Internet Engineering Task Force (IETF) C. Pignataro Request for Comments: 7880 D. Ward Updates: 5880 Cisco Category: Standards Track N. Akiya ISSN: 2070-1721 Big Switch Networks M. Bhatia Ionos Networks S. Pallagatti July 2016
Internet Engineering Task Force (IETF) C. Pignataro Request for Comments: 7880 D. Ward Updates: 5880 Cisco Category: Standards Track N. Akiya ISSN: 2070-1721 Big Switch Networks M. Bhatia Ionos Networks S. Pallagatti July 2016
Seamless Bidirectional Forwarding Detection (S-BFD)
无缝双向转发检测(S-BFD)
Abstract
摘要
This document defines Seamless Bidirectional Forwarding Detection (S-BFD), a simplified mechanism for using BFD with a large proportion of negotiation aspects eliminated, thus providing benefits such as quick provisioning, as well as improved control and flexibility for network nodes initiating path monitoring.
本文档定义了无缝双向转发检测(S-BFD),这是一种简化的BFD使用机制,消除了大部分协商方面,从而提供了快速资源调配等好处,以及改进了网络节点启动路径监控的控制和灵活性。
This document updates RFC 5880.
本文档更新了RFC 5880。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7880.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7880.
Copyright Notice
版权公告
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2016 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................4 2. Terminology .....................................................4 3. Seamless BFD Overview ...........................................6 4. S-BFD Discriminators ............................................7 4.1. S-BFD Discriminator Uniqueness .............................7 4.2. Discriminator Pools ........................................7 5. Reflector BFD Session ...........................................8 6. State Variables .................................................9 6.1. New State Variables ........................................9 6.2. State Variable Initialization and Maintenance ..............9 7. S-BFD Procedures ...............................................10 7.1. Demultiplexing of S-BFD Control Packet ....................10 7.2. Responder Procedures ......................................11 7.2.1. Responder Demultiplexing ...........................11 7.2.2. Transmission of S-BFD Control Packet by SBFDReflector ......................................11 7.2.3. Additional SBFDReflector Behaviors .................12 7.3. Initiator Procedures ......................................13 7.3.1. SBFDInitiator State Machine ........................14 7.3.2. Transmission of S-BFD Control Packet by SBFDInitiator ......................................15 7.3.3. Additional SBFDInitiator Behaviors .................15 7.4. Diagnostic Values .........................................16 7.5. The Poll Sequence .........................................16 8. Operational Considerations .....................................16 8.1. Scaling Aspect ............................................17 8.2. Congestion Considerations .................................17 9. Co-existence with Classical BFD Sessions .......................17 10. S-BFD Echo Function ...........................................18 11. Security Considerations .......................................19 12. References ....................................................20 12.1. Normative References .....................................20 12.2. Informative References ...................................20 Appendix A. Loop Problem and Solution .............................22 Acknowledgements ..................................................23 Contributors ......................................................23 Authors' Addresses ................................................24
1. Introduction ....................................................4 2. Terminology .....................................................4 3. Seamless BFD Overview ...........................................6 4. S-BFD Discriminators ............................................7 4.1. S-BFD Discriminator Uniqueness .............................7 4.2. Discriminator Pools ........................................7 5. Reflector BFD Session ...........................................8 6. State Variables .................................................9 6.1. New State Variables ........................................9 6.2. State Variable Initialization and Maintenance ..............9 7. S-BFD Procedures ...............................................10 7.1. Demultiplexing of S-BFD Control Packet ....................10 7.2. Responder Procedures ......................................11 7.2.1. Responder Demultiplexing ...........................11 7.2.2. Transmission of S-BFD Control Packet by SBFDReflector ......................................11 7.2.3. Additional SBFDReflector Behaviors .................12 7.3. Initiator Procedures ......................................13 7.3.1. SBFDInitiator State Machine ........................14 7.3.2. Transmission of S-BFD Control Packet by SBFDInitiator ......................................15 7.3.3. Additional SBFDInitiator Behaviors .................15 7.4. Diagnostic Values .........................................16 7.5. The Poll Sequence .........................................16 8. Operational Considerations .....................................16 8.1. Scaling Aspect ............................................17 8.2. Congestion Considerations .................................17 9. Co-existence with Classical BFD Sessions .......................17 10. S-BFD Echo Function ...........................................18 11. Security Considerations .......................................19 12. References ....................................................20 12.1. Normative References .....................................20 12.2. Informative References ...................................20 Appendix A. Loop Problem and Solution .............................22 Acknowledgements ..................................................23 Contributors ......................................................23 Authors' Addresses ................................................24
Bidirectional Forwarding Detection (BFD), as described in [RFC5880] and related documents, has efficiently generalized the failure detection mechanism for multiple protocols and applications. There are some improvements that can be made to better fit existing technologies. There is a possibility of evolving BFD to better fit new technologies. This document focuses on several aspects of BFD in order to further improve efficiency, expand failure detection coverage, and allow BFD usage for wider scenarios. Additional use cases are listed in [RFC7882].
如[RFC5880]和相关文件所述,双向转发检测(BFD)有效地推广了多种协议和应用的故障检测机制。为了更好地适应现有技术,可以进行一些改进。有可能改进BFD以更好地适应新技术。本文档重点介绍BFD的几个方面,以进一步提高效率,扩大故障检测范围,并允许在更广泛的场景中使用BFD。[RFC7882]中列出了其他用例。
Specifically, this document defines Seamless Bidirectional Forwarding Detection (S-BFD), a simplified mechanism for using BFD with a large proportion of negotiation aspects eliminated, thus providing benefits such as quick provisioning, as well as improved control and flexibility for network nodes initiating path monitoring. S-BFD enables cases benefiting from the use of core BFD technologies in a fashion that leverages existing implementations and protocol machinery while providing a rather simplified and largely stateless infrastructure for continuity testing.
具体而言,本文档定义了无缝双向转发检测(S-BFD),这是一种简化的BFD使用机制,消除了大部分协商方面,从而提供了快速资源调配等优点,以及改进了网络节点启动路径监控的控制和灵活性。S-BFD使案例能够以一种利用现有实现和协议机制的方式受益于核心BFD技术的使用,同时为连续性测试提供了一个相当简化且基本上无状态的基础架构。
One key aspect of the mechanism described in this document eliminates the time between a network node wanting to perform a continuity test and completing the continuity test. In traditional BFD terms, the initial state changes from DOWN to UP are virtually nonexistent. Removal of this "seam" (i.e., time delay) in BFD provides a smooth and continuous operational experience for applications. Therefore, "Seamless BFD" (S-BFD) has been chosen as the name for this mechanism.
本文档中描述的机制的一个关键方面消除了网络节点想要执行连续性测试和完成连续性测试之间的时间。在传统的BFD术语中,从下到上的初始状态变化实际上是不存在的。BFD中“接缝”(即时间延迟)的移除为应用程序提供了平稳和连续的操作体验。因此,选择“无缝BFD”(S-BFD)作为该机制的名称。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。
The reader is expected to be familiar with the BFD [RFC5880], IP [RFC791] [RFC2460], and MPLS [RFC3031] terms and protocol constructs. The remainder of this section describes several new terms introduced by S-BFD.
读者应熟悉BFD[RFC5880]、IP[RFC791][RFC2460]和MPLS[RFC3031]术语和协议结构。本节剩余部分介绍了S-BFD引入的几个新术语。
o Classical BFD - BFD session types based on [RFC5880].
o 经典BFD-基于[RFC5880]的BFD会话类型。
o S-BFD - Seamless BFD.
o S-BFD-无缝BFD。
o S-BFD Control packet - a BFD Control packet for the S-BFD mechanism.
o S-BFD控制包-S-BFD机制的BFD控制包。
o S-BFD Echo packet - a BFD Echo packet for the S-BFD mechanism.
o S-BFD回波数据包-S-BFD机制的BFD回波数据包。
o S-BFD packet - a BFD Control packet or a BFD Echo packet.
o S-BFD数据包-BFD控制数据包或BFD回波数据包。
o Entity - a function on a network node to which the S-BFD mechanism allows remote network nodes to perform continuity tests. An entity can be abstract (e.g., reachability) or specific (e.g., IP addresses, Router-IDs, functions).
o 实体-网络节点上的功能,S-BFD机制允许远程网络节点执行连续性测试。实体可以是抽象的(如可达性)或特定的(如IP地址、路由器ID、功能)。
o SBFDInitiator - an S-BFD session on a network node that performs a continuity test to a remote entity by sending S-BFD packets.
o SBFDInitiator—网络节点上的S-BFD会话,通过发送S-BFD数据包对远程实体执行连续性测试。
o SBFDReflector - an S-BFD session on a network node that listens for incoming S-BFD Control packets to local entities and generates response S-BFD Control packets.
o SBFDReflector—网络节点上的一个S-BFD会话,用于侦听传入到本地实体的S-BFD控制数据包,并生成响应S-BFD控制数据包。
o Reflector BFD session - synonymous with SBFDReflector.
o 反射器BFD会话-与SBFD反射器同义。
o S-BFD Discriminator - a BFD Discriminator allocated for a local entity. An SBFDReflector listens for S-BFD Discriminators.
o S-BFD鉴别器-为本地实体分配的BFD鉴别器。SBFD反射器监听S-BFD鉴别器。
o BFD Discriminator - a BFD Discriminator allocated for an SBFDInitiator.
o BFD鉴别器-为SBFD启动器分配的BFD鉴别器。
o Initiator - a network node hosting an SBFDInitiator.
o 启动器—承载SBFD启动器的网络节点。
o Responder - a network node hosting an SBFDReflector.
o 响应器-承载SBFD反射器的网络节点。
Figure 1 describes the relationship between S-BFD terms.
图1描述了S-BFD术语之间的关系。
+---------------------+ +------------------------+ | Initiator | | Responder | | +-----------------+ | | +-----------------+ | | | SBFDInitiator |---S-BFD Ctrl pkt----->| SBFDReflector | | | | +-------------+ |<--S-BFD Ctrl pkt------| +-------------+ | | | | | BFD Discrim | | | | | |S-BFD Discrim| | | | | | | |---S-BFD Echo pkt---+ | | | | | | | +-------------+ | | | | | +----------^--+ | | | +-----------------+<-------------------+ +------------|----+ | | | | | | | | | +---v----+ | | | | | Entity | | | | | +--------+ | +---------------------+ +------------------------+
+---------------------+ +------------------------+ | Initiator | | Responder | | +-----------------+ | | +-----------------+ | | | SBFDInitiator |---S-BFD Ctrl pkt----->| SBFDReflector | | | | +-------------+ |<--S-BFD Ctrl pkt------| +-------------+ | | | | | BFD Discrim | | | | | |S-BFD Discrim| | | | | | | |---S-BFD Echo pkt---+ | | | | | | | +-------------+ | | | | | +----------^--+ | | | +-----------------+<-------------------+ +------------|----+ | | | | | | | | | +---v----+ | | | | | Entity | | | | | +--------+ | +---------------------+ +------------------------+
Figure 1: S-BFD Terminology Relationship
图1:S-BFD术语关系
An S-BFD module on each network node allocates one or more S-BFD Discriminators for local entities and creates a Reflector BFD session. Allocated S-BFD Discriminators may be advertised by applications (e.g., OSPF/IS-IS). The required result is that applications on other network nodes will know about the S-BFD Discriminators allocated by a remote node to remote entities. The Reflector BFD session, upon receiving an S-BFD Control packet targeted to one of the local S-BFD Discriminator values, is to transmit a response S-BFD Control packet back to the initiator.
每个网络节点上的S-BFD模块为本地实体分配一个或多个S-BFD鉴别器,并创建反射器BFD会话。分配的S-BFD鉴别器可由应用程序(例如,OSPF/IS-IS)公布。所需的结果是,其他网络节点上的应用程序将知道由远程节点分配给远程实体的S-BFD鉴别器。反射器BFD会话在接收到针对本地S-BFD鉴别器值之一的S-BFD控制分组时,将响应S-BFD控制分组发送回发起方。
Once the above setup is complete, any network node that knows about the S-BFD Discriminator allocated by a remote node to a remote entity or entities can quickly perform a continuity test to the remote entity by simply sending S-BFD Control packets with a corresponding S-BFD Discriminator value in the Your Discriminator field.
一旦上述设置完成,任何知道由远程节点分配给远程实体的S-BFD鉴别器的网络节点都可以通过在您的鉴别器字段中发送带有相应S-BFD鉴别器值的S-BFD控制数据包,快速对远程实体执行连续性测试。
This is exemplified in Figure 2.
如图2所示。
<------- IS-IS Network ------->
<------- IS-IS Network ------->
+---------+ | | A---------B---------C---------D ^ ^ | | System-ID System-ID xxx yyy BFD Discrim BFD Discrim 123 456
+---------+ | | A---------B---------C---------D ^ ^ | | System-ID System-ID xxx yyy BFD Discrim BFD Discrim 123 456
Figure 2: S-BFD for IS-IS Network
图2:IS-IS网络的S-BFD
An S-BFD module in a system with IS-IS System-ID xxx (Node A) allocates an S-BFD Discriminator 123, and IS-IS advertises the S-BFD Discriminator 123 in an IS-IS TLV. An S-BFD module in a system with IS-IS System-ID yyy (Node D) allocates an S-BFD Discriminator 456, and IS-IS advertises the S-BFD Discriminator 456 in an IS-IS TLV. A Reflector BFD session is created on both network nodes (Node A and Node D). When Node A wants to check the reachability of Node D, Node A can send an S-BFD Control packet destined to Node D with the Your Discriminator field set to 456. When the Reflector BFD session on Node D receives this S-BFD Control packet, then a response S-BFD Control packet is sent back to Node A, which allows Node A to complete the continuity test.
具有IS-IS系统ID xxx(节点a)的系统中的S-BFD模块分配S-BFD鉴别器123,并且IS-IS在IS-IS TLV中播发S-BFD鉴别器123。具有IS-IS系统ID yyy(节点D)的系统中的S-BFD模块分配S-BFD鉴别器456,并且IS-IS在IS-IS TLV中播发S-BFD鉴别器456。在两个网络节点(节点A和节点D)上创建反射器BFD会话。当节点A想要检查节点D的可达性时,节点A可以发送一个S-BFD控制包,目的地是节点D,您的鉴别器字段设置为456。当节点D上的反射器BFD会话接收到该S-BFD控制分组时,响应S-BFD控制分组被发送回节点a,从而允许节点a完成连续性测试。
When a node allocates multiple S-BFD Discriminators, how remote nodes determine which of the discriminators is associated with a specific entity is currently unspecified. The use of multiple S-BFD Discriminators by a single network node is therefore discouraged until a means of learning the mapping is defined.
当一个节点分配多个S-BFD鉴别器时,远程节点如何确定哪些鉴别器与特定实体相关联,目前尚未确定。因此,在定义学习映射的方法之前,不鼓励单个网络节点使用多个S-BFD鉴别器。
One important characteristic of an S-BFD Discriminator is that it MUST be unique within an administrative domain. If multiple network nodes allocate the same S-BFD Discriminator value, then S-BFD Control packets falsely terminating on a wrong network node can result in a Reflector BFD session generating a response back because of a matching Your Discriminator value. This is clearly not desirable.
S-BFD鉴别器的一个重要特征是它在管理域中必须是唯一的。如果多个网络节点分配相同的S-BFD鉴别器值,则S-BFD控制数据包在错误的网络节点上错误终止可能会导致反射器BFD会话生成响应,因为与您的鉴别器值匹配。这显然是不可取的。
This subsection describes a discriminator pool implementation technique to minimize S-BFD Discriminator collisions. This technique will allow an implementation to better satisfy the S-BFD Discriminator uniqueness requirement defined in Section 4.1.
本小节描述一种鉴别器池实现技术,以最小化S-BFD鉴别器冲突。该技术将允许实现更好地满足第4.1节中定义的S-BFD鉴别器唯一性要求。
o An SBFDInitiator is to allocate a discriminator from the BFD Discriminator pool. If the system also supports classical BFD (i.e., implements [RFC5880]), then the BFD Discriminator pool SHOULD be shared by SBFDInitiator sessions and classical BFD sessions.
o SBFDInitiator将从BFD鉴别器池分配鉴别器。如果系统还支持经典BFD(即实现[RFC5880]),则SBFDInitiator会话和经典BFD会话应共享BFD鉴别器池。
o An SBFDReflector is to allocate a discriminator from the S-BFD Discriminator pool. The S-BFD Discriminator pool SHOULD be a separate pool from the BFD Discriminator pool.
o SBFD反射器用于从S-BFD鉴别器池中分配鉴别器。S-BFD鉴别器池应与BFD鉴别器池分开。
The remainder of this subsection describes the reasons for the suggestions above.
本小节的其余部分描述了上述建议的原因。
Locally allocated S-BFD Discriminator values for entities that SBFDReflector sessions are listening for may be arbitrarily allocated or derived from values provided by applications. These values may be protocol IDs (e.g., System-ID, Router-ID) or network targets (e.g., IP address). To avoid derived S-BFD Discriminator values already being assigned to other BFD sessions (i.e., SBFDInitiator sessions and classical BFD sessions), it is RECOMMENDED that the discriminator pool for SBFDReflector sessions be separate from other BFD sessions.
SBFDReflector会话正在侦听的实体的本地分配的S-BFD鉴别器值可以任意分配或从应用程序提供的值派生。这些值可以是协议ID(例如,系统ID、路由器ID)或网络目标(例如,IP地址)。为避免派生的S-BFD鉴别器值已分配给其他BFD会话(即SBFDInitiator会话和经典BFD会话),建议将SBFDReflector会话的鉴别器池与其他BFD会话分开。
Even when following the "separate discriminator pool" approach, a collision is still possible between different S-BFD applications that may be using different values and algorithms to derive S-BFD Discriminator values. If two applications are using S-BFD for the same purpose (e.g., network reachability), then the colliding S-BFD Discriminator value can be shared. If the two applications are using S-BFD for a different purpose, then the collision must be addressed. The use of multiple S-BFD Discriminators by a single network node, however, is discouraged (see Section 3).
即使采用“单独的鉴别器池”方法,不同的S-BFD应用程序之间仍然可能发生冲突,这些应用程序可能使用不同的值和算法来推导S-BFD鉴别器值。如果两个应用程序出于相同目的(例如,网络可达性)使用S-BFD,则可以共享冲突的S-BFD鉴别器值。如果两个应用程序使用S-BFD的目的不同,则必须解决冲突。但是,不鼓励单个网络节点使用多个S-BFD鉴别器(见第3节)。
Each network node creates one or more Reflector BFD sessions. This Reflector BFD session is a session that transmits S-BFD Control packets in response to received S-BFD Control packets with the Your Discriminator field having S-BFD Discriminators allocated for local entities. Specifically, this Reflector BFD session has the following characteristics:
每个网络节点创建一个或多个Reflector BFD会话。这个反射器BFD会话是一个会话,它发送S-BFD控制数据包以响应接收到的S-BFD控制数据包,您的鉴别器字段具有为本地实体分配的S-BFD鉴别器。具体而言,此反射器BFD会话具有以下特征:
o MUST NOT transmit any S-BFD packets based on local timer expiry.
o 不得基于本地计时器到期发送任何S-BFD数据包。
o MUST transmit an S-BFD Control packet in response to a received S-BFD Control packet having a valid S-BFD Discriminator in the Your Discriminator field, unless prohibited by local policies (e.g., administrative, security, rate-limiter).
o 必须发送S-BFD控制数据包,以响应接收到的S-BFD控制数据包,该数据包在您的鉴别器字段中具有有效的S-BFD鉴别器,除非当地政策(例如,管理、安全、速率限制器)禁止。
o MUST be capable of sending only two states: UP and AdminDown.
o 必须只能发送两种状态:向上和向下。
One Reflector BFD session may be responsible for handling received S-BFD Control packets targeted to all locally allocated S-BFD Discriminators, or a few Reflector BFD sessions may each be responsible for a subset of locally allocated S-BFD Discriminators. This policy is a local matter and is outside the scope of this document.
一个反射器BFD会话可以负责处理接收到的以所有本地分配的S-BFD鉴别器为目标的S-BFD控制分组,或者几个反射器BFD会话可以各自负责本地分配的S-BFD鉴别器的子集。本政策是本地事务,不在本文件范围内。
Note that incoming S-BFD Control packets may be based on IPv4, IPv6, or MPLS [RFC7881]. Note also that other options are possible and may be defined in future documents. How such S-BFD Control packets reach an appropriate Reflector BFD session is also a local matter and is outside the scope of this document.
注意,传入的S-BFD控制数据包可能基于IPv4、IPv6或MPLS[RFC7881]。还请注意,其他选项是可能的,并且可能在将来的文档中定义。此类S-BFD控制数据包如何到达适当的反射器BFD会话也是一个局部问题,不在本文档的范围内。
S-BFD introduces new state variables and modifies the usage of existing ones.
S-BFD引入了新的状态变量,并修改了现有状态变量的用法。
A new state variable is added to the base specification in support of S-BFD.
在基本规范中添加了一个新的状态变量以支持S-BFD。
o bfd.SessionType: This is a new state variable that describes the type of a particular session. Allowable values for S-BFD sessions are:
o bfd.SessionType:这是一个新的状态变量,用于描述特定会话的类型。S-BFD会话的允许值为:
* SBFDInitiator - an S-BFD session on a network node that performs a continuity test to a target entity by sending S-BFD packets.
* SBFDInitiator—网络节点上的S-BFD会话,通过发送S-BFD数据包对目标实体执行连续性测试。
* SBFDReflector - an S-BFD session on a network node that listens for incoming S-BFD Control packets to local entities and generates response S-BFD Control packets.
* SBFDReflector—网络节点上的一个S-BFD会话,用于侦听传入到本地实体的S-BFD控制数据包,并生成响应S-BFD控制数据包。
The bfd.SessionType variable MUST be initialized to the appropriate type when an S-BFD session is created.
创建S-bfd会话时,必须将bfd.SessionType变量初始化为适当的类型。
State variables (defined in Section 6.8.1 of [RFC5880]) need to be initialized or manipulated differently, depending on the session type.
状态变量(在[RFC5880]第6.8.1节中定义)需要根据会话类型进行不同的初始化或操作。
o bfd.DemandMode: This variable MUST be initialized to 1 for session type SBFDInitiator and MUST be initialized to 0 for session type SBFDReflector. This is done to prevent loops (see Appendix A).
o bfd.DemandMode:对于会话类型SBFDInitiator,此变量必须初始化为1;对于会话类型SBFDReflector,此变量必须初始化为0。这样做是为了防止循环(见附录A)。
An S-BFD packet MUST be demultiplexed with lower-layer information (e.g., dedicated destination UDP port [RFC7881], associated Channel Type [RFC7885]). The following procedure SHOULD be executed on both initiator and reflector:
S-BFD数据包必须使用较低层信息(例如,专用目标UDP端口[RFC7881],相关信道类型[RFC7885])解复用。应在启动器和反射器上执行以下程序:
If the packet is an S-BFD packet
如果数据包是S-BFD数据包
If the S-BFD packet is for an SBFDReflector
如果S-BFD数据包用于SBFD反射器
The packet MUST be looked up to locate a corresponding SBFDReflector session based on the value from the Your Discriminator field in the table describing S-BFD Discriminators.
必须根据描述S-BFD鉴别器的表中“您的鉴别器”字段的值查找数据包,以定位相应的SBFDReflector会话。
Else
其他的
The packet MUST be looked up to locate a corresponding SBFDInitiator session or classical BFD session based on the value from the Your Discriminator field in the table describing BFD Discriminators. If no match, then the received packet MUST be discarded.
必须根据描述BFD鉴别器的表中Your Discriminator字段的值查找数据包,以定位相应的SBFDInitiator会话或经典BFD会话。如果不匹配,则必须丢弃接收到的数据包。
If the session is an SBFDInitiator session
如果会话是SBFDInitiator会话
The destination of the packet (i.e., the destination IP address) SHOULD be verified as being for itself.
应验证数据包的目的地(即目的地IP地址)是否为其自身。
Else
其他的
The packet MUST be discarded.
必须丢弃该数据包。
Else
其他的
The procedure described in Section 6.8.6 of [RFC5880] MUST be applied.
必须采用[RFC5880]第6.8.6节所述的程序。
More details on S-BFD Control packet demultiplexing are provided in relevant S-BFD data-plane documents.
有关S-BFD控制数据包解复用的更多详细信息,请参阅相关S-BFD数据平面文档。
A network node that receives S-BFD Control packets transmitted by an initiator is referred to as the responder. The responder, upon reception of S-BFD Control packets, is to verify the validity of the packets, as described in [RFC5880].
接收由发起方发送的S-BFD控制包的网络节点称为响应方。响应方在接收到S-BFD控制数据包后,将验证数据包的有效性,如[RFC5880]所述。
An S-BFD packet MUST be demultiplexed with lower-layer information. The following procedure SHOULD be executed by the responder:
S-BFD数据包必须与较低层信息解复用。响应者应执行以下程序:
If the Your Discriminator field is not one of the entries allocated for local entities
如果您的鉴别器字段不是为本地实体分配的条目之一
The packet MUST be discarded.
必须丢弃该数据包。
Else
其他的
The packet is determined to be handled by a Reflector BFD session responsible for that S-BFD Discriminator.
该分组被确定由负责该S-BFD鉴别器的反射器BFD会话处理。
If allowable per local policy (e.g., administrative, security, rate-limiter)
如果当地政策允许(例如,行政、安全、费率限制)
The chosen Reflector BFD session SHOULD transmit a response BFD Control packet using the procedures described in Section 7.2.2.
所选反射器BFD会话应使用第7.2.2节所述程序发送响应BFD控制包。
The contents of S-BFD Control packets sent by an SBFDReflector MUST be set as per Section 6.8.7 of [RFC5880]. There are a few fields that need to be set differently from [RFC5880], as follows:
SBFD反射器发送的S-BFD控制数据包的内容必须按照[RFC5880]第6.8.7节进行设置。有几个字段需要与[RFC5880]设置不同,如下所示:
State (Sta)
州(Sta)
Set to bfd.SessionState (either UP or AdminDown only). Clarification of Reflector BFD session state is described in Section 7.2.3.
设置为bfd.SessionState(仅向上或向下)。第7.2.3节描述了反射器BFD会话状态的澄清。
Demand (D)
需求(D)
Set to 0, to indicate that the S-BFD packet is sent by the SBFDReflector.
设置为0,表示S-BFD数据包由SBFD反射器发送。
Detect Mult
探测骡子
Value to be copied from the Detection Multiplier field of the received BFD packet.
要从接收的BFD数据包的检测乘数字段复制的值。
My Discriminator
我的鉴别器
Value to be copied from the Your Discriminator field of the received BFD packet.
要从接收的BFD数据包的Your Discriminator字段复制的值。
Your Discriminator
你的鉴别器
Value to be copied from the My Discriminator field of the received BFD packet.
要从接收的BFD数据包的“我的鉴别器”字段复制的值。
Desired Min TX Interval
所需最小发送间隔
Value to be copied from the Desired Min TX Interval field of the received BFD packet.
从接收到的BFD数据包的所需最小发送间隔字段复制的值。
Required Min RX Interval
所需最小接收间隔
Set to bfd.RequiredMinRxInterval. Value indicating the minimum interval, in microseconds, between received S-BFD Control packets. Further details are provided in Section 7.2.3.
设置为bfd.RequiredMinRxInterval。值,指示接收到的S-BFD控制数据包之间的最小间隔(以微秒为单位)。更多详情见第7.2.3节。
Required Min Echo RX Interval
所需最小回波接收间隔
If the device supports looping back S-BFD Echo packets
如果设备支持回送S-BFD回送数据包
Set to the minimum required S-BFD Echo packet receive interval for this session.
设置为此会话所需的最小S-BFD回显数据包接收间隔。
Else
其他的
Set to 0.
设置为0。
o S-BFD Control packets transmitted by the SBFDReflector MUST have Required Min RX Interval set to a value that expresses, in microseconds, the minimum interval between incoming S-BFD Control packets that this SBFDReflector can handle. The SBFDReflector can control how fast SBFDInitiators will be sending S-BFD Control packets to themselves by ensuring that Required Min RX Interval indicates a value based on the current load.
o SBFDReflector传输的S-BFD控制数据包必须将所需的最小RX间隔设置为表示该SBFDReflector可以处理的传入S-BFD控制数据包之间的最小间隔(以微秒为单位)的值。SBFD反射器可通过确保所需的最小RX间隔指示基于当前负载的值,控制SBFD启动器向自身发送S-BFD控制数据包的速度。
o When the SBFDReflector receives an S-BFD Control packet from an SBFDInitiator, then the SBFDReflector needs to determine what "state" to send in the response S-BFD Control packet. If the monitored local entity is in service, then the state MUST be set to UP. If the monitored local entity is "temporarily out of service", then the state SHOULD be set to AdminDown.
o 当SBFDReflector从SBFD启动器接收到S-BFD控制数据包时,SBFDReflector需要确定响应S-BFD控制数据包中要发送的“状态”。如果受监视的本地实体正在使用中,则必须将状态设置为。如果受监视的本地实体“暂时停止服务”,则状态应设置为AdminDown。
o If an SBFDReflector receives an S-BFD Control packet with the Demand (D) bit cleared, the packet MUST be discarded (see Appendix A).
o 如果SBFD反射器接收到S-BFD控制数据包且请求(D)位已清除,则必须丢弃该数据包(见附录A)。
S-BFD Control packets transmitted by an SBFDInitiator MUST set the Your Discriminator field to an S-BFD Discriminator corresponding to the remote entity.
SBFDInitiator传输的S-BFD控制数据包必须将Your Discriminator字段设置为与远程实体对应的S-BFD Discriminator。
Every SBFDInitiator MUST have a locally unique My Discriminator value allocated from the BFD Discriminator pool.
每个SBFDInitiator都必须具有从BFD鉴别器池分配的本地唯一My鉴别器值。
Figure 3 describes the high-level concept of continuity testing using S-BFD. R2 allocates XX as the S-BFD Discriminator for network reachability purposes and advertises XX to neighbors. Figure 3 shows R1 and R4 performing a continuity test to R2.
图3描述了使用S-BFD进行连续性测试的高级概念。R2为网络可达性目的分配XX作为S-BFD鉴别器,并向邻居播发XX。图3显示R1和R4对R2执行连续性测试。
+--- md=50/yd=XX (ping) ----+ | | |+-- md=XX/yd=50 (pong) --+ | || | | |v | v R1 ==================== R2[*] ========= R3 ========= R4 | ^ |^ | | || | +-- md=60/yd=XX (ping) --+| | | +---- md=XX/yd=60 (pong) ---+
+--- md=50/yd=XX (ping) ----+ | | |+-- md=XX/yd=50 (pong) --+ | || | | |v | v R1 ==================== R2[*] ========= R3 ========= R4 | ^ |^ | | || | +-- md=60/yd=XX (ping) --+| | | +---- md=XX/yd=60 (pong) ---+
[*] Reflector BFD session on R2. === Links connecting network nodes. --- S-BFD Control packet traversal.
[*] Reflector BFD session on R2. === Links connecting network nodes. --- S-BFD Control packet traversal.
Figure 3: S-BFD Continuity Test
图3:S-BFD连续性测试
An SBFDInitiator may be a "persistent" session on the initiator with a timer for S-BFD Control packet transmissions (stateful SBFDInitiator). An SBFDInitiator may also be a module, a script, or a tool on the initiator that transmits one or more S-BFD Control packets "when needed" (stateless SBFDInitiator). For stateless SBFDInitiators, a complete BFD state machine may not be applicable. For stateful SBFDInitiators, the states and the state machine described in [RFC5880] will not function due to the SBFDReflector session only sending the UP and AdminDown states (i.e., the SBFDReflector session does not send the INIT state). The following diagram provides the RECOMMENDED state machine for stateful SBFDInitiators. The notation on each arc represents the state of the SBFDInitiator (as received in the State field in the S-BFD Control packet) or indicates the expiration of the Detection Timer. See Figure 4.
SBFD启动器可以是启动器上的“持久”会话,带有用于S-BFD控制数据包传输的计时器(有状态SBFD启动器)。SBFDInitiator也可以是启动器上的模块、脚本或工具,在“需要时”(无状态SBFDInitiator)传输一个或多个S-BFD控制数据包。对于无状态SBFD启动器,完整的BFD状态机可能不适用。对于有状态SBFD启动器,[RFC5880]中描述的状态和状态机将不起作用,因为SBFDReflector会话仅发送向上和向下状态(即SBFDReflector会话不发送初始状态)。下图提供了有状态SBFDInitiator的推荐状态机。每个arc上的符号表示SBFD启动器的状态(在S-BFD控制数据包的状态字段中接收)或指示检测计时器的过期。参见图4。
+--+ ADMIN DOWN, | | TIMER | V +------+ UP +------+ | |-------------------->| |----+ | DOWN | | UP | | UP | |<--------------------| |<---+ +------+ ADMIN DOWN, +------+ TIMER
+--+ ADMIN DOWN, | | TIMER | V +------+ UP +------+ | |-------------------->| |----+ | DOWN | | UP | | UP | |<--------------------| |<---+ +------+ ADMIN DOWN, +------+ TIMER
Figure 4: SBFDInitiator Finite State Machine
图4:SBFD启动器有限状态机
Note that the above state machine is different from the base BFD specification [RFC5880]. This is because the INIT state is no longer applicable for the SBFDInitiator. Another important difference is the transition of the state machine from the DOWN state to the UP state when a packet with an UP state setting is received by the SBFDInitiator. The definitions of the states and events have the same meanings as those defined in the base BFD specification [RFC5880].
请注意,上述状态机与基本BFD规范[RFC5880]不同。这是因为INIT状态不再适用于SBFDInitiator。另一个重要区别是,当SBFD启动器接收到具有向上状态设置的数据包时,状态机从向下状态转换为向上状态。状态和事件的定义与基本BFD规范[RFC5880]中定义的含义相同。
The contents of S-BFD Control packets sent by an SBFDInitiator MUST be set as per Section 6.8.7 of [RFC5880]. There are a few fields that need to be set differently from [RFC5880], as follows:
SBFD启动器发送的S-BFD控制数据包的内容必须按照[RFC5880]第6.8.7节进行设置。有几个字段需要与[RFC5880]设置不同,如下所示:
Demand (D)
需求(D)
Used to indicate that the S-BFD packet originated from the SBFDInitiator. Always set to 1.
用于指示S-BFD数据包源自SBFD启动器。始终设置为1。
Your Discriminator
你的鉴别器
Set to bfd.RemoteDiscr. bfd.RemoteDiscr is set to the Discriminator value of the remote entity. It MAY be learnt from routing protocols or configured locally.
设置为bfd.RemoteDiscr。bfd.RemoteDiscr设置为远程实体的鉴别器值。它可以从路由协议中学习,也可以在本地配置。
Required Min RX Interval
所需最小接收间隔
Set to 0.
设置为0。
Required Min Echo RX Interval
所需最小回波接收间隔
Set to 0.
设置为0。
o If the SBFDInitiator receives a valid S-BFD Control packet in response to a transmitted S-BFD Control packet to a remote entity, then the SBFDInitiator SHOULD conclude that the S-BFD Control packet reached the intended remote entity.
o 如果SBFD启动器收到有效的S-BFD控制数据包,以响应发送给远程实体的S-BFD控制数据包,则SBFD启动器应断定S-BFD控制数据包到达了预期的远程实体。
o When an SBFDInitiator receives a response S-BFD Control packet, if the state specified is AdminDown, the SBFDInitiator MUST NOT conclude that the reachability of the corresponding remote entity is lost and MUST back off the packet transmission interval for the remote entity to an interval no faster than 1 second.
o 当SBFDInitiator接收到响应S-BFD控制数据包时,如果指定的状态为AdminDown,SBFDInitiator不得得出相应远程实体的可达性丢失的结论,并且必须将远程实体的数据包传输间隔缩短到不超过1秒的间隔。
o When a sufficient number of S-BFD packets have not arrived as they should, the SBFDInitiator SHOULD declare loss of reachability to the remote entity. The criteria for declaring loss of reachability and the action that would be triggered as a result are outside the scope of this document; the action MAY include logging an error.
o 当足够数量的S-BFD数据包未到达时,SBFD启动器应声明失去远程实体的可达性。宣布可达性丧失的标准以及由此引发的行动不在本文件范围内;该操作可能包括记录错误。
o Regarding the third bullet item, it is critical for an implementation to understand the latency to/from the Reflector BFD session on the responder. In other words, for the very first S-BFD packet transmitted by the SBFDInitiator, an implementation MUST NOT expect a response S-BFD packet to be received for a time equivalent to the sum of the latencies: initiator to responder and responder back to initiator.
o 关于第三个项目符号,对于实现来说,了解响应程序上的反射程序BFD会话的延迟是至关重要的。换句话说,对于SBFD启动器发送的第一个S-BFD数据包,实现不能期望在相当于延迟总和的时间内接收响应S-BFD数据包:启动器到响应程序,响应程序返回到启动器。
o If the SBFDInitiator receives an S-BFD Control packet with the Demand (D) bit set, the packet MUST be discarded (see Appendix A).
o 如果SBFD启动器接收到设置了请求(D)位的S-BFD控制数据包,则必须丢弃该数据包(见附录A)。
The diagnostic value in both directions MAY be set to a certain value, to attempt to communicate further information to both ends. Implementations MAY use the already-existing diagnostic values defined in Section 4.1 of [RFC5880]. However, details regarding this topic are outside the scope of this specification.
可以将两个方向上的诊断值设置为特定值,以尝试向两端传达更多信息。实施可使用[RFC5880]第4.1节中定义的现有诊断值。但是,有关此主题的详细信息不在本规范的范围内。
The Poll Sequence MAY be used in both directions. The Poll Sequence MUST operate in accordance with [RFC5880]. An SBFDReflector MAY use the Poll Sequence to slow down the rate at which S-BFD Control packets are generated from an SBFDInitiator. This is done by the SBFDReflector, using the procedures described in Section 7.2.3 and setting the Poll (P) bit in the reflected S-BFD Control packet. The SBFDInitiator is to then send the next S-BFD Control packet with the Final (F) bit set. If an SBFDReflector receives an S-BFD Control packet with the P bit set, then the SBFDReflector MUST respond with an S-BFD Control packet with the P bit cleared and the F bit set.
轮询序列可以在两个方向上使用。轮询序列必须按照[RFC5880]操作。SBFD反射器可以使用轮询序列来降低从SBFD启动器生成S-BFD控制分组的速率。这由SBFD反射器完成,使用第7.2.3节中描述的程序,并在反射的S-BFD控制数据包中设置轮询(P)位。SBFD启动器随后将发送下一个设置了最终(F)位的S-BFD控制数据包。如果SBFDReflector接收到设置了P位的S-BFD控制数据包,则SBFDReflector必须使用清除了P位且设置了F位的S-BFD控制数据包进行响应。
S-BFD provides a smooth and continuous (i.e., seamless) operational experience as an Operations, Administration, and Maintenance (OAM) mechanism for connectivity checking and connection verification. This is achieved by providing a simplified mechanism with a large proportion of negotiation aspects eliminated, resulting in faster and simpler provisioning.
S-BFD作为一种用于连接检查和连接验证的操作、管理和维护(OAM)机制,提供了平稳、连续(即无缝)的操作体验。这是通过提供一种简化的机制来实现的,该机制消除了大部分协商方面,从而实现了更快、更简单的资源调配。
Because of this simplified mechanism, due to a misconfiguration an SBFDInitiator could send S-BFD Control packets to a target that does not exist or that is outside the S-BFD administrative domain. As explained in Section 7.3.1, an SBFDInitiator can be a persistent initiator or a "when needed" one. When an S-BFD persistent SBFDInitiator is used, a deployment SHOULD ensure that S-BFD Control packets do not propagate for an extended period of time outside of
由于这种简化机制,由于配置错误,SBFD启动器可能会将S-BFD控制数据包发送到不存在的目标或S-BFD管理域之外的目标。如第7.3.1节所述,SBFD启动器可以是持久启动器或“需要时”启动器。当使用S-BFD持久SBFDInitiator时,部署应确保S-BFD控制数据包不会在外部的较长时间内传播
the administrative domain that uses it. Further, operational measures SHOULD be taken to determine if responses to S-BFD packets are not sent for an extended period of time and then remediate the situation. These potential concerns are largely mitigated by dynamic advertisement mechanisms for S-BFD and with automation checks before applying configurations.
使用它的管理域。此外,应采取操作措施,以确定对S-BFD数据包的响应是否在较长时间内未发送,然后纠正这种情况。S-BFD的动态广告机制和应用配置前的自动化检查在很大程度上缓解了这些潜在问题。
This mechanism brings forth one noticeable difference in terms of the scaling aspect: the number of SBFDReflectors. This specification eliminates the need for egress nodes to have fully active BFD sessions when only one side desires to perform continuity tests. With the introduction of the Reflector BFD concept, egress is no longer required to create any active BFD sessions on a per-path/LSP/ function basis. Because of this, the total number of BFD sessions in a network is reduced.
这种机制在缩放方面带来了一个明显的差异:SBFD反射器的数量。当只有一方希望执行连续性测试时,该规范消除了出口节点具有完全活动BFD会话的需要。随着反射器BFD概念的引入,在每个路径/LSP/功能的基础上创建任何活动BFD会话不再需要出口。因此,网络中BFD会话的总数减少。
When S-BFD performs failure detection, it consumes resources, including bandwidth and CPU processing. To avoid congestion, it is therefore imperative that operators correctly provision the rates at which S-BFD packets are transmitted. When BFD is used across multiple hops, a congestion control mechanism MUST be implemented, and when congestion is detected, the BFD implementation MUST reduce the amount of traffic it generates. The exact mechanism used to detect congestion is outside the scope of this specification but may include the detection of lost BFD Control packets or other means. The SBFDReflector can limit the rate at which SBFDInitiators will be sending S-BFD Control packets by utilizing Required Min RX Interval, but at the expense of detection time (i.e., detection time will increase).
当S-BFD执行故障检测时,它会消耗资源,包括带宽和CPU处理。因此,为了避免拥塞,运营商必须正确规定S-BFD数据包的传输速率。当跨多个跃点使用BFD时,必须实现拥塞控制机制,当检测到拥塞时,BFD实现必须减少其产生的流量。用于检测拥塞的确切机制不在本规范的范围内,但可能包括检测丢失的BFD控制数据包或其他方式。SBFD反射器可通过利用所需的最小RX间隔来限制SBFD启动器发送S-BFD控制数据包的速率,但以牺牲检测时间为代价(即,检测时间将增加)。
Demultiplexing requirements for the initial packet are described in Section 7.1. Because of this, the S-BFD mechanism can co-exist with classical BFD sessions.
第7.1节描述了初始数据包的解复用要求。因此,S-BFD机制可以与经典BFD会话共存。
The concept of the S-BFD Echo function is similar to the BFD Echo function described in [RFC5880]. S-BFD Echo packets have the destination of "self"; thus, S-BFD Echo packets are self-generated and self-terminated after traversing a link/path. S-BFD Echo packets are expected to U-turn on the target node in the data plane and MUST NOT be processed by any Reflector BFD sessions on the target node.
S-BFD回波函数的概念类似于[RFC5880]中描述的BFD回波函数。S-BFD回波数据包的目的地为“self”;因此,S-BFD回波包在穿越链路/路径后自生成和自终止。S-BFD回波数据包预计将在数据平面中的目标节点上掉头,并且不得由目标节点上的任何反射器BFD会话处理。
When using the S-BFD Echo function, it is RECOMMENDED that:
使用S-BFD回波功能时,建议:
o Both S-BFD Control packets and S-BFD Echo packets be sent.
o 可以发送S-BFD控制数据包和S-BFD回波数据包。
o Both S-BFD Control packets and S-BFD Echo packets have the same semantics in the forward direction to reach the target node.
o S-BFD控制数据包和S-BFD回波数据包在到达目标节点的前向方向上具有相同的语义。
In other words, it is not preferable to send just S-BFD Echo packets without also sending S-BFD Control packets. There are two reasons behind this suggestion:
换句话说,不优选仅发送S-BFD回波分组而不发送S-BFD控制分组。这一建议背后有两个原因:
o S-BFD Control packets can verify the reachability of the intended target node; this allows one to have confidence that S-BFD Echo packets are U-turning on the expected target node.
o S-BFD控制包可以验证预期目标节点的可达性;这使我们能够确信S-BFD回波数据包在预期目标节点上正在U形转弯。
o S-BFD Control packets can detect when the target node is going out of service (i.e., by receiving AdminDown state).
o S-BFD控制数据包可以检测目标节点何时停止服务(即,通过接收AdminDown状态)。
S-BFD Echo packets can be spoofed and can U-turn in a transit node before reaching the expected target node. When the S-BFD Echo function is used, it is RECOMMENDED in this specification that both S-BFD Control packets and S-BFD Echo packets be sent. While the additional use of S-BFD Control packets alleviates these two concerns, some form of authentication MAY still be included.
S-BFD回波数据包可以被欺骗,并且可以在到达预期目标节点之前在传输节点中掉头。使用S-BFD回波功能时,本规范建议同时发送S-BFD控制数据包和S-BFD回波数据包。虽然S-BFD控制分组的额外使用减轻了这两个问题,但是仍然可以包括某种形式的认证。
The usage of the Required Min Echo RX Interval field is described in Sections 7.2.2 and 7.3.2. Because of the stateless nature of SBFDReflector sessions, a value specified in the Required Min Echo RX Interval field is not very meaningful to the SBFDReflector. Thus, it is RECOMMENDED that the Required Min Echo RX Interval field simply be set to zero by the SBFDInitiator. The SBFDReflector MAY set the Required Min Echo RX Interval field to an appropriate value to control the rate at which it wants to receive S-BFD Echo packets.
第7.2.2节和第7.3.2节描述了所需最小回波接收间隔字段的使用。由于SBFDReflector会话的无状态性质,在Required Min Echo RX Interval字段中指定的值对SBFDReflector来说意义不大。因此,建议SBFD启动器将所需的最小回波接收间隔字段设置为零。SBFD反射器可将所需的最小回波接收间隔字段设置为适当的值,以控制其想要接收S-BFD回波数据包的速率。
The following aspects of S-BFD Echo functions are left as implementation details and are outside the scope of this document:
S-BFD回波功能的以下方面作为实施细节保留,不在本文件范围内:
o Format of the S-BFD Echo packet (e.g., data beyond UDP header).
o S-BFD回波数据包的格式(例如,UDP报头以外的数据)。
o Procedures on when and how to use the S-BFD Echo function.
o 关于何时以及如何使用S-BFD回波功能的程序。
The same security considerations as those described in [RFC5880] apply to this document. Additionally, implementing the following measures will strengthen security aspects of the mechanism described by this document:
[RFC5880]中所述的安全注意事项同样适用于本文件。此外,实施以下措施将加强本文件所述机制的安全方面:
o The SBFDInitiator MAY pick a sequence number to be set in "sequence number" in the Authentication Section, based on the configured authentication mode.
o SBFD启动器可以基于配置的认证模式,选择要在认证部分的“序列号”中设置的序列号。
o The SBFDReflector MUST NOT use the crypto sequence number to make a decision about accepting the packet. This is because the SBFDReflector does not maintain S-BFD peer state and because the SBFDReflector can receive S-BFD packets from multiple SBFDInitiators. Consequently, BFD authentication can be used, but not the sequence number.
o SBFDReflector不得使用加密序列号来决定是否接受数据包。这是因为SBFDReflector不保持S-BFD对等状态,并且SBFDReflector可以从多个SBFDInitiator接收S-BFD数据包。因此,可以使用BFD身份验证,但不能使用序列号。
o The SBFDReflector MAY use the Auth Key ID in the incoming packet to verify the Authentication Data.
o sbfd反射器可以使用传入分组中的认证密钥ID来验证认证数据。
o The SBFDReflector MUST accept the packet if authentication is successful.
o 如果身份验证成功,SBFDReflector必须接受数据包。
o The SBFDReflector MUST compute the Authentication Data and MUST use the same sequence number that it received in the S-BFD Control packet to which it is responding.
o SBFDReflector必须计算认证数据,并且必须使用在其响应的S-BFD控制数据包中接收到的相同序列号。
o The SBFDInitiator SHOULD accept an S-BFD Control packet with a sequence number within the permissible range. One potential approach is the procedure explained in [BFD-GEN-AUTH].
o SBFD启动器应接受序列号在允许范围内的S-BFD控制数据包。一种可能的方法是[BFD-GEN-AUH]中解释的程序。
Using the above method,
用上述方法,,
o SBFDReflectors continue to remain stateless, despite using security.
o 尽管使用了安全性,SBFD反射器仍然保持无状态。
o SBFDReflectors are not susceptible to replay attacks, as they always respond to S-BFD Control packets irrespective of the sequence number carried.
o SBFD反射器不易受到重播攻击,因为它们总是响应S-BFD控制数据包,而与所携带的序列号无关。
o An attacker cannot impersonate the responder, since the SBFDInitiator will only accept S-BFD Control packets that come with the sequence number that it had originally used when sending the S-BFD Control packet.
o 攻击者无法模拟响应者,因为SBFD启动器将只接受带有其在发送S-BFD控制数据包时最初使用的序列号的S-BFD控制数据包。
Additionally, the use of strong forms of authentication is strongly encouraged for S-BFD. The use of Simple Password authentication [RFC5880] potentially puts other services at risk if S-BFD packets can be intercepted and those password values are reused for other services.
此外,强烈鼓励S-BFD使用强身份验证形式。如果可以截获S-BFD数据包并将这些密码值重新用于其他服务,则使用简单密码验证[RFC5880]可能会使其他服务面临风险。
Considerations related to loop problems are covered in Appendix A.
与回路问题相关的注意事项见附录A。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.
[RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, <http://www.rfc-editor.org/info/rfc5880>.
[RFC5880]Katz,D.和D.Ward,“双向转发检测(BFD)”,RFC 5880,DOI 10.17487/RFC5880,2010年6月<http://www.rfc-editor.org/info/rfc5880>.
[BFD-GEN-AUTH] Bhatia, M., Manral, V., Zhang, D., and M. Jethanandani, "BFD Generic Cryptographic Authentication", Work in Progress, draft-ietf-bfd-generic-crypto-auth-06, April 2014.
[BFD-GEN-AUTH]Bhatia,M.,Manral,V.,Zhang,D.,和M.Jethanandani,“BFD通用密码认证”,正在进行的工作,草稿-ietf-BFD-Generic-crypto-AUTH-062014年4月。
[RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC791, September 1981, <http://www.rfc-editor.org/info/rfc791>.
[RFC791]Postel,J.,“互联网协议”,STD 5,RFC 791,DOI 10.17487/RFC7911981年9月<http://www.rfc-editor.org/info/rfc791>.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, December 1998, <http://www.rfc-editor.org/info/rfc2460>.
[RFC2460]Deering,S.和R.Hinden,“互联网协议,第6版(IPv6)规范”,RFC 2460,DOI 10.17487/RFC2460,1998年12月<http://www.rfc-editor.org/info/rfc2460>.
[RFC3031] Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol Label Switching Architecture", RFC 3031, DOI 10.17487/RFC3031, January 2001, <http://www.rfc-editor.org/info/rfc3031>.
[RFC3031]Rosen,E.,Viswanathan,A.,和R.Callon,“多协议标签交换体系结构”,RFC 3031,DOI 10.17487/RFC3031,2001年1月<http://www.rfc-editor.org/info/rfc3031>.
[RFC7881] Pignataro, C., Ward, D., and N. Akiya, "Seamless Bidirectional Forwarding Detection (S-BFD) for IPv4, IPv6, and MPLS", RFC 7881, DOI 10.17487/RFC7881, July 2016, <http://www.rfc-editor.org/info/rfc7881>.
[RFC7881]Pignataro,C.,Ward,D.,和N.Akiya,“IPv4,IPv6和MPLS的无缝双向转发检测(S-BFD)”,RFC 7881,DOI 10.17487/RFC7881,2016年7月<http://www.rfc-editor.org/info/rfc7881>.
[RFC7882] Aldrin, S., Pignataro, C., Mirsky, G., and N. Kumar, "Seamless Bidirectional Forwarding Detection (S-BFD) Use Cases", RFC 7882, DOI 10.17487/RFC7882, July 2016, <http://www.rfc-editor.org/info/rfc7882>.
[RFC7882]Aldrin,S.,Pignataro,C.,Mirsky,G.,和N.Kumar,“无缝双向转发检测(S-BFD)用例”,RFC 7882,DOI 10.17487/RFC7882,2016年7月<http://www.rfc-editor.org/info/rfc7882>.
[RFC7885] Govindan, V. and C. Pignataro, "Seamless Bidirectional Forwarding Detection (S-BFD) for Virtual Circuit Connectivity Verification (VCCV)", RFC 7885, DOI 10.17487/RFC7885, July 2016, <http://www.rfc-editor.org/info/rfc7885>.
[RFC7885]Govindan,V.和C.Pignataro,“用于虚拟电路连接验证(VCCV)的无缝双向转发检测(S-BFD)”,RFC 7885,DOI 10.17487/RFC7885,2016年7月<http://www.rfc-editor.org/info/rfc7885>.
Consider a scenario where we have two nodes and both are S-BFD capable.
考虑一个场景,我们有两个节点,两个节点都是-BFD能力。
Node A (IP 2001:db8::1) ----------------- Node B (IP 2001:db8::2) | | Man in the Middle (MITM)
Node A (IP 2001:db8::1) ----------------- Node B (IP 2001:db8::2) | | Man in the Middle (MITM)
Assume that Node A reserved a discriminator 0x01010101 for target identifier 2001:db8::1 and has a reflector session in listening mode. Similarly, Node B reserved a discriminator 0x02020202 for its target identifier 2001:db8::2 and also has a reflector session in listening mode.
假设节点A为目标标识符2001:db8::1保留了一个鉴别器0x01010101,并且在侦听模式下有一个反射器会话。类似地,节点B为其目标标识符2001:db8::2保留了一个鉴别器0x020202,并且在侦听模式下也有一个反射器会话。
Suppose that a MITM sends a spoofed packet with My Discriminator = 0x01010101, Your Discriminator = 0x02020202, source IP as 2001:db8::1, and destination IP as 2001:db8::2. When this packet reaches Node B, the reflector session on Node B will swap the discriminators and IP addresses of the received packet and reflect it back, since the Your Discriminator value of the received packet matches the reserved discriminator of Node B. The reflected packet that reached Node A will have My Discriminator = 0x02020202 and Your Discriminator = 0x01010101. Since the Your Discriminator value of the received packet matches the reserved discriminator of Node A, Node A will swap the discriminators and reflect the packet back to Node B. Since the reflectors must set the TTL of the reflected packets to 255, the above scenario will result in an infinite loop because of just one malicious packet injected from the MITM.
假设一个MITM发送一个伪造的数据包,其中我的鉴别器=0x01010101,您的鉴别器=0x020202,源IP为2001:db8::1,目标IP为2001:db8::2。当该分组到达节点B时,节点B上的反射器会话将交换所接收分组的鉴别器和IP地址并将其反射回来,由于接收数据包的Your鉴别器值与节点B的保留鉴别器匹配。到达节点A的反射数据包将具有My鉴别器=0x020202和Your鉴别器=0x01010101。由于所接收数据包的Your鉴别器值与节点A的保留鉴别器匹配,节点A将交换鉴别器并将数据包反射回节点B。由于反射器必须将反射数据包的TTL设置为255,上述场景将导致无限循环,因为仅从MITM注入一个恶意数据包。
The solution is to avoid the loop problem by using the D bit (Demand mode bit). The initiator always sets the D bit, and the reflector always clears it. This way, we can determine if a received packet was a reflected packet and avoid reflecting it back.
解决方案是通过使用D位(需求模式位)来避免循环问题。启动器总是设置D位,反射器总是清除它。通过这种方式,我们可以确定接收到的数据包是否为反射数据包,并避免将其反射回来。
Acknowledgements
致谢
The authors would like to thank Jeffrey Haas, Greg Mirsky, Marc Binderberger, and Alvaro Retana for performing thorough reviews and providing a number of suggestions. The authors would also like to thank Girija Raghavendra Rao, Les Ginsberg, Srihari Raghavan, Vanitha Neelamegam, and Vengada Prasad Govindan from Cisco Systems for providing valuable comments. Finally, the authors would also like to thank John E. Drake and Pablo Frank for providing comments and suggestions.
作者要感谢Jeffrey Haas、Greg Mirsky、Marc Binderberger和Alvaro Retana进行了全面的审查并提供了一些建议。作者还要感谢思科系统公司的Girija Raghavendra Rao、Les Ginsberg、Srihari Raghavan、Vanitha Neelamegam和Vengada Prasad Govindan提供的宝贵意见。最后,作者还要感谢John E.Drake和Pablo Frank提供的评论和建议。
Contributors
贡献者
The following are key contributors to this document:
以下是本文件的主要贡献者:
Tarek Saad, Cisco Systems, Inc. Siva Sivabalan, Cisco Systems, Inc. Nagendra Kumar, Cisco Systems, Inc. Mallik Mudigonda, Cisco Systems, Inc. Sam Aldrin, Google
塔里克·萨阿德、思科系统公司、西瓦·西瓦巴兰、思科系统公司、纳甘德拉·库马尔、思科系统公司、马利克·穆迪贡达、思科系统公司、萨姆·奥尔德林、谷歌
Authors' Addresses
作者地址
Carlos Pignataro Cisco Systems, Inc.
卡洛斯·皮格纳塔罗思科系统公司。
Email: cpignata@cisco.com
Email: cpignata@cisco.com
Dave Ward Cisco Systems, Inc.
戴夫·沃德思科系统公司。
Email: wardd@cisco.com
Email: wardd@cisco.com
Nobo Akiya Big Switch Networks
Nobo Akiya大交换网络
Email: nobo.akiya.dev@gmail.com
Email: nobo.akiya.dev@gmail.com
Manav Bhatia Ionos Networks
Manav Bhatia Ionios网络
Email: manav@ionosnetworks.com
Email: manav@ionosnetworks.com
Santosh Pallagatti
桑托什·帕拉加蒂
Email: santosh.pallagatti@gmail.com
Email: santosh.pallagatti@gmail.com