idnits 2.17.1 draft-iops-grow-bgp-session-culling-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 12, 2017) is 2595 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-10) exists of draft-ietf-idr-shutdown-07 == Outdated reference: A later version (-20) exists of draft-ietf-rtgwg-bgp-pic-01 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Global Routing Operations W. Hargrave 3 Internet-Draft LONAP 4 Intended status: Best Current Practice M. Griswold 5 Expires: September 13, 2017 20C 6 J. Snijders 7 NTT 8 N. Hilliard 9 INEX 10 March 12, 2017 12 Mitigating Negative Impact of Maintenance through BGP Session Culling 13 draft-iops-grow-bgp-session-culling-00 15 Abstract 17 This document outlines an approach to mitigate negative impact on 18 networks resulting from maintenance activities. It includes guidance 19 for both IP networks and Internet Exchange Points (IXPs). The 20 approach is to ensure BGP-4 sessions affected by the maintenance are 21 forcefully torn down before the actual maintenance activities 22 commence. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at http://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on September 13, 2017. 41 Copyright Notice 43 Copyright (c) 2017 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (http://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 2. BGP Session Culling . . . . . . . . . . . . . . . . . . . . . 3 60 2.1. Voluntary BGP Session Teardown Recommendations . . . . . 3 61 2.1.1. Maintenance Communication Considerations . . . . . . 3 62 2.2. Involuntary BGP Session Teardown Recommendations . . . . 3 63 2.2.1. Packet Filter Considerations . . . . . . . . . . . . 4 64 2.2.2. Hardware Considerations . . . . . . . . . . . . . . . 4 65 2.3. Monitoring Considerations . . . . . . . . . . . . . . . . 5 66 3. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5 67 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 68 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 69 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 70 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 71 6.2. Informative References . . . . . . . . . . . . . . . . . 6 72 Appendix A. Example packet filters . . . . . . . . . . . . . . . 6 73 A.1. Juniper Junos Layer 2 Firewall Example Configuration . . 6 74 A.2. Arista EOS Firewall Example Configuration . . . . . . . . 8 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 77 1. Introduction 79 In network topologies where BGP speaking routers are directly 80 attached to each other, or use fault detection mechanisms such as BFD 81 [RFC5880], detecting and acting upon a link down event (for example 82 when someone yanks the physical connector) in a timely fashion is 83 straightforward. 85 However, in topologies where upper layer fast fault detection 86 mechanisms are unavailable and the lower layer topology is hidden 87 from the BGP speakers, operators rely on BGP Hold Timer Expiration 88 (section 6.5 of [RFC4271]) to initiate traffic rerouting. Common BGP 89 Hold Timer values are anywhere between 90 and 180 seconds, which 90 implies a window of 90 to 180 seconds during which traffic 91 blackholing will occur if the lower layer network is not able to 92 forward traffic. 94 BGP Session Culling is the practice of ensuring BGP sessions are 95 forcefully torn down before maintenance activities on a lower layer 96 network commence, which otherwise would affect the flow of data 97 between the BGP speakers. 99 2. BGP Session Culling 101 From the viewpoint of the IP network operator, there are two types of 102 BGP Session Culling: 104 Voluntary BGP Session Teardown: The operator initiates the tear down 105 of the potentially affected BGP session by issuing an 106 Administrative Shutdown. 108 Involuntary BGP Session Teardown: The caretaker of the lower layer 109 network disrupts BGP control-plane traffic in the upper layer, 110 causing the BGP Hold Timers of the affected BGP session to expire, 111 subsequently triggering rerouting of end user traffic. 113 2.1. Voluntary BGP Session Teardown Recommendations 115 Before an operator commences activities which can cause disruption to 116 the flow of data through the lower layer network, an operator would 117 do well to Administratively Shutdown the BGP sessions running across 118 the lower layer network and wait a few minutes for data-plane traffic 119 to subside. 121 While architectures exist to facilitate quick network reconvergence 122 (such as BGP PIC [I-D.ietf-rtgwg-bgp-pic]), an operator cannot assume 123 the remote side has such capabilities. As such, a grace period 124 between the Administrative Shutdown and the impacting maintenance 125 activities is warranted. 127 After the maintenance activities have concluded, the operator is 128 expected to restore the BGP sessions to their original Administrative 129 state. 131 2.1.1. Maintenance Communication Considerations 133 Initiators of the Administrative Shutdown are encouraged to use 134 Shutdown Communication [I-D.ietf-idr-shutdown] to inform the remote 135 side on the nature and duration of the maintenance activities. 137 2.2. Involuntary BGP Session Teardown Recommendations 139 In the case where multilateral interconnection between BGP speakers 140 is facilitated through a switched layer-2 fabric, such as commonly 141 seen at Internet Exchange Points (IXPs), different operational 142 considerations can apply. 144 Operational experience shows many network operators are unable to 145 carry out the Voluntary BGP Session Teardown recommendations, because 146 of the operational cost and risk of co-ordinating the two 147 configuration changes required. This has an adverse affect on 148 Internet performance. 150 In the absence of notifications from the lower layer (e.g. ethernet 151 link down) consistent with the planned maintenance activities in a 152 densely meshed multi-node layer-2 fabric, the caretaker of the fabric 153 could opt to cull BGP sessions on behalf of the stakeholders 154 connected to the fabric. 156 Such culling of control-plane traffic will pre-empt the loss of end- 157 user traffic, by causing the expiration of BGP Hold Timers ahead of 158 the moment where the expiration would occur without intervention from 159 the fabric's caretaker. 161 In this scenario, BGP Session Culling is accomplished through the 162 application of a combined layer-3 and layer-4 packet filter deployed 163 in the switched fabric itself. 165 2.2.1. Packet Filter Considerations 167 The packet filter should be designed and specified in a way that: 169 o only affect link-local BGP traffic i.e. forming part of the 170 control plane of the system described, rather than multihop BGP 171 which merely transits 173 o only affect BGP, i.e. TCP/179 175 o make provision for the bidirectional nature of BGP, i.e. that 176 sessions may be established in either direction 178 o affect all relevant AFIs 180 Appendix A contains examples of correct packet filters for various 181 platforms. 183 2.2.2. Hardware Considerations 185 Not all hardware is capable of deploying layer 3 / layer 4 filters on 186 layer 2 ports, and even on platforms which support the feature, 187 documented limitations may exist or hardware resource allocation 188 failures may occur during filter deployment which may cause 189 unexpected result. These problems may include: 191 o Platform inability to apply layer 3/4 filters on ports which 192 already have layer 2 filters applied. 194 o Layer 3/4 filters supported for IPv4 but not for IPv6. 196 o Layer 3/4 filters supported on physical ports, but not on 802.3ad 197 Link Aggregate ports. 199 o Failure of the operator to apply filters to all 802.3ad Link 200 Aggregate ports 202 o Limitations in ACL hardware mechanisms causing filters not to be 203 applied. 205 o Fragmentation of ACL lookup memory causing transient ACL 206 application problems which are resolved after ACL removal / 207 reapplication. 209 o Temporary service loss during hardware programming 211 o Reduction in hardware ACL capacity if the platform enables 212 lossless ACL application. 214 It is advisable for the operator to be aware of the limitations of 215 their hardware, and to thoroughly test all complicated configurations 216 in advance to ensure that problems don't occur during production 217 deployments. 219 2.3. Monitoring Considerations 221 The caretaker of the lower layer can monitor data-plane traffic (e.g. 222 interface counters) and carry out the maintenance without impact to 223 traffic once session culling is complete. 225 3. Acknowledgments 227 The authors would like to thank the following people for their 228 contributions to this document: Saku Ytti. 230 4. Security Considerations 232 There are no security considerations. 234 5. IANA Considerations 236 This document has no actions for IANA. 238 6. References 240 6.1. Normative References 242 [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A 243 Border Gateway Protocol 4 (BGP-4)", RFC 4271, 244 DOI 10.17487/RFC4271, January 2006, 245 . 247 6.2. Informative References 249 [I-D.ietf-idr-shutdown] 250 Snijders, J., Heitz, J., and J. Scudder, "BGP 251 Administrative Shutdown Communication", draft-ietf-idr- 252 shutdown-07 (work in progress), March 2017. 254 [I-D.ietf-rtgwg-bgp-pic] 255 Bashandy, A., Filsfils, C., and P. Mohapatra, "BGP Prefix 256 Independent Convergence", draft-ietf-rtgwg-bgp-pic-01 257 (work in progress), June 2016. 259 [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection 260 (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, 261 . 263 Appendix A. Example packet filters 265 Example packet filters for "Involuntary BGP Session Teardown" at an 266 IXP with LAN prefixes 192.0.2.0/24 and 2001:db8:2::/64. 268 A.1. Juniper Junos Layer 2 Firewall Example Configuration 270 > show configuration firewall family ethernet-switching filter cull 271 term towards_peeringlan-v4 { 272 from { 273 ip-version { 274 ipv4 { 275 destination-port bgp; 276 ip-source-address { 277 192.0.2.0/24; 278 } 279 ip-destination-address { 280 192.0.2.0/24; 281 } 282 ip-protocol tcp; 283 } 284 } 285 } 286 then discard; 287 } 288 term from_peeringlan-v4 { 289 from { 290 ip-version { 291 ipv4 { 292 source-port bgp; 293 ip-source-address { 294 192.0.2.0/24; 295 } 296 ip-destination-address { 297 192.0.2.0/24; 298 } 299 ip-protocol tcp; 300 } 301 } 302 } 303 then discard; 304 } 305 term towards_peeringlan-v6 { 306 from { 307 ip-version { 308 ipv6 { 309 next-header tcp; 310 destination-port bgp; 311 ip6-source-address { 312 2001:db8:2::/64; 313 } 314 ip6-destination-address { 315 2001:db8:2::/64; 316 } 317 } 318 } 319 } 320 then discard; 321 } 322 term from_peeringlan-v6 { 323 from { 324 ip-version { 325 ipv6 { 326 next-header tcp; 327 source-port bgp; 328 ip6-source-address { 329 2001:db8:2::/64; 330 } 331 ip6-destination-address { 332 2001:db8:2::/64; 333 } 335 } 336 } 337 } 338 then discard; 339 } 340 term rest { 341 then accept; 342 } 344 > show configuration interfaces xe-0/0/46 345 description "IXP participant affected by maintenance" 346 unit 0 { 347 family ethernet-switching { 348 filter { 349 input cull; 350 } 351 } 352 } 354 A.2. Arista EOS Firewall Example Configuration 356 ipv6 access-list acl-ipv6-permit-all-except-bgp 357 10 deny tcp 2001:db8:2::/64 eq bgp 2001:db8:2::/64 358 20 deny tcp 2001:db8:2::/64 2001:db8:2::/64 eq bgp 359 30 permit ipv6 any any 360 ! 361 ip access-list acl-ipv4-permit-all-except-bgp 362 10 deny tcp 192.0.2.0/24 eq bgp 192.0.2.0/24 363 20 deny tcp 192.0.2.0/24 192.0.2.0/24 eq bgp 364 30 permit ip any any 365 ! 366 interface Ethernet33 367 description IXP participant affected by maintenance 368 ip access-group acl-ipv4-permit-all-except-bgp in 369 ipv6 access-group acl-ipv6-permit-all-except-bgp in 370 ! 372 Authors' Addresses 374 Will Hargrave 375 LONAP Ltd 376 5 Fleet Place 377 London EC4M 7RD 378 United Kingdom 380 Email: will@lonap.net 381 Matt Griswold 382 20C 383 1658 Milwaukee Ave # 100-4506 384 Chicago, IL 60647 385 United States of America 387 Email: grizz@20c.com 389 Job Snijders 390 NTT Communications 391 Theodorus Majofskistraat 100 392 Amsterdam 1065 SZ 393 The Netherlands 395 Email: job@ntt.net 397 Nick Hilliard 398 INEX 399 4027 Kingswood Road 400 Dublin 24 401 Ireland 403 Email: nick@inex.ie