-
Notifications
You must be signed in to change notification settings - Fork 3
/
draft-ietf-grow-bgp-session-culling.xml
327 lines (303 loc) · 16.6 KB
/
draft-ietf-grow-bgp-session-culling.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" []>
<?rfc strict="yes" ?>
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<rfc category="bcp"
ipr="trust200902"
docName="draft-ietf-grow-bgp-session-culling-05"
submissionType="IETF">
<front>
<title abbrev="BGP Session Culling">Mitigating Negative Impact of Maintenance through BGP Session Culling</title>
<author fullname="Will Hargrave" initials="W." surname="Hargrave">
<organization abbrev="LONAP">LONAP Ltd</organization>
<address>
<postal>
<street>5 Fleet Place</street>
<city>London</city>
<code>EC4M 7RD</code>
<country>United Kingdom</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Matt Griswold" initials="M." surname="Griswold">
<organization abbrev="20C">20C</organization>
<address>
<postal>
<street>1658 Milwaukee Ave # 100-4506</street>
<city>Chicago</city>
<region>IL</region>
<code>60647</code>
<country>United States of America</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Job Snijders" initials="J." surname="Snijders">
<organization abbrev="NTT">NTT Communications</organization>
<address>
<postal>
<street>Theodorus Majofskistraat 100</street>
<code>1065 SZ</code>
<city>Amsterdam</city>
<country>The Netherlands</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author initials="N" surname="Hilliard" fullname="Nick Hilliard">
<organization>INEX</organization>
<address>
<postal>
<street>4027 Kingswood Road</street>
<city>Dublin</city>
<code>24</code>
<country>Ireland</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<date />
<area>Routing</area>
<workgroup>Global Routing Operations</workgroup>
<keyword>BGP</keyword>
<keyword>culling</keyword>
<keyword>EBGP</keyword>
<keyword>sessions</keyword>
<abstract>
<t>
This document outlines an approach to mitigate negative impact on networks resulting from maintenance activities.
It includes guidance for both IP networks and Internet Exchange Points (IXPs).
The approach is to ensure BGP-4 sessions affected by the maintenance are forcefully torn down before the actual maintenance activities commence.
</t>
</abstract>
</front>
<middle>
<section anchor="Introduction" title="Introduction">
<t>
BGP Session Culling is the practice of ensuring BGP sessions are forcefully torn down before maintenance activities on a lower layer network commence, which otherwise would affect the flow of data between the BGP speakers.
</t>
<t>
BGP Session Culling ensures that lower layer network maintenance activities cause the minimum possible amount of disruption, by causing BGP speakers to preemptively converge onto alternative paths while the lower layer network's forwarding plane remains fully operational.
</t>
<t>
The grace period required for a successful application of BGP Session Culling is the sum of the time needed to detect the loss of the BGP session, plus the time required for the BGP speaker to converge onto alternative paths.
The first value is often governed by the BGP Hold Timer (section 6.5 of <xref target="RFC4271" />), commonly between 90 and 180 seconds.
The second value is implementation specific, but could be as much as 15 minutes when a router with a slow control-plane is receiving a full set of Internet routes.
</t>
<t>
Throughout this document the "Caretaker" is defined to be in control of the lower layer network, while "Operators" directly administrate the BGP speakers.
Operators and Caretakers implementing BGP Session Culling are encouraged to avoid using a fixed grace period, but instead monitor forwarding plane activity while the culling is taking place and consider it complete <xref target="Procedural_Considerations">once traffic levels have dropped to a minimum</xref>.
</t>
</section>
<section title="Requirements Language">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <xref target="RFC2119">RFC 2119</xref>.
</t>
</section>
<section title="BGP Session Culling">
<t>
From the viewpoint of the Operator, there are two types of BGP Session Culling:
<list style="hanging">
<t hangText="Voluntary BGP Session Teardown:">The Operator initiates the tear down of the potentially affected BGP session by issuing an Administrative Shutdown.</t>
<t hangText="Involuntary BGP Session Teardown:">The Caretaker of the lower layer network disrupts (higher layer) BGP control-plane traffic, causing the BGP Hold Timers of the affected BGP session to expire, subsequently triggering rerouting of end user traffic.</t>
</list>
</t>
<section title="Voluntary BGP Session Teardown Recommendations">
<t>
Before an Operator commences activities which can cause disruption to the flow of data through the lower layer network, an Operator can reduce loss of traffic by issuing an administrative shutdown to all BGP sessions running across the lower layer network and wait a few minutes for data-plane traffic to subside.
</t>
<t>
While architectures exist to facilitate quick network reconvergence (such as <xref target="I-D.ietf-rtgwg-bgp-pic">BGP PIC</xref>), an Operator cannot assume the remote side has such capabilities.
As such, a grace period between the Administrative Shutdown and the impacting maintenance activities is warranted.
</t>
<t>
After the maintenance activities have concluded, the Operator is expected to restore the BGP sessions to their original Administrative state.
</t>
<section title="Maintenance Considerations">
<t>
Initiators of the administrative shutdown MAY consider using <xref target="I-D.ietf-grow-bgp-gshut">Graceful Shutdown</xref> to facilitate smooth drainage of traffic prior to session tear down, and the <xref target="RFC8203">Shutdown Communication</xref> to inform the remote side on the nature and duration of the maintenance activities.
</t>
</section>
</section>
<section title="Involuntary BGP Session Teardown Recommendations">
<t>
In the case where multilateral interconnection between BGP speakers is facilitated through a switched layer-2 fabric, such as commonly seen at Internet Exchange Points (IXPs), different operational considerations can apply.
</t>
<t>
Operational experience shows many Operators are unable to carry out the Voluntary BGP Session Teardown recommendations, because of the operational cost and risk of coordinating the two configuration changes required. This has an adverse affect on Internet performance.
</t>
<t>
In the absence of notifications from the lower layer (e.g. Ethernet link down) consistent with the planned maintenance activities in a switched layer-2 fabric, the Caretaker of the fabric could choose to cull BGP sessions on behalf of the Operators connected to the fabric.
</t>
<t>
Such culling of control-plane traffic will preempt the loss of end-user traffic, by causing the expiration of BGP Hold Timers ahead of the moment where the expiration would occur without intervention from the fabric's Caretaker.
</t>
<t>
In this scenario, BGP Session Culling is accomplished as described in the next sub-section, through the application of a combined layer-3 and layer-4 packet filter deployed in the Caretaker's switched fabric.
</t>
<section title="Packet Filter Considerations">
<t>
The peering LAN prefixes used by the IXP form the control plane, and following considerations apply to the packet filter design:
<list style="symbols">
<t>
The packet filter MUST only affect BGP traffic specific to the layer-2 fabric, i.e. forming part of the control plane of the system described, rather than multihop BGP traffic which merely transits.
</t>
<t>
The packet filter MUST only affect BGP, i.e. TCP/179.
</t>
<t>
The packet filter SHOULD make provision for the bidirectional nature of BGP, i.e. that sessions may be established in either direction.
</t>
<t>
The packet filter MUST affect all Address Family Identifiers.
</t>
</list>
<xref target="acl1" /> contains examples of correct packet filters for various platforms.
</t>
</section>
<section title="Hardware Considerations">
<t>
Not all hardware is capable of deploying Layer 3 / Layer 4 filters on Layer 2 ports, and even on platforms which claim support for such a feature, limitations may exist or hardware resource allocation failures may occur during filter deployment which may cause unexpected results.
These problems may include:
<list style="symbols">
<t>
Platform inability to apply layer 3/4 filters on ports which already have layer 2 filters applied.
</t>
<t>
Layer 3/4 filters supported for IPv4 but not for IPv6.
</t>
<t>
Layer 3/4 filters supported on physical ports, but not on 802.3ad Link Aggregate ports.
</t>
<t>
Failure of the Caretaker to apply filters to all 802.3ad Link Aggregate ports.
</t>
<t>
Limitations in ACL hardware mechanisms causing filters not to be applied.
</t>
<t>
Fragmentation of ACL lookup memory causing transient ACL application problems which are resolved after ACL removal / reapplication.
</t>
<t>
Temporary service loss during hardware programming
</t>
<t>
Reduction in hardware ACL capacity if the platform enables lossless ACL application.
</t>
</list>
It is advisable for the Caretaker to be aware of the limitations of their hardware, and to thoroughly test all complicated configurations in advance to ensure that problems don't occur during production deployments.
</t>
</section>
</section>
<section anchor="Procedural_Considerations" title="Procedural Considerations">
<t>
The Caretaker of the lower layer network can monitor data-plane traffic (e.g. interface counters) and carry out the maintenance without impact to traffic once session culling is complete.
</t>
<t>
It is recommended that the packet filters are only deployed for the duration of the maintenance and immediately removed after the maintenance.
To prevent unnecessarily troubleshooting, it is RECOMMENDED that Caretakers notify the affected Operators before the maintenance takes place, and make it explicit that the Involuntary BGP Session Culling methodology will be applied.
</t>
</section>
</section>
<section anchor="Acknowledgments" title="Acknowledgments">
<t>
The authors would like to thank the following people for their contributions to this document: Saku Ytti, Greg Hankins, James Bensley, Wolfgang Tremmel, Daniel Rösen, Bruno Decraene, Tore Anderson, John Heasley, Warren Kumari, Stig Venaas, and Brian Carpenter.
</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>
There are no security considerations.
</t>
</section>
<section title="IANA Considerations">
<t>
This document has no actions for IANA.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119.xml"?>
<?rfc include="reference.RFC.4271.xml"?>
</references>
<references title="Informative References">
<?rfc include="reference.I-D.draft-ietf-grow-bgp-gshut-11"?>
<?rfc include="reference.RFC.8203.xml"?>
<?rfc include="reference.I-D.draft-ietf-rtgwg-bgp-pic-05"?>
</references>
<section anchor="acl1" title="Example packet filters">
<t>
Example packet filters for "Involuntary BGP Session Teardown" at an IXP using peering LAN prefixes 192.0.2.0/24 and 2001:db8:2::/64 as its control plane.
</t>
<t>
A repository of configuration examples for a number of assorted platforms can be found at <eref target="https://github.com/bgp/bgp-session-culling-config-examples">https://github.com/bgp/bgp-session-culling-config-examples</eref>.
</t>
<section title="Cisco IOS, IOS XR & Arista EOS Firewall Example Configuration">
<figure>
<artwork><![CDATA[
ipv6 access-list acl-ipv6-permit-all-except-bgp
10 deny tcp 2001:db8:2::/64 eq bgp 2001:db8:2::/64
20 deny tcp 2001:db8:2::/64 2001:db8:2::/64 eq bgp
30 permit ipv6 any any
!
ip access-list acl-ipv4-permit-all-except-bgp
10 deny tcp 192.0.2.0/24 eq bgp 192.0.2.0/24
20 deny tcp 192.0.2.0/24 192.0.2.0/24 eq bgp
30 permit ip any any
!
interface Ethernet33
description IXP Participant Affected by Maintenance
ip access-group acl-ipv4-permit-all-except-bgp in
ipv6 access-group acl-ipv6-permit-all-except-bgp in
!
]]></artwork>
</figure>
</section>
<section title="Nokia SR OS Filter Example Configuration">
<figure>
<artwork><![CDATA[
ip-filter 10 create
filter-name "ACL IPv4 Permit All Except BGP"
default-action forward
entry 10 create
match protocol tcp
dst-ip 192.0.2.0/24
src-ip 192.0.2.0/24
port eq 179
exit
action
drop
exit
exit
exit
ipv6-filter 10 create
filter-name "ACL IPv6 Permit All Except BGP"
default-action forward
entry 10 create
match next-header tcp
dst-ip 2001:db8:2::/64
src-ip 2001:db8:2::/64
port eq 179
exit
action
drop
exit
exit
exit
interface "port-1/1/1"
description "IXP Participant Affected by Maintenance"
ingress
filter ip 10
filter ipv6 10
exit
exit
]]></artwork>
</figure>
</section>
</section>
</back>
</rfc>