| draft-ietf-ccamp-gr-description-04.txt | rfc5495.txt | |||
|---|---|---|---|---|
| Network Working Group Dan Li (Huawei) | ||||
| Internet Draft Jianhua Gao (Huawei) | ||||
| Arun Satyanarayana (Cisco) | ||||
| Snigdho C. Bardalai (Fujitsu) | ||||
| Intended Status: Informational | ||||
| Expires: July 21, 2009 January 21, 2009 | ||||
| Description of the RSVP-TE Graceful Restart Procedures | Network Working Group D. Li | |||
| Request for Comments: 5495 J. Gao | ||||
| draft-ietf-ccamp-gr-description-04.txt | Category: Informational Huawei | |||
| A. Satyanarayana | ||||
| Cisco | ||||
| S. Bardalai | ||||
| Fujitsu | ||||
| Description of the | ||||
| Resource Reservation Protocol - Traffic-Engineered (RSVP-TE) | ||||
| Graceful Restart Procedures | ||||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with | This memo provides information for the Internet community. It does | |||
| the provisions of BCP 78 and BCP 79. | not specify an Internet standard of any kind. Distribution of this | |||
| memo is unlimited. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Copyright Notice | |||
| Task Force (IETF), its areas, and its working groups. Note that | ||||
| other groups may also distribute working documents as Internet- | ||||
| Drafts. | ||||
| Internet-Drafts are draft documents valid for a maximum of six | Copyright (c) 2009 IETF Trust and the persons identified as the | |||
| months and may be updated, replaced, or obsoleted by other documents | document authors. All rights reserved. | |||
| at any time. It is inappropriate to use Internet-Drafts as reference | ||||
| material or to cite them other than as "work in progress." | ||||
| The list of current Internet-Drafts can be accessed at | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | Provisions Relating to IETF Documents in effect on the date of | |||
| publication of this document (http://trustee.ietf.org/license-info). | ||||
| Please review these documents carefully, as they describe your rights | ||||
| and restrictions with respect to this document. | ||||
| The list of Internet-Draft Shadow Directories can be accessed at | This document may contain material from IETF Documents or IETF | |||
| http://www.ietf.org/shadow.html. | Contributions published or made publicly available before November | |||
| 10, 2008. The person(s) controlling the copyright in some of this | ||||
| material may not have granted the IETF Trust the right to allow | ||||
| modifications of such material outside the IETF Standards Process. | ||||
| Without obtaining an adequate license from the person(s) controlling | ||||
| the copyright in such materials, this document may not be modified | ||||
| outside the IETF Standards Process, and derivative works of it may | ||||
| not be created outside the IETF Standards Process, except to format | ||||
| it for publication as an RFC or to translate it into languages other | ||||
| than English. | ||||
| Abstract | Abstract | |||
| The Hello message for the Resource Reservation Protocol (RSVP) has | The Hello message for the Resource Reservation Protocol (RSVP) has | |||
| been defined to establish and maintain basic signaling node | been defined to establish and maintain basic signaling node | |||
| adjacencies for Label Switching Routers (LSRs) participating in a | adjacencies for Label Switching Routers (LSRs) participating in a | |||
| Multiprotocol Label Switching (MPLS) traffic engineered (TE) | Multiprotocol Label Switching (MPLS) traffic-engineered (TE) network. | |||
| network. The Hello message has been extended for use in Generalized | The Hello message has been extended for use in Generalized MPLS | |||
| MPLS (GMPLS) network for state recovery of control channel or nodal | (GMPLS) networks for state recovery of control channel or nodal | |||
| faults. | faults. | |||
| GMPLS protocol definitions for RSVP also allow a restarting node to | The GMPLS protocol definitions for RSVP also allow a restarting node | |||
| learn the label that it previously allocated for use on a Label | to learn which label it previously allocated for use on a Label | |||
| Switching Path (LSP). | Switched Path (LSP). | |||
| Further RSVP protocol extensions have been defined to enable a | Further RSVP protocol extensions have been defined to enable a | |||
| restarting node to recover full control plane state by exchanging | restarting node to recover full control plane state by exchanging | |||
| RSVP messages with its upstream and downstream neighbors. | RSVP messages with its upstream and downstream neighbors. | |||
| This document provides an informational clarification of the | This document provides an informational clarification of the control | |||
| control plane procedures for a GMPLS network when there are | plane procedures for a GMPLS network when there are multiple node | |||
| multiple node failures, and describes how full control plane state | failures, and describes how full control plane state can be recovered | |||
| can be recovered in different scenarios where the order in which | in different scenarios where the order in which the nodes restart is | |||
| the nodes restart is different. | different. | |||
| This document does not define any new processes or procedures. All | This document does not define any new processes or procedures. All | |||
| protocol mechanisms are already defined in the referenced documents. | protocol mechanisms are already defined in the referenced documents. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction.................................................3 | 1. Introduction ....................................................3 | |||
| 2. Existing Procedures for Single Node Restart..................4 | 2. Existing Procedures for Single Node Restart .....................4 | |||
| 2.1. Procedures Defined in [RFC3473]............................4 | 2.1. Procedures Defined in RFC 3473 .............................4 | |||
| 2.2. Procedures Defined in [RFC5063]............................5 | 2.2. Procedures Defined in RFC 5063 .............................5 | |||
| 3. Multiple Node Restart Scenarios..............................5 | 3. Multiple Node Restart Scenarios .................................6 | |||
| 4. RSVP State...................................................7 | 4. RSVP State ......................................................7 | |||
| 5. Procedures for Multiple Node Restart.........................7 | 5. Procedures for Multiple Node Restart ............................7 | |||
| 5.1. Procedures for the Normal Node.............................7 | 5.1. Procedures for the Normal Node .............................8 | |||
| 5.2. Procedures for the Restarting Node.........................7 | 5.2. Procedures for the Restarting Node .........................8 | |||
| 5.2.1. Procedures for Scenario 1................................8 | 5.2.1. Procedures for Scenario 1 ...........................8 | |||
| 5.2.2. Procedures for Scenario 2................................9 | 5.2.2. Procedures for Scenario 2 ...........................9 | |||
| 5.2.3. Procedures for Scenario 3...............................10 | 5.2.3. Procedures for Scenario 3 ..........................11 | |||
| 5.2.4. Procedures for Scenario 4...............................11 | 5.2.4. Procedures for Scenario 4 ..........................12 | |||
| 5.2.5. Procedures for Scenario 5...............................12 | 5.2.5. Procedures for Scenario 5 ..........................12 | |||
| 5.3. Consideration of Re-Use of Data Plane Resources...........12 | 5.3. Consideration of the Reuse of Data Plane Resources ........12 | |||
| 5.4. Consideration of Management Plane Intervention............12 | 5.4. Consideration of Management Plane Intervention ............13 | |||
| 6. Clarification of Restarting Node Procedure..................13 | 6. Clarification of Restarting Node Procedure .....................13 | |||
| 7. Security Considerations.....................................14 | 7. Security Considerations ........................................15 | |||
| 8. IANA Considerations.........................................16 | 8. Acknowledgments ................................................16 | |||
| 9. Acknowledgments.............................................16 | 9. References .....................................................17 | |||
| 10. References.................................................16 | 9.1. Normative References ......................................17 | |||
| 10.1. Normative References.....................................16 | 9.2. Informative References ....................................17 | |||
| 10.2. Informative References...................................16 | ||||
| 11. Author's Addresses.........................................17 | ||||
| 12. Full Copyright Statement...................................18 | ||||
| 13. Intellectual Property Statement............................18 | ||||
| 1. Introduction | 1. Introduction | |||
| The Hello message for the Resource Reservation Protocol (RSVP) has | The Hello message for the Resource Reservation Protocol (RSVP) has | |||
| been defined to establish and maintain basic signaling node | been defined to establish and maintain basic signaling node | |||
| adjacencies for Label Switching Routers (LSRs) participating in a | adjacencies for Label Switching Routers (LSRs) participating in a | |||
| Multiprotocol Label Switching (MPLS) traffic engineered (TE) | Multiprotocol Label Switching (MPLS) traffic-engineered (TE) network | |||
| network [RFC3209]. The Hello message has been extended for use in | [RFC3209]. The Hello message has been extended for use in | |||
| Generalized MPLS (GMPLS) network for state recovery of control | Generalized MPLS (GMPLS) networks for state recovery of control | |||
| channel or nodal faults through the exchange of the Restart | channel or nodal faults through the exchange of the Restart_Cap | |||
| Capabilities object [RFC3473]. | Object [RFC3473]. | |||
| GMPLS protocol definitions for RSVP [RFC3473] also allow a | The GMPLS protocol definitions for RSVP [RFC3473] also allow a | |||
| restarting node to learn the label that it previously allocated for | restarting node to learn which label it previously allocated for use | |||
| use on a Label Switching Path (LSP) through the RECOVERY_LABEL | on a Label Switched Path (LSP) through the Recovery_Label Object | |||
| object carried on a Path message sent to a restarting node from its | carried on a Path message sent to a restarting node from its upstream | |||
| upstream neighbor. | neighbor. | |||
| Further RSVP protocol extensions have been defined [RFC5063] to | Further RSVP protocol extensions have been defined [RFC5063] to | |||
| perform graceful restart and to enable a restarting node to recover | perform graceful restart and to enable a restarting node to recover | |||
| full control plane state by exchanging RSVP messages with its | full control plane state by exchanging RSVP messages with its | |||
| upstream and downstream neighbors. State previously transmitted to | upstream and downstream neighbors. State previously transmitted to | |||
| the upstream neighbor (principally the downstream label) is | the upstream neighbor (principally, the downstream label) is | |||
| recovered from the upstream neighbor on a Path message (using the | recovered from the upstream neighbor on a Path message (using the | |||
| RECOVERY_LABEL object as described in [RFC3473]). State previously | Recovery_Label Object as described in [RFC3473]). State previously | |||
| transmitted to the downstream neighbor (including the upstream | transmitted to the downstream neighbor (including the upstream label, | |||
| label, interface identifiers, and the explicit route) is recovered | interface identifiers, and the explicit route) is recovered from the | |||
| from the downstream neighbor using a RecoveryPath message. | downstream neighbor using a RecoveryPath message. | |||
| [RFC5063] also extends the Hello message to exchange information | [RFC5063] also extends the Hello message to exchange information | |||
| about the ability to support the RecoveryPath message. | about the ability to support the RecoveryPath message. | |||
| The examples and procedures in [RFC3473] and [RFC5063] focus on the | The examples and procedures in [RFC3473] and [RFC5063] focus on the | |||
| description of a single node restart when adjacent network nodes | description of a single node restart when adjacent network nodes are | |||
| are operative. Although the procedures are equally applicable to | operative. Although the procedures are equally applicable to multi- | |||
| multi-node restarts, no detailed explanation is provided. | node restarts, no detailed explanation is provided for such a case. | |||
| This document provides an informational clarification of the | This document provides an informational clarification of the control | |||
| control plane procedures for a GMPLS network when there are | plane procedures for a GMPLS network when there are multiple node | |||
| multiple node failures, and describes how full control plane state | failures, and describes how full control plane state can be recovered | |||
| can be recovered in different scenarios where the order in which | in different scenarios where the order in which the nodes restart is | |||
| the nodes restart is different. | different. | |||
| This document does not define any new processes or procedures. All | This document does not define any new processes or procedures. All | |||
| protocol mechanisms already defined in [RFC3473] and [RFC5063] are | protocol mechanisms already defined in [RFC3473] and [RFC5063] are | |||
| definitive. | definitive. | |||
| 2. Existing Procedures for Single Node Restart | 2. Existing Procedures for Single Node Restart | |||
| This section documents for information the existing procedures | This section documents for information the existing procedures | |||
| defined in [RFC3473] and [RFC5063]. Those documents are definitive, | defined in [RFC3473] and [RFC5063]. Those documents are definitive, | |||
| and the description here is non-normative. It is provided for | and the description here is non-normative. It is provided for | |||
| informational clarification only. | informational clarification only. | |||
| 2.1. Procedures Defined in [RFC3473] | 2.1. Procedures Defined in RFC 3473 | |||
| In the case of nodal faults, the procedures for the restarting node | In the case of nodal faults, the procedures for the restarting node | |||
| and the procedures for the neighbor of a restarting node are | and the procedures for the neighbor of a restarting node are applied | |||
| applied to the corresponding nodes. These procedures described in | to the corresponding nodes. These procedures, described in | |||
| [RFC3473] are summarized as follows: | [RFC3473], are summarized as follows: | |||
| For the Restarting Node: | For the Restarting Node: | |||
| 1) Tells its neighbors that state recovery is supported using the | 1) Tells its neighbors that state recovery is supported using the | |||
| Hello message; | Hello message. | |||
| 2) Recover its RSVP state with the help of a Path message received | 2) Recovers its RSVP state with the help of a Path message, received | |||
| from its upstream neighbor carrying the RECOVERY_LABEL object; | from its upstream neighbor, that carries the Recovery_Label | |||
| Object. | ||||
| 3) For bidirectional LSPs, the UPSTREAM_LABEL object on the received | 3) For bidirectional LSPs, uses the Upstream_Label Object on the | |||
| Path message is used to recover the corresponding RSVP state; | received Path message to recover the corresponding RSVP state. | |||
| 4) If the corresponding forwarding state in the data plane does not | 4) If the corresponding forwarding state in the data plane does not | |||
| exist, the node treats this as a setup for a new LSP. If the | exist, the node treats this as a setup for a new LSP. If the | |||
| forwarding state in the data plane exists, the forwarding state is | forwarding state in the data plane does exist, the forwarding | |||
| bound to the LSP associated with the message, and related forwarding | state is bound to the LSP associated with the message, and the | |||
| state should be considered as valid and refreshed. In addition, if | related forwarding state should be considered as valid and | |||
| the node is not the tail-end of the LSP, the incoming label on the | refreshed. In addition, if the node is not the tail-end of the | |||
| downstream interface is retrieved from the forwarding state on the | LSP, the incoming label on the downstream interface is retrieved | |||
| restarting node and set in the UPSTREAM_LABEL object in the Path | from the forwarding state on the restarting node and set in the | |||
| message sent to the downstream neighbor. | Upstream_Label Object in the Path message sent to the downstream | |||
| neighbor. | ||||
| For the Neighbor of a restarting node: | For the Neighbor of a Restarting Node: | |||
| 1) Sends a Path message with RECOVERY_LABEL object containing a label | 1) Sends a Path message with the Recovery_Label Object containing a | |||
| value corresponding to the label value received in the most recently | label value corresponding to the label value received in the most | |||
| received corresponding Resv message; | recently received corresponding Resv message. | |||
| 2) Resumes refreshing Path state with the restarting node; | 2) Resumes refreshing Path state with the restarting node. | |||
| 3) Resumes refreshing Resv state with the restarting node. | 3) Resumes refreshing Resv state with the restarting node. | |||
| 2.2. Procedures Defined in [RFC5063] | 2.2. Procedures Defined in RFC 5063 | |||
| A new message is introduced in [RFC5063] called the RecoveryPath | A new message is introduced in [RFC5063] called the RecoveryPath | |||
| message. The message is sent by the downstream neighbor of a | message. This message is sent by the downstream neighbor of a | |||
| restarting node to convey the contents of the last received Path | restarting node to convey the contents of the last received Path | |||
| message back to the restarting node. | message back to the restarting node. | |||
| The restarting node will receive the Path message with the | The restarting node will receive the Path message with the | |||
| RECOVERY_LABEL object from its upstream neighbor, and/or the | Recovery_Label Object from its upstream neighbor and/or the | |||
| RecoveryPath message from its downstream neighbor. The full RSVP | RecoveryPath message from its downstream neighbor. The full RSVP | |||
| state of the restarting node can be recovered from these two | state of the restarting node can be recovered from these two | |||
| messages. | messages. | |||
| The following state can be recovered from the received Path message: | The following state can be recovered from the received Path message: | |||
| o Upstream data interface (from RSVP_HOP object) | o Upstream data interface (from RSVP_Hop Object) | |||
| o Label on the upstream data interface (from RECOVERY_LABEL object) | o Label on the upstream data interface (from Recovery_Label Object) | |||
| o Upstream label for bidirectional LSP (from UPSTREAM_LABEL object) | o Upstream label for bidirectional LSP (from Upstream_Label Object) | |||
| The following state can be recovered from the received RecoveryPath | The following state can be recovered from the received RecoveryPath | |||
| message: | message: | |||
| o Downstream data interface (from RSVP_HOP object) | o Downstream data interface (from RSVP_Hop Object) | |||
| o Label on the downstream data interface (from RECOVERY_LABEL object) | ||||
| o Upstream direction label for bidirectional LSP (from | o Label on the downstream data interface (from Recovery_Label Object) | |||
| UPSTREAM_LABEL object) | o Upstream direction label for bidirectional LSP (from Upstream_Label | |||
| Object) | ||||
| The other objects also can be recovered either from the regular | The other objects originally exchanged on Path and Resv messages can | |||
| Path and Resv messages, or from the RecoveryPath message. | be recovered from the regular Path and Resv refresh messages, or from | |||
| the RecoveryPath. | ||||
| 3. Multiple Node Restart Scenarios | 3. Multiple Node Restart Scenarios | |||
| We define the following terms for the different node types: | We define the following terms for the different node types: | |||
| Restarting - The node has restarted; communication with its | Restarting - The node has restarted. Communication with its neighbor | |||
| neighbor nodes is restored, its RSVP state is under recovery. | nodes is restored, and its RSVP state is under recovery. | |||
| Delayed Restarting - The node has restarted, but the communication | Delayed Restarting - The node has restarted, but the communication | |||
| with a neighbor node is interrupted (for example, the neighbor node | with a neighbor node is interrupted (for example, the neighbor | |||
| needs to restart). | node needs to restart). | |||
| Normal - The normal node is the fully operational neighbor of a | Normal - The normal node is the fully operational neighbor of a | |||
| restarting or delayed restarting node. | restarting or delayed restarting node. | |||
| There are five scenarios for multi-node restart. We will focus on | There are five scenarios for multi-node restart. We will focus on | |||
| the different positions of a restarting node. As shown in Figure 1, | the different positions of a restarting node. As shown in Figure 1, | |||
| an LSP starts from Node A, traverses Nodes B and C, and ends at | an LSP starts from Node A, traverses Nodes B and C, and ends at Node | |||
| Node D. | D. | |||
| +-----+ Path +-----+ Path +-----+ Path +-----+ | +-----+ Path +-----+ Path +-----+ Path +-----+ | |||
| | PSB |------->| PSB |------->| PSB |------->| PSB | | | PSB |------->| PSB |------->| PSB |------->| PSB | | |||
| | | | | | | | | | | | | | | | | | | |||
| | RSB |<-------| RSB |<-------| RSB |<-------| RSB | | | RSB |<-------| RSB |<-------| RSB |<-------| RSB | | |||
| +-----+ Resv +-----+ Resv +-----+ Resv +-----+ | +-----+ Resv +-----+ Resv +-----+ Resv +-----+ | |||
| Node A Node B Node C Node D | Node A Node B Node C Node D | |||
| Figure 1 Two neighbor nodes restart | ||||
| 1) A Restarting node with downstream Delayed Restarting node. For | Figure 1: Two Neighbor Nodes Restart | |||
| example, in Figure 1, Nodes A and D are Normal nodes, Node B is a | ||||
| Restarting node, and Node C is a Delayed Restarting node. | ||||
| 2) A Restarting node with upstream Delayed Restarting node. For | 1) A restarting node with downstream delayed restarting node. For | |||
| example, in Figure 1, Nodes A and D are Normal nodes, Node B is a | example, in Figure 1, Nodes A and D are normal nodes, Node B is a | |||
| Delayed Restarting node, and Node C is a Restarting node. | restarting node, and Node C is a delayed restarting node. | |||
| 3) A Restarting node with downstream and upstream Delayed Restarting | 2) A restarting node with upstream delayed restarting node. For | |||
| nodes. For example, in Figure 1, Node A is a Normal node, Nodes B and | example, in Figure 1, Nodes A and D are normal nodes, Node B is a | |||
| D are Delayed Restarting nodes, and Node C is a Restarting node. | delayed restarting node, and Node C is a restarting node. | |||
| 4) A Restarting Ingress node with downstream Delayed Restarting node. | 3) A restarting node with downstream and upstream delayed restarting | |||
| For example, in Figure 1, Node A is a Restarting node, and Node B is | nodes. For example, in Figure 1, Node A is a normal node, Nodes B | |||
| a Delayed Restarting node. Nodes C and D are Normal nodes. | and D are delayed restarting nodes, and Node C is a restarting | |||
| node. | ||||
| 5) A Restarting Egress node with upstream Delayed Restarting node. | 4) A restarting ingress node with downstream delayed restarting node. | |||
| For example, in Figure 1, Nodes A and B are Normal nodes, Node C is a | For example, in Figure 1, Node A is a restarting node and Node B | |||
| Delayed Restarting node, and Node D is a Restarting node. | is a delayed restarting node. Nodes C and D are normal nodes. | |||
| 5) A restarting egress node with upstream delayed restarting node. | ||||
| For example, in Figure 1, Nodes A and B are normal nodes, Node C | ||||
| is a delayed restarting node, and Node D is a restarting node. | ||||
| If the communication between two nodes is interrupted, the upstream | If the communication between two nodes is interrupted, the upstream | |||
| node may think the downstream node is a Delayed Restarting node, or | node may think the downstream node is a delayed restarting node, or | |||
| vice versa. | vice versa. | |||
| Note that if multiple nodes which are not neighbors are restarted, | Note that if multiple nodes that are not neighbors are restarted, the | |||
| the restart Procedures could be applied as multiple separated | restart procedures could be applied as multiple separated restart | |||
| restart procedures which are exactly the same as the procedures | procedures that are exactly the same as the procedures described in | |||
| described in [RFC3473] and [RFC5063]. Therefore, these scenarios | [RFC3473] and [RFC5063]. Therefore, these scenarios are not | |||
| are not described in this document. For example, in Figure 1, Node | described in this document. For example, in Figure 1, Node A and | |||
| A and Node C are normal nodes, and Node B and Node D are restarting | Node C are normal nodes, and Node B and Node D are restarting nodes; | |||
| nodes, so Node B could be restarted through Node A and Node C, | therefore, Node B could be restarted through Node A and Node C, while | |||
| meanwhile, Node D could be restarted through Node C separately. | Node D could be restarted through Node C separately. | |||
| 4. RSVP State | 4. RSVP State | |||
| For each scenario, the RSVP state needs to be recovered at the | For each scenario, the RSVP state that needs to be recovered at the | |||
| restarting nodes are Path State Block (PSB) and Resv State Block | restarting nodes are the Path State Block (PSB) and Resv State Block | |||
| (RSB), which are created when the node receives the corresponding | (RSB), which are created when the node receives the corresponding | |||
| Path message and Resv message. | Path message and Resv message. | |||
| According to [RFC2209], how to construct the PSB and RSB is really | According to [RFC2209], how to construct the PSB and RSB is really an | |||
| an implementation issue. In fact, there is no requirement to | implementation issue. In fact, there is no requirement to maintain | |||
| maintain separate PSB and RSB data structures. And in GMPLS, there | separate PSB and RSB data structures. In GMPLS, there is a much | |||
| is a much closer tie between Path and Resv state so it is possible | closer tie between Path and Resv state so it is possible to combine | |||
| to combine the information into a single state block (the LSP state | the information into a single state block (the LSP state block). On | |||
| block). On the other hand, if point to multi-point is supported, it | the other hand, if point-to-multipoint is supported, it may be | |||
| may be convenient to maintain separate upstream and downstream | convenient to maintain separate upstream and downstream state. Note | |||
| state. Note that the PSB and RSB are not upstream and downstream | that the PSB and RSB are not upstream and downstream state since the | |||
| state since the PSB is responsible for receiving a Path from | PSB is responsible for receiving a Path from upstream and sending a | |||
| upstream and sending a Path to downstream. | Path to downstream. | |||
| Regardless of how the RSVP state is implemented, on recovery there | Regardless of how the RSVP state is implemented, on recovery there | |||
| are two logical pieces of state to be recovered and these | are two logical pieces of state to be recovered and these correspond | |||
| correspond to the PSB and RSB. | to the PSB and RSB. | |||
| 5. Procedures for Multiple Node Restart | 5. Procedures for Multiple Node Restart | |||
| In this document, all the nodes are assumed to have the graceful | In this document, all the nodes are assumed to have the graceful | |||
| restart capabilities which are described in [RFC3473] and [RFC5063]. | restart capabilities that are described in [RFC3473] and [RFC5063]. | |||
| 5.1. Procedures for the Normal Node | 5.1. Procedures for the Normal Node | |||
| When the downstream Normal node detects its neighbor restarting, it | When the downstream normal node detects its neighbor restarting, it | |||
| must send a RecoveryPath message for each LSP associated with the | must send a RecoveryPath message for each LSP associated with the | |||
| restarting node for which it has previously sent a Resv message and | restarting node for which it has previously sent a Resv message and | |||
| which has not been torn down. | which has not been torn down. | |||
| When the upstream Normal node detects its neighbor restarting, it | When the upstream normal node detects its neighbor restarting, it | |||
| must send a Path message with RECOVERY_LABEL object containing a | must send a Path message with a Recovery_Label Object containing a | |||
| label value corresponding to the label value received in the most | label value corresponding to the label value received in the most | |||
| recently received corresponding Resv message. | recently received corresponding Resv message. | |||
| This document does not modify the procedures for the Normal node | This document does not modify the procedures for the normal node, | |||
| which are described in [RFC3473] and [RFC5063]. | which are described in [RFC3473] and [RFC5063]. | |||
| 5.2. Procedures for the Restarting Node | 5.2. Procedures for the Restarting Node | |||
| This document does not modify the procedures for the Restarting | This document does not modify the procedures for the restarting node, | |||
| node which are described in [RFC3473] and [RFC5063]. | which are described in [RFC3473] and [RFC5063]. | |||
| 5.2.1. Procedures for Scenario 1 | 5.2.1. Procedures for Scenario 1 | |||
| After the Restarting node restarts, it starts a Recovery Timer. Any | After the restarting node restarts, it starts a Recovery Timer. Any | |||
| RSVP state that has not been resynchronized when the Recovery Timer | RSVP state that has not been resynchronized when the Recovery Timer | |||
| expires, should be cleared. | expires should be cleared. | |||
| At the Restarting node (Node B in the example), full | At the restarting node (Node B in the example), full | |||
| resynchronization with the upstream neighbor (Node A) is possible | resynchronization with the upstream neighbor (Node A) is possible | |||
| because Node A is a Normal node. The upstream Path information is | because Node A is a normal node. The upstream Path information is | |||
| recovered from the Path message received from Node A. Node B also | recovered from the Path message received from Node A. Node B also | |||
| recovers the upstream Resv information (that it had previously sent | recovers the upstream Resv information (that it had previously sent | |||
| to Node A) from the RECOVERY_LABEL object carried in the Path | to Node A) from the Recovery_Label Object carried in the Path message | |||
| message received from Node A, but, obviously, some information | received from Node A, but, obviously, some information (like the | |||
| (like the Recorded Route Object) will be missing from the new Resv | Recorded_Route Object) will be missing from the new Resv message | |||
| message generated by Node B, and can not be supplied until the | generated by Node B and cannot be supplied until the downstream | |||
| downstream Delayed Restarting node (Node C) restarts and sends a | delayed restarting node (Node C) restarts and sends a Resv. | |||
| Resv. | ||||
| After the upstream Path information and upstream Resv information | After the upstream Path information and upstream Resv information | |||
| has been recovered by Node B, the normal refresh procedure with the | have been recovered by Node B, the normal refresh procedure with | |||
| upstream Node A should be started. | upstream Node A should be started. | |||
| As per [RFC5063], the Restarting node (Node B) would normally | As per [RFC5063], the restarting node (Node B) would normally expect | |||
| expect to receive a RecoveryPath message from its downstream | to receive a RecoveryPath message from its downstream neighbor (Node | |||
| neighbor (Node C). It would use this to recover the downstream Path | C). It would use this to recover the downstream Path information, | |||
| information, and would subsequently send a Path message to its | and would subsequently send a Path message to its downstream neighbor | |||
| downstream neighbor and receive a Resv message. But in this | and receive a Resv message. But in this scenario, because the | |||
| scenario, because the downstream neighbor has not restarted yet, | downstream neighbor has not restarted yet, Node B detects the | |||
| Node B detects the communication with Node C is interrupted and | communication with | |||
| must wait before resynchronizing with its downstream neighbor. | Node C is interrupted and must wait before resynchronizing with its | |||
| downstream neighbor. | ||||
| In this case, the Restarting node (Node B) follows the procedures | In this case, the restarting node (Node B) follows the procedures in | |||
| in section 9.3 of [RFC3473] and may run a Restart Timer to wait for | Section 9.3 of [RFC3473] and may run a Restart Timer to wait for the | |||
| the downstream neighbor (Node C) to restart. If its downstream | downstream neighbor (Node C) to restart. If its downstream neighbor | |||
| neighbor (Node C) has not restarted before the timer expires the | (Node C) has not restarted before the timer expires, the | |||
| corresponding LSPs may be torn down according to local policy | corresponding LSPs may be torn down according to local policy | |||
| [RFC3473]. Note, however, that the Restart Time value suggested in | [RFC3473]. Note, however, that the Restart Time value suggested in | |||
| [RFC3473] is based on the previous Hello message exchanged with the | [RFC3473] is based on the previous Hello message exchanged with the | |||
| node that has not restarted yet (Node C). Since this time value is | node that has not restarted yet (Node C). Since this time value is | |||
| unlikely to be available to the restarting node (Node B), a | unlikely to be available to the restarting node (Node B), a | |||
| configured time value must be used if the timer is operated. | configured time value must be used if the timer is operated. | |||
| The RSVP state must be reconciled with the retained data plane | The RSVP state must be reconciled with the retained data plane state | |||
| state if the cross-connect information can be retrieved from the | if the cross-connect information can be retrieved from the data | |||
| data plane. In the event of any mismatches, local policy will | plane. In the event of any mismatches, local policy will dictate the | |||
| dictate the action that must be taken which could include: | action that must be taken, which could include: | |||
| - reprogramming the data plane | - reprogramming the data plane | |||
| - sending an alert to the management plane | - sending an alert to the management plane | |||
| - tearing down the control plane state for the LSP. | - tearing down the control plane state for the LSP | |||
| In the case that the Delayed Restarting node never comes back, and | In the case that the delayed restarting node never comes back and a | |||
| where a Restart Timer is not used to automatically tear down LSPs, | Restart Timer is not used to automatically tear down LSPs, the LSPs | |||
| the LSPs can be tidied up through the control plane using a | can be tidied up through the control plane using a PathTear from the | |||
| PathTear from the upstream node (Node A). Note that if Node C | upstream node (Node A). Note that if Node C restarts after this | |||
| restarts after this operation, the RecoveryPath message that it | operation, the RecoveryPath message that it sends to Node B will not | |||
| sends to Node B will not be matched with any state on Node B and | be matched with any state on Node B and will receive a PathTear as | |||
| will receive a PathTear as its response resulting in the teardown | its response, resulting in the teardown of the LSP at all downstream | |||
| of the LSP at all downstream nodes. | nodes. | |||
| 5.2.2. Procedures for Scenario 2 | 5.2.2. Procedures for Scenario 2 | |||
| In this case, the Restarting node (Node C) can recover full | In this case, the restarting node (Node C) can recover full | |||
| downstream state from its downstream neighbor (Node D) which is a | downstream state from its downstream neighbor (Node D), which is a | |||
| Normal node. The downstream Path state can be recovered from the | normal node. The downstream Path state can be recovered from the | |||
| RecoveryPath message which is sent by Node D. This allows Node C to | RecoveryPath message, which is sent by Node D. This allows Node C to | |||
| send a Path refresh message to Node D, and Node D will respond with | send a Path refresh message to Node D, and Node D will respond with a | |||
| a Resv message from which Node C can reconstruct the downstream | Resv message from which Node C can reconstruct the downstream Resv | |||
| Resv state. | state. | |||
| After the downstream Path information and downstream Resv | After the downstream Path information and downstream Resv information | |||
| information has been recovered in Node C, the normal refresh | have been recovered in Node C, the normal refresh procedure with | |||
| procedure with downstream Node D should be started. | downstream Node D should be started. | |||
| The Restarting node would normally expect to resynchronize with its | The restarting node would normally expect to resynchronize with its | |||
| upstream neighbor to re-learn the upstream Path and Resv state, but | upstream neighbor to re-learn the upstream Path and Resv state, but | |||
| in this scenario, because the upstream neighbor (Node B) has not | in this scenario, because the upstream neighbor (Node B) has not | |||
| restarted yet, the Restarting node (Node C) detects that the | restarted yet, the restarting node (Node C) detects that the | |||
| communication with upstream neighbor (Node B) is interrupted. The | communication with upstream neighbor (Node B) is interrupted. The | |||
| Restarting node (Node C) follows the procedures in section 9.3 of | restarting node (Node C) follows the procedures in Section 9.3 of | |||
| [RFC3473] and may run a Restart Timer to wait the upstream neighbor | [RFC3473] and may run a Restart Timer to wait for the upstream | |||
| (Node B) to restart. If its upstream neighbor (Node B) has not | neighbor (Node B) to restart. If its upstream neighbor (Node B) has | |||
| restarted before the Restart Timer expires, the corresponding LSPs | not restarted before the Restart Timer expires, the corresponding | |||
| may be torn down according to local policy [RFC3473]. Note, however, | LSPs may be torn down according to local policy [RFC3473]. Note, | |||
| that the Restart Time value suggested in [RFC3473] is based on the | however, that the Restart Time value suggested in [RFC3473] is based | |||
| previous Hello message exchanged with the node that has not | on the previous Hello message exchanged with the node that has not | |||
| restarted yet (Node B). Since this time value is unlikely to be | restarted yet (Node B). Since this time value is unlikely to be | |||
| available to the restarting node (Node C), a configured time value | available to the restarting node (Node C), a configured time value | |||
| must be used if the timer is operated. | must be used if the timer is operated. | |||
| Note that no Resv message is sent to the upstream neighbor (Node B) | Note that no Resv message is sent to the upstream neighbor (Node B), | |||
| because it has not restarted. | because it has not restarted. | |||
| The RSVP state must be reconciled with the retained data plane | The RSVP state must be reconciled with the retained data plane state | |||
| state if the cross-connect information can be retrieved from the | if the cross-connect information can be retrieved from the data | |||
| data plane. | plane. | |||
| In the event of any mismatches, local policy will dictate the | In the event of any mismatches, local policy will dictate the action | |||
| action that must be taken which could include: | that must be taken, which could include: | |||
| - reprogramming the data plane | - reprogramming the data plane | |||
| - sending an alert to the management plane | - sending an alert to the management plane | |||
| - tearing down the control plane state for the LSP. | - tearing down the control plane state for the LSP | |||
| In the case that the Delayed Restarting node never comes back, and | In the case that the delayed restarting node never comes back and a | |||
| where a Restart Timer is not used to automatically tear down LSPs, | Restart Timer is not used to automatically tear down LSPs, the LSPs | |||
| the LSPs cannot be tidied up through the control plane using a | cannot be tidied up through the control plane using a PathTear from | |||
| PathTear from the upstream node (Node A), because there is no | the upstream node (Node A), because there is no control plane | |||
| control plane connectivity to Node C from the upstream direction. | connectivity to Node C from the upstream direction. There are two | |||
| There are two possibilities in [RFC3473]: | possibilities in [RFC3473]: | |||
| - Management action may be taken at the Restarting node to tear the | - Management action may be taken at the restarting node to tear the | |||
| LSP. This will result in the LSP being removed from Node C, and a | LSP. This will result in the LSP being removed from Node C and a | |||
| PathTear being sent downstream to Node D. | PathTear being sent downstream to Node D. | |||
| - Management action may be taken at any downstream node (for | - Management action may be taken at any downstream node (for example, | |||
| example, Node D) resulting in a PathErr message with the | Node D), resulting in a PathErr message with the Path_State_Removed | |||
| Path_State_Removed flag set being sent to Node C to tear the LSP | flag set being sent to Node C to tear the LSP state. | |||
| state. | ||||
| Note that if Node B restarts after this operation, the Path message | Note that if Node B restarts after this operation, the Path message | |||
| that it sends to Node C will not be matched with any state on Node | that it sends to Node C will not be matched with any state on Node C | |||
| C and will be treated as a new Path message resulting in LSP setup. | and will be treated as a new Path message, resulting in LSP setup. | |||
| Node C should use the labels carried in the Path message (in the | Node C should use the labels carried in the Path message (in the | |||
| UPSTREAM_LABEL object and in the RECOVERY_LABEL object) to drive | Upstream_Label Object and in the Recovery_Label Object) to drive its | |||
| its label allocation, but may use other labels according to normal | label allocation, but may use other labels according to normal LSP | |||
| LSP setup rules. | setup rules. | |||
| 5.2.3. Procedures for Scenario 3 | 5.2.3. Procedures for Scenario 3 | |||
| In this example, the Restarting node (Node C) is isolated. It's | In this example, the restarting node (Node C) is isolated. Its | |||
| upstream and downstream neighbors have not restarted. | upstream and downstream neighbors have not restarted. | |||
| The Restarting node (Node C) follows the procedures in section 9.3 | The restarting node (Node C) follows the procedures in Section 9.3 of | |||
| of [RFC3473] and may run a Restart Timer for each of its neighbors | [RFC3473] and may run a Restart Timer for each of its neighbors | |||
| (Nodes B and D). If a neighbor has not restarted before its Restart | (Nodes B and D). If a neighbor has not restarted before its Restart | |||
| Timer expires, the corresponding LSPs may be torn down according to | Timer expires, the corresponding LSPs may be torn down according to | |||
| local policy [RFC3473]. Note, however, that the Restart Time values | local policy [RFC3473]. Note, however, that the Restart Time values | |||
| suggested in [RFC3473] are based on the previous Hello message | suggested in [RFC3473] are based on the previous Hello message | |||
| exchanged with the nodes that have not restarted yet. Since these | exchanged with the nodes that have not restarted yet. Since these | |||
| time values are unlikely to be available to the restarting node | time values are unlikely to be available to the restarting node (Node | |||
| (Node C), a configured time value must be used if the timer is | C), a configured time value must be used if the timer is operated. | |||
| operated. | ||||
| During the Recovery Time, if the upstream Delayed Restarting node | During the Recovery Time, if the upstream delayed restarting node has | |||
| has restarted, the procedure for scenario 1 can be applied. | restarted, the procedure for scenario 1 can be applied. | |||
| During the Recovery Time, if the downstream Delayed Restarting node | During the Recovery Time, if the downstream delayed restarting node | |||
| has restarted, the procedure for scenario 2 can be applied. | has restarted, the procedure for scenario 2 can be applied. | |||
| In the case that neither Delayed Restarting node ever comes back, | In the case that neither delayed restarting node ever comes back and | |||
| and where a Restart Timer is not used to automatically tear down | a Restart Timer is not used to automatically tear down LSPs, | |||
| LSPs, management intervention is required to tidy up the control | management intervention is required to tidy up the control plane and | |||
| plane and the data plane on the node that is waiting for the failed | the data plane on the node that is waiting for the failed device to | |||
| device to restart. | restart. | |||
| If the downstream Delayed Restarting node restarts after the | If the downstream delayed restarting node restarts after the cleanup | |||
| cleanup of LSPs at Node C, the RecoveryPath message from Node D | of LSPs at Node C, the RecoveryPath message from Node D will be | |||
| will be responded with a PathTear message. If the upstream Delayed | responded to with a PathTear message. If the upstream delayed | |||
| Restarting node restarts after the cleanup of LSPs at Node C, the | restarting node restarts after the cleanup of LSPs at Node C, the | |||
| Path message from Node B will be treated as a new LSP setup request, | Path message from Node B will be treated as a new LSP setup request, | |||
| but the setup will fail because Node D cannot be reached - Node C | but the setup will fail because Node D cannot be reached; Node C will | |||
| will respond with a PathErr message. Since this happens to Node B | respond with a PathErr message. Since this happens to Node B during | |||
| during its restart processing, it should follow the rules of | its restart processing, it should follow the rules of [RFC5063] and | |||
| [RFC5063] and tear down the LSP. | tear down the LSP. | |||
| 5.2.4. Procedures for Scenario 4 | 5.2.4. Procedures for Scenario 4 | |||
| When the Ingress node (Node A) restarts, it does not know which | When the ingress node (Node A) restarts, it does not know which LSPs | |||
| LSPs it caused to be created. Usually, however, this information is | it caused to be created. Usually, however, this information is | |||
| retrieved from the management plane or from the configuration | retrieved from the management plane or from the configuration | |||
| requests stored in non-volatile form in the node in order to | requests stored in non-volatile form in the node in order to recover | |||
| recover the LSP state. | the LSP state. | |||
| Furthermore, if the downstream node (Node B) is a Normal node, | Furthermore, if the downstream node (Node B) is a normal node, | |||
| according to the procedures in [RFC5063], the ingress will receive | according to the procedures in [RFC5063], the ingress will receive a | |||
| a RecoveryPath message and will understand that it was the ingress | RecoveryPath message and will understand that it was the ingress of | |||
| of the LSP. | the LSP. | |||
| However, in this scenario, the downstream node is a Delayed | However, in this scenario, the downstream node is a delayed | |||
| Restarting node, so Node A must rely on the information from the | restarting node, so Node A must either rely on the information from | |||
| management plane or stored configuration, or it must wait for Node | the management plane or stored configuration, or it must wait for | |||
| B to restart. | Node B to restart. | |||
| In the event that Node B never restarts, management plane | In the event that Node B never restarts, management plane | |||
| intervention is needed at Node A to clean up any LSP control plane | intervention is needed at Node A to clean up any LSP control plane | |||
| state restored from the management plane or from local | state restored from the management plane or from local configuration, | |||
| configuration, and to release any data plane resources. | and to release any data plane resources. | |||
| 5.2.5. Procedures for Scenario 5 | 5.2.5. Procedures for Scenario 5 | |||
| In this scenario the Egress node (Node D) restarts, and its | In this scenario, the egress node (Node D) restarts, and its upstream | |||
| upstream neighbor (Node C) has not restarted. In this case, the | neighbor (Node C) has not restarted. In this case, the egress node | |||
| Egress node may have no control plane state relating to the LSPs. | may have no control plane state relating to the LSPs. It has no | |||
| It has no downstream neighbor to help it, and no management plane | downstream neighbor to help it and no management plane or | |||
| or configuration information, although there will be data plane | configuration information, although there will be data plane state | |||
| state for the LSP. The Egress node must simply wait until its | for the LSP. The egress node must simply wait until its upstream | |||
| upstream neighbor restarts and gives it the information as Path | neighbor restarts and gives it the information in Path messages | |||
| messages carrying RECOVERY_LABEL objects. | carrying Recovery_Label Objects. | |||
| 5.3. Consideration of Re-Use of Data Plane Resources | 5.3. Consideration of the Reuse of Data Plane Resources | |||
| Fundamental to the processes described above is an understanding | Fundamental to the processes described above is an understanding that | |||
| that data plane resources may remain in use (allocated and cross- | data plane resources may remain in use (allocated and cross- | |||
| connected) when control plane state has not been fully | connected) when control plane state has not been fully resynchronized | |||
| resynchronized because some control plane nodes have not restarted. | because some control plane nodes have not restarted. | |||
| It is assumed that these data plane resources might be carrying | It is assumed that these data plane resources might be carrying | |||
| traffic and should not be reconfigured except through application | traffic and should not be reconfigured except through application of | |||
| of operator-configured policy, or as a direct result of operator | operator-configured policy, or as a direct result of operator action. | |||
| action. | ||||
| In particular, new LSP setup requests from the control plane or the | In particular, new LSP setup requests from the control plane or the | |||
| management plane should not be allowed to use data plane resources | management plane should not be allowed to use data plane resources | |||
| that are still in use. Specific action must first be taken to | that are still in use. Specific action must first be taken to | |||
| release the resources. | release the resources. | |||
| 5.4. Consideration of Management Plane Intervention | 5.4. Consideration of Management Plane Intervention | |||
| The management plane must always retain the ability to control data | The management plane must always retain the ability to control data | |||
| plane resources and to over-ride the control plane. In this context, | plane resources and to override the control plane. In this context, | |||
| the management plane must always be able to release data plane | the management plane must always be able to release data plane | |||
| resources that were previously in place for use by control-plane | resources that were previously in place for use by control-plane- | |||
| established LSPs. Further, the management plane must always be able | established LSPs. Further, the management plane must always be able | |||
| to instruct any control plane node to tear down any LSP. | to instruct any control plane node to tear down any LSP. | |||
| Operators should be aware of the risks of misconnection that could | Operators should be aware of the risks of misconnection that could be | |||
| be caused by careless manipulation from the management plane of in- | caused by careless manipulation from the management plane of in-use | |||
| use data plane resources. | data plane resources. | |||
| 6. Clarification of Restarting Node Procedure | 6. Clarification of Restarting Node Procedure | |||
| According to the current graceful restart procedure [RFC3473], | According to the current graceful restart procedure [RFC3473], after | |||
| after a node restarts its control plane, it needs its upstream node | a node restarts its control plane, it needs its upstream node to send | |||
| to send PATH message with recovery label to synchronize its RSVP | a PATH message with a recovery label in order to synchronize its RSVP | |||
| state. If the restarted control plane becomes operational quickly, | state. If the restarted control plane becomes operational quickly, | |||
| the upstream node may not detect the restarting of downstream node | the upstream node may not detect the restarting of the downstream | |||
| and therefore, may send a PATH message without recovery label | node and, therefore, may send a PATH message without a recovery | |||
| causing errors and unwanted connection deletion. | label, causing errors and unwanted connection deletion. | |||
| N1 N2 | N1 N2 | |||
| | | | | | | |||
| | X (Restart start) | | X (Restart start) | |||
| | HELLO | | | HELLO | | |||
| |--------------->| | |--------------->| | |||
| | | | | | | |||
| | SRefresh | | | SRefresh | | |||
| |--------------->| | |--------------->| | |||
| | | | | | | |||
| skipping to change at page 13, line 43 | skipping to change at page 14, line 33 | |||
| | recovery label | | | recovery label | | |||
| |--------------->| | |--------------->| | |||
| | X (resource allocation failed because the | | X (resource allocation failed because the | |||
| | | resources are in use) | | | resources are in use) | |||
| | PathErr | | | PathErr | | |||
| |<---------------| | |<---------------| | |||
| | PathTear | | | PathTear | | |||
| |--------------->| | |--------------->| | |||
| X(LSP deletion) X (LSP deletion) | X(LSP deletion) X (LSP deletion) | |||
| | | | | | | |||
| Figure 2 Message flow for accidental LSP deletion | ||||
| The sequence diagram above depicts one scenario where the LSP may | Figure 2: Message Flow for Accidental LSP Deletion | |||
| get deleted. | ||||
| In this sequence N1 did not detect Hello failure and continues | The sequence diagram above depicts one scenario where the LSP may get | |||
| sending SRefreshes which may get NACK'ed by N2 once restart | deleted. | |||
| In this sequence, N1 does not detect Hello failure and continues | ||||
| sending SRefreshes, which may get NACK'ed by N2 once restart | ||||
| completes because there is no Path state corresponding to the | completes because there is no Path state corresponding to the | |||
| SRefresh message. This NACK causes a Path refresh message to be | SRefresh message. This NACK causes a Path refresh message to be | |||
| generated but there is no RECOVERY_LABEL because N1 did not yet | generated, but there is no Recovery_Label because N1 does not yet | |||
| detect that N2 has restarted as Hello exchanges have not yet | detect that N2 has restarted, as Hello exchanges have not yet | |||
| started. The Path message is treated as "new" and fails to allocate | started. The Path message is treated as "new" and fails to allocate | |||
| the resources because they are still in use. This causes a PathErr | the resources because they are still in use. This causes a PathErr | |||
| message to be generated which may lead to the tear down of the LSP. | message to be generated, which may lead to the teardown of the LSP. | |||
| To resolve the aforementioned problem, the following procedures | To resolve the aforementioned problem, the following procedures, | |||
| which are implicit in [RFC3473] and [RFC5063] should be followed. | which are implicit in [RFC3473] and [RFC5063], should be followed. | |||
| These procedures work together with the recovery procedures | These procedures work together with the recovery procedures | |||
| documented in [RFC3473]. Here, it is assumed that the restarting | documented in [RFC3473]. Here, it is assumed that the restarting | |||
| node and the neighboring node(s) support Hello extension as | node and the neighboring node(s) support the Hello extension as | |||
| documented in [RFC3209] and recovery procedures documented in | documented in [RFC3209] as well as the recovery procedures documented | |||
| [RFC3473]. | in [RFC3473]. | |||
| After a node restarts its control plane, it should ignore and | After a node restarts its control plane, it should ignore and | |||
| silently drop all RSVP-TE messages, except Hello messages, it | silently drop all RSVP-TE messages (except Hello messages) it | |||
| receives from any neighbor to which, no HELLO session has been | receives from any neighbor to which no HELLO session has been | |||
| established. | established. | |||
| The restarting node should follow [RFC3209] to establish Hello | The restarting node should follow [RFC3209] to establish Hello | |||
| sessions with its neighbors, after its control plane becomes | sessions with its neighbors, after its control plane becomes | |||
| operational. | operational. | |||
| The restarting node resumes processing of RSVP-TE messages sent | The restarting node resumes processing of RSVP-TE messages sent from | |||
| from each neighbor to which the Hello session has been established. | each neighbor to which the Hello session has been established. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| This document clarifies the procedures defined in [RFC3473] and | This document clarifies the procedures defined in [RFC3473] and | |||
| [RFC5063] to be performed on RSVP agents that neighbor one or more | [RFC5063] to be performed on RSVP agents that neighbor one or more | |||
| restarting RSVP agents. It does not introduce any new procedures | restarting RSVP agents. It does not introduce any new procedures | |||
| and, therefore, does not introduce any new security risks or issues. | and, therefore, does not introduce any new security risks or issues. | |||
| In the case of the control plane in general, and the RSVP agent in | In the case of the control plane in general, and the RSVP agent in | |||
| particular, where one or more nodes carrying one or more LSPs are | particular, where one or more nodes carrying one or more LSPs are | |||
| restarted due to external attacks, the procedures defined in | restarted due to external attacks, the procedures defined in | |||
| [RFC5063] and described in this document provide the ability for | [RFC5063] and described in this document provide the ability for the | |||
| the restarting RSVP agents to recover the RSVP state in each | restarting RSVP agents to recover the RSVP state in each restarting | |||
| restarting node corresponding to the LSPs, with the least possible | node corresponding to the LSPs, with the least possible perturbation | |||
| perturbation to the rest of the network. These procedures can be | to the rest of the network. These procedures can be considered to | |||
| considered to provide mechanisms by which the GMPLS network can | provide mechanisms by which the GMPLS network can recover from | |||
| recover from physical attacks or from attacks on remotely | physical attacks or from attacks on remotely controlled power | |||
| controlled power supplies. | supplies. | |||
| The procedures described are such that, only the neighboring RSVP | The procedures described are such that only the neighboring RSVP | |||
| agents should notice the restart of a node, and hence only they | agents should notice the restart of a node, and hence only they need | |||
| need to perform additional processing. This allows for a network | to perform additional processing. This allows for a network with | |||
| with active LSPs to recover LSP state gracefully from an external | active LSPs to recover LSP state gracefully from an external attack, | |||
| attack, without perturbing the data/forwarding plane state, and | without perturbing the data/forwarding plane state and without | |||
| without propagating the error condition in the control or data | propagating the error condition in the control or data plane. In | |||
| plane. In other words, the effect of the restart (which might be | other words, the effect of the restart (which might be the result of | |||
| the result of an attack) does not spread into the network. | an attack) does not spread into the network. | |||
| Note that concern has been expressed about the vulnerability of a | Note that concern has been expressed about the vulnerability of a | |||
| restarting node to false messages received from its neighbors. For | restarting node to false messages received from its neighbors. For | |||
| example, a restarting node might receive a false Path message with | example, a restarting node might receive a false Path message with a | |||
| a Recovery Label object from an upstream neighbor, or a false | Recovery_Label Object from an upstream neighbor, or a false | |||
| RecoveryPath message from its downstream neighbor. This situation | RecoveryPath message from its downstream neighbor. This situation | |||
| might arise in one of four cases: | might arise in one of four cases: | |||
| - The message is spoofed and does not come from the neighbor at all. | - The message is spoofed and does not come from the neighbor at all. | |||
| - The message has been modified as it was traveling from the | - The message has been modified as it was traveling from the | |||
| neighbor. | neighbor. | |||
| - The neighbor is defective and has generated a message in error. | - The neighbor is defective and has generated a message in error. | |||
| - The neighbor has been subverted and has a "rogue" RSVP agent. | - The neighbor has been subverted and has a "rogue" RSVP agent. | |||
| The first two cases may be handled using standard RSVP | The first two cases may be handled using standard RSVP authentication | |||
| authentication and integrity procedures [RFC3209], [RFC3473]. If | and integrity procedures [RFC3209], [RFC3473]. If the operator is | |||
| the operator is particularly worried, the control plane may be | particularly worried, the control plane may be operated using IPsec | |||
| operated using IPsec [RFC4301], [RFC4302], [RFC4835], [RFC4306], | [RFC4301], [RFC4302], [RFC4835], [RFC4306], and [RFC2411]. | |||
| and [RFC2411]. | ||||
| Protection against defective or rogue RSVP implementations is | Protection against defective or rogue RSVP implementations is | |||
| generally hard to impossible. Neighbor-to-neighbor authentication | generally hard-to-impossible. Neighbor-to-neighbor authentication | |||
| and integrity validation is, by definition, ineffective in these | and integrity validation is, by definition, ineffective in these | |||
| situations. For example, if a neighbor node sends a Resv during | situations. For example, if a neighbor node sends a Resv during | |||
| normal LSP setup, and if that message carries a GENERALIZED_LABEL | normal LSP setup, and if that message carries a Generalized_Label | |||
| object carrying an incorrect label value, then the receiving LSR | Object carrying an incorrect label value, then the receiving LSR will | |||
| will use the supplied value and the LSP will be set up incorrectly. | use the supplied value and the LSP will be set up incorrectly. | |||
| Alternatively, if a Path message is modified by an upstream LSR to | Alternatively, if a Path message is modified by an upstream LSR to | |||
| change the destination and explicit route, there is no way for the | change the destination and explicit route, there is no way for the | |||
| downstream LSR to detect this, and the LSP may be set up to the | downstream LSR to detect this, and the LSP may be set up to the wrong | |||
| wrong destination. Furthermore, the upstream LSR could disguise | destination. Furthermore, the upstream LSR could disguise this fact | |||
| this fact by modifying the recorded route reported in the Resv | by modifying the recorded route reported in the Resv message. Thus, | |||
| message. Thus, these issues are in no way specific to the restart | these issues are in no way specific to the restart case, do not cause | |||
| case, do not cause any greater or different problems from the | any greater or different problems from the normal case, and do not | |||
| normal case, and do not warrant specific security measure | warrant specific security measures applicable to restart scenarios. | |||
| applicable to restart scenarios. | ||||
| Note that the RSVP POLICY_DATA object [RFC2205] provides a scope by | Note that the RSVP Policy_Data Object [RFC2205] provides a scope by | |||
| which secure end-to-end checks could be applied. However, very | which secure end-to-end checks could be applied. However, very | |||
| little definition of the use of this object has been made to date. | little definition of the use of this object has been made to date. | |||
| See [MPLS-SEC] for a wider discussion of security in MPLS and GMPLS | See [MPLS-SEC] for a wider discussion of security in MPLS and GMPLS | |||
| networks. | networks. | |||
| 8. IANA Considerations | 8. Acknowledgments | |||
| This document defines no new protocols or extensions and makes no | ||||
| requests to IANA for registry management. | ||||
| 9. Acknowledgments | ||||
| We would like to thank Adrian Farrel, Dimitri Papadimitriou, and | We would like to thank Adrian Farrel, Dimitri Papadimitriou, and Lou | |||
| Lou Berger for their useful comments. | Berger for their useful comments. | |||
| 10. References | 9. References | |||
| 10.1. Normative References | 9.1. Normative References | |||
| [RFC2209] R. Braden, L. Zhang, "Resource ReSerVation Protocol (RSVP) | [RFC2209] Braden, R. and L. Zhang, "Resource ReSerVation Protocol | |||
| -- Version 1 Message Processing Rules", RFC 2209, September | (RSVP) -- Version 1 Message Processing Rules", RFC 2209, | |||
| 1997. | September 1997. | |||
| [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., | [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., | |||
| and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP | and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP | |||
| Tunnels", RFC 3209, December 2001. | Tunnels", RFC 3209, December 2001. | |||
| [RFC3473] Berger, L., "Generalized Multi-Protocol Label Switching | [RFC3473] Berger, L., Ed., "Generalized Multi-Protocol Label | |||
| (GMPLS) Signaling Resource ReserVation Protocol-Traffic | Switching (GMPLS) Signaling Resource ReserVation | |||
| Engineering (RSVP-TE) Extensions", RFC 3473, January 2003. | Protocol-Traffic Engineering (RSVP-TE) Extensions", RFC | |||
| 3473, January 2003. | ||||
| [RFC5063] A. Satyanarayana, R. Rahman, "Extensions to GMPLS RSVP | [RFC5063] Satyanarayana, A., Ed., and R. Rahman, Ed., "Extensions to | |||
| Graceful Restart", RFC 5063, September 2007. | GMPLS Resource Reservation Protocol (RSVP) Graceful | |||
| Restart", RFC 5063, October 2007. | ||||
| 10.2. Informative References | 9.2. Informative References | |||
| [MPLS-SEC] Fang, L., "Security Framework for MPLS and GMPLS Networks", | [MPLS-SEC] Fang, L., "Security Framework for MPLS and GMPLS | |||
| draft-ietf-mpls-mpls-and-gmpls-security-framework, work in | Networks", Work in Progress, November 2008. | |||
| progress. | ||||
| [RFC2205] Braden, R. (Ed.), Zhang, L., Berson, S., Herzog, S. and S. | [RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S. | |||
| Jamin, "Resource ReserVation Protocol -- Version 1 | Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 | |||
| Functional Specification", RFC 2205, September 1997. | Functional Specification", RFC 2205, September 1997. | |||
| [RFC2411] R. Thayer, N. Doraswamy, R. Glenn, "IP Security Document | [RFC2411] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security | |||
| Roadmap", RFC 2411, November 1998. | Document Roadmap", RFC 2411, November 1998. | |||
| [RFC4301] S. Kent, K. Seo, "Security Architecture for the Internet | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Protocol", RFC 4301, December 2005. | Internet Protocol", RFC 4301, December 2005. | |||
| [RFC4302] S. Kent, "IP Authentication Header", RFC 4302, December | [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December | |||
| 2005. | 2005. | |||
| [RFC4306] C. Kaufman, "Internet Key Exchange (IKEv2) Protocol", RFC | [RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) | |||
| 4306, December 2005. | Protocol", RFC 4306, December 2005. | |||
| [RFC4835] V. Manral, "Cryptographic Algorithm Implementation | [RFC4835] Manral, V., "Cryptographic Algorithm Implementation | |||
| Requirements for Encapsulating Security Payload (ESP) and | Requirements for Encapsulating Security Payload (ESP) and | |||
| Authentication Header (AH)", RFC 4835, April 2007. | Authentication Header (AH)", RFC 4835, April 2007. | |||
| 11. Authors' Addresses | Authors' Addresses | |||
| Dan Li | Dan Li | |||
| Huawei Technologies | Huawei Technologies | |||
| F3-5-B R&D Center, Huawei Base, | F3-5-B R&D Center, Huawei Base, | |||
| Shenzhen 518129, China | Shenzhen 518129, China | |||
| Phone: +86 755 28970230 | Phone: +86 755 28970230 | |||
| Email: danli@huawei.com | EMail: danli@huawei.com | |||
| Jianhua Gao | Jianhua Gao | |||
| Huawei Technologies | Huawei Technologies | |||
| F3-5-B R&D Center, Huawei Base, | F3-5-B R&D Center, Huawei Base, | |||
| Shenzhen 518129, China | Shenzhen 518129, China | |||
| Phone: +86 755 28972902 | Phone: +86 755 28972902 | |||
| Email: gjhhit@huawei.com | EMail: gjhhit@huawei.com | |||
| Arun Satyanarayana | Arun Satyanarayana | |||
| Cisco Systems | Cisco Systems | |||
| 170 West Tasman Dr | 170 West Tasman Dr | |||
| San Jose, CA 95134, USA | San Jose, CA 95134, USA | |||
| Phone: +1 408 853-3206 | Phone: +1 408 853-3206 | |||
| Email: asatyana@cisco.com | EMail: asatyana@cisco.com | |||
| Snigdho C. Bardalai | Snigdho C. Bardalai | |||
| Fujitsu Network Communications | Fujitsu Network Communications | |||
| 2801 Telecom Parkway | 2801 Telecom Parkway | |||
| Richardson, Texas 75082, USA | Richardson, Texas 75082, USA | |||
| Phone: +1 972 479 2951 | Phone: +1 972 479 2951 | |||
| Email: snigdho.bardalai@us.fujitsu.com | EMail: snigdho.bardalai@us.fujitsu.com | |||
| 12. Full Copyright Statement | ||||
| Copyright (c) 2009 IETF Trust and the persons identified as the | ||||
| document authors. All rights reserved. | ||||
| This document is subject to BCP 78 and the IETF Trust's Legal | ||||
| Provisions Relating to IETF Documents | ||||
| (http://trustee.ietf.org/license-info) in effect on the date of | ||||
| publication of this document. Please review these documents | ||||
| carefully, as they describe your rights and restrictions with respect | ||||
| to this document. | ||||
| All IETF Documents and the information contained therein are provided | ||||
| on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE | ||||
| REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE | ||||
| IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL | ||||
| WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY | ||||
| WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE | ||||
| ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS | ||||
| FOR A PARTICULAR PURPOSE. | ||||
| 13. Intellectual Property Statement | ||||
| The IETF Trust takes no position regarding the validity or scope of | ||||
| any Intellectual Property Rights or other rights that might be | ||||
| claimed to pertain to the implementation or use of the technology | ||||
| described in any IETF Document or the extent to which any license | ||||
| under such rights might or might not be available; nor does it | ||||
| represent that it has made any independent effort to identify any | ||||
| such rights. | ||||
| Copies of Intellectual Property disclosures made to the IETF | ||||
| Secretariat and any assurances of licenses to be made available, or | ||||
| the result of an attempt made to obtain a general license or | ||||
| permission for the use of such proprietary rights by implementers or | ||||
| users of this specification can be obtained from the IETF on-line IPR | ||||
| repository at http://www.ietf.org/ipr | ||||
| The IETF invites any interested party to bring to its attention any | ||||
| copyrights, patents or patent applications, or other proprietary | ||||
| rights that may cover technology that may be required to implement | ||||
| any standard or specification contained in an IETF Document. Please | ||||
| address the information to the IETF at ietf-ipr@ietf.org. | ||||
| The definitive version of an IETF Document is that published by, or | ||||
| under the auspices of, the IETF. Versions of IETF Documents that are | ||||
| published by third parties, including those that are translated into | ||||
| other languages, should not be considered to be definitive versions | ||||
| of IETF Documents. The definitive version of these Legal Provisions | ||||
| is that published by, or under the auspices of, the IETF. Versions of | ||||
| these Legal Provisions that are published by third parties, including | ||||
| those that are translated into other languages, should not be | ||||
| considered to be definitive versions of these Legal Provisions. | ||||
| For the avoidance of doubt, each Contributor to the IETF Standards | ||||
| Process licenses each Contribution that he or she makes as part of | ||||
| the IETF Standards Process to the IETF Trust pursuant to the | ||||
| provisions of RFC 5378. No language to the contrary, or terms, | ||||
| conditions or rights that differ from or are inconsistent with the | ||||
| rights and licenses granted under RFC 5378, shall have any effect and | ||||
| shall be null and void, whether published or posted by such | ||||
| Contributor, or included with or in such Contribution. | ||||
| End of changes. 139 change blocks. | ||||
| 400 lines changed or deleted | 401 lines changed or added | |||
This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||