an IGP event has been received in 299 QUIET state. This state is meant to handle single component failure 300 requiring multiple IGP events (e.g., node, SRLG). 302 LONG_WAIT: State reached after TIME_TO_LEARN_INTERVAL. In other 303 words, state reached after TIME_TO_LEARN_INTERVAL in state 304 SHORT_WAIT. This state is meant to handle multiple independent 305 component failures during periods of IGP instability. 307 5.3. Timers 309 SPF_TIMER: The FSM abstract timer that uses the computed SPF delay. 310 Upon expiration, the Route Table Computation (as defined in 311 Section 3) is performed. 313 HOLDDOWN_TIMER: The FSM abstract timer that is (re)started whan an 314 IGP event is received and set to HOLDDOWN_INTERVAL. Upon expiration, 315 the FSM is moved to the QUIET state. 317 LEARN_TIMER: The FSM abstract timer that is started when an IGP event 318 is recevied while the FSM is in the QUIET state. Upon expiration, 319 the FSM is moved to the LONG_WAIT state. 321 5.4. FSM Events 323 This section describes the events and the actions performed in 324 response. 326 Transition 1: IGP event, while in QUIET state. 328 Actions on event 1: 330 o If SPF_TIMER is not already running, start it with value 331 INITIAL_SPF_DELAY. 333 o Start LEARN_TIMER with TIME_TO_LEARN_INTERVAL. 335 o Start HOLDDOWN_TIMER with HOLDDOWN_INTERVAL. 337 o Transition to SHORT_WAIT state. 339 Transition 2: IGP event, while in SHORT_WAIT. 341 Actions on event 2: 343 o Reset HOLDDOWN_TIMER to HOLDDOWN_INTERVAL. 345 o If SPF_TIMER is not already running, start it with value 346 SHORT_SPF_DELAY. 348 o Remain in current state. 350 Transition 3: LEARN_TIMER expiration. 352 Actions on event 3: 354 o Transition to LONG_WAIT state. 356 Transition 4: IGP event, while in LONG_WAIT. 358 Actions on event 4: 360 o Reset HOLDDOWN_TIMER to HOLDDOWN_INTERVAL. 362 o If SPF_TIMER is not already running, start it with value 363 LONG_SPF_DELAY. 365 o Remain in current state. 367 Transition 5: HOLDDOWN_TIMER expiration, while in LONG_WAIT. 369 Actions on event 5: 371 o Transition to QUIET state. 373 Transition 6: HOLDDOWN_TIMER expiration, while in SHORT_WAIT. 375 Actions on event 6: 377 o Deactivate LEARN_TIMER. 379 o Transition to QUIET state. 381 Transition 7: SPF_TIMER expiration, while in QUIET. 383 Actions on event 7: 385 o Compute SPF. 387 o Remain in current state. 389 Transition 8: SPF_TIMER expiration, while in SHORT_WAIT. 391 Actions on event 8: 393 o Compute SPF. 395 o Remain in current state. 397 Transition 9: SPF_TIMER expiration, while in LONG_WAIT. 399 Actions on event 9: 401 o Compute SPF. 403 o Remain in current state. 405 6. Parameters 407 All the parameters MUST be configurable at the protocol instance 408 granularity. They MAY be configurable at the area/level granularity. 409 All the delays (INITIAL_SPF_DELAY, SHORT_SPF_DELAY, LONG_SPF_DELAY, 410 TIME_TO_LEARN_INTERVAL, HOLDDOWN_INTERVAL) SHOULD be configurable at 411 the millisecond granularity. They MUST be configurable at least at 412 the tenth of second granularity. The configurable range for all the 413 parameters SHOULD at least be from 0 milliseconds to 60 seconds. 415 This document does not propose default values for the parameters 416 because these values are expected to be context dependent. 417 Implementations are free to propose their own default values. 418 However the HOLDDOWN_INTERVAL MUST be defaulted or configured to be 419 longer than the TIME_TO_LEARN_INTERVAL. 421 In order to satisfy the goals stated in Section 2, operators are 422 RECOMMENDED to configure delay intervals such that INITIAL_SPF_DELAY 423 <= SHORT_SPF_DELAY and SHORT_SPF_DELAY <= LONG_SPF_DELAY. 425 When setting (default) values, one should consider the customers and 426 their application requirements, the computational power of the 427 routers, the size of the network, and, in particular, the number of 428 IP prefixes advertised in the IGP, the frequency and number of IGP 429 events, the number of protocols reactions/computations triggered by 430 IGP SPF computation (e.g., BGP, PCEP, Traffic Engineering CSPF, Fast 431 ReRoute computations). 433 Note that some or all of these factors may change over the life of 434 the network. In case of doubt, it's RECOMMENDED that timer intervals 435 should be chosen conservatively (i.e., longer timer values). 437 For the standard algorithm to be effective in mitigating micro-loops, 438 it is RECOMMENDED that all routers in the IGP domain, or at least all 439 the routers in the same area/level, have exactly the same configured 440 values. 442 7. Partial Deployment 444 In general, the SPF delay algorithm is only effective in mitigating 445 micro-loops if it is deployed, with the same parameters, on all 446 routers in the IGP domain or, at least, all routers in an IGP area/ 447 level. The impact of partial deployment is dependent on the 448 particular event, topology, and the SPF algorithm(s) used on other 449 routers in the IGP area/level. In cases where the previous SPF 450 algorithm was implemented uniformly, partial deployment will increase 451 the frequency and duration of micro-loops. Hence, it is RECOMMENDED 452 that all routers in the IGP domain or at least within the same area/ 453 level be migrated to the SPF algorithm described herein at roughly 454 the same time. 456 Note that this is not a new consideration as over times, network 457 operators have changed SPF delay parameters in order to accommodate 458 new customer requirements for fast convergence, as permitted by new 459 software and hardware. They may also have progressively replaced an 460 implementation with a given SPF delay algorithm by another 461 implementation with a different one. 463 8. Impact on micro-loops 465 Micro-loops during IGP convergence are due to a non-synchronized or 466 non-ordered update of the forwarding information tables (FIB) 467 [RFC5715] [RFC6976] [I-D.ietf-rtgwg-spf-uloop-pb-statement]. FIBs 468 are installed after multiple steps such as flooding of the IGP event 469 across the network, SPF wait time, SPF computation, FIB distribution 470 across line cards, and FIB update. This document only addresses the 471 contribution from the SPF wait time. This standardized procedure 472 reduces the probability and/or duration of micro-loops when IGPs 473 experience multiple temporally close events. It does not prevent all 474 micro-loops. However, it is beneficial and is less complex and 475 costly to implement when compared to full solutions such as [RFC5715] 476 or [RFC6976]. 478 9. IANA Considerations 480 No IANA actions required. 482 10. Security considerations 484 The algorithm presented in this document does not compromise IGP 485 security. An attacker having the ability to generate IGP events 486 would be able to delay the IGP convergence time. The LONG_SPF_DELAY 487 state may help mitigate the effects of Denial-of-Service (DOS) 488 attacks generating many IGP events. 490 11. Acknowledgements 492 We would like to acknowledge Les Ginsberg, Uma Chunduri, Mike Shand 493 and Alexander Vainshtein for the discussions and comments related to 494 this document. 496 12. References 498 12.1. Normative References 500 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 501 Requirement Levels", BCP 14, RFC 2119, 502 DOI 10.17487/RFC2119, March 1997, 503 . 505 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 506 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 507 May 2017, . 509 12.2. Informative References 511 [I-D.ietf-rtgwg-spf-uloop-pb-statement] 512 Litkowski, S., Decraene, B., and M. Horneffer, "Link State 513 protocols SPF trigger and delay algorithm impact on IGP 514 micro-loops", draft-ietf-rtgwg-spf-uloop-pb-statement-06 515 (work in progress), January 2018. 517 [ISO10589-Second-Edition] 518 International Organization for Standardization, 519 "Intermediate system to Intermediate system intra-domain 520 routeing information exchange protocol for use in 521 conjunction with the protocol for providing the 522 connectionless-mode Network Service (ISO 8473)", ISO/ 523 IEC 10589:2002, Second Edition, Nov 2002. 525 [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, 526 DOI 10.17487/RFC2328, April 1998, 527 . 529 [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., 530 and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP 531 Tunnels", RFC 3209, DOI 10.17487/RFC3209, December 2001, 532 . 534 [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A 535 Border Gateway Protocol 4 (BGP-4)", RFC 4271, 536 DOI 10.17487/RFC4271, January 2006, 537 . 539 [RFC5036] Andersson, L., Ed., Minei, I., Ed., and B. Thomas, Ed., 540 "LDP Specification", RFC 5036, DOI 10.17487/RFC5036, 541 October 2007, . 543 [RFC5286] Atlas, A., Ed. and A. Zinin, Ed., "Basic Specification for 544 IP Fast Reroute: Loop-Free Alternates", RFC 5286, 545 DOI 10.17487/RFC5286, September 2008, 546 . 548 [RFC5340] Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF 549 for IPv6", RFC 5340, DOI 10.17487/RFC5340, July 2008, 550 . 552 [RFC5715] Shand, M. and S. Bryant, "A Framework for Loop-Free 553 Convergence", RFC 5715, DOI 10.17487/RFC5715, January 554 2010, . 556 [RFC6976] Shand, M., Bryant, S., Previdi, S., Filsfils, C., 557 Francois, P., and O. Bonaventure, "Framework for Loop-Free 558 Convergence Using the Ordered Forwarding Information Base 559 (oFIB) Approach", RFC 6976, DOI 10.17487/RFC6976, July 560 2013, . 562 Authors' Addresses 564 Bruno Decraene 565 Orange 567 Email: bruno.decraene@orange.com 569 Stephane Litkowski 570 Orange Business Service 572 Email: stephane.litkowski@orange.com 574 Hannes Gredler 575 RtBrick Inc 577 Email: hannes@rtbrick.com 578 Acee Lindem 579 Cisco Systems 580 301 Midenhall Way 581 Cary, NC 27513 582 USA 584 Email: acee@cisco.com 586 Pierre Francois 588 Email: pfrpfr@gmail.com 590 Chris Bowers 591 Juniper Networks, Inc. 592 1194 N. Mathilda Ave. 593 Sunnyvale, CA 94089 594 US 596 Email: cbowers@juniper.net